Overview

overview

10

Static

static

cc34204494...e6.exe

windows7-x64

10

cc34204494...e6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 06:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6.exe

  • Size

    214KB

  • MD5

    251a41fc5e568b24574e7a0649679240

  • SHA1

    5f0ce9ee0c94d5e0d0c64ac435f4a1f6241ed2a1

  • SHA256

    cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6

  • SHA512

    60c8feca298910e7606a3b3b4364423f5585f9a4b8f454dab92a23b06d2118d6eef34cbafbb14b2fa3e08f8c92f8ff7cb43f8f60b320e7bc6212ae2aef66f89a

  • SSDEEP

    6144:Q9MLzWvtOIx+kkS169CKxPgnYypx+hH0MjlVklPH:Q9MvWv8IEkFwfPgvXuJlU

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6.exe
    "C:\Users\Admin\AppData\Local\Temp\cc34204494d316e46e26cd28b13d6a7ac540f7d0b6058c026e37fc83ec55aee6.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4916
  • C:\Users\Admin\AppData\Local\Temp\D3EF.exe
    C:\Users\Admin\AppData\Local\Temp\D3EF.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:5064
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4396
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5064 -s 556
      2⤵
      • Program crash
      PID:212
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 5064 -ip 5064
    1⤵
      PID:4408
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:744
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:4064
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\server_ok.dll",lEpKV0tJMUI=
            2⤵
              PID:4676

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\server_ok.dll
            Filesize

            726KB

            MD5

            a0ce53fe00fb60dcac5ef821dd8db72a

            SHA1

            7f9eb7bb35f0c1e2dbd5dc11953a1a7249df231d

            SHA256

            fa99f4e4e09deaeabf8e2976dfaa5a69d8dbbfa29bbcaf73262f968afbb37dcf

            SHA512

            303b8489b929c07c8fd9e9e1adfb60cb87be50af875b27c545318dd9b4736ead0b146695a5b69176f038cd14d1d53f40371498c73a96aa54a1b1040c507cf787

            Download Submit
          • C:\Program Files (x86)\WindowsPowerShell\Modules\server_ok.dll
            Filesize

            726KB

            MD5

            a0ce53fe00fb60dcac5ef821dd8db72a

            SHA1

            7f9eb7bb35f0c1e2dbd5dc11953a1a7249df231d

            SHA256

            fa99f4e4e09deaeabf8e2976dfaa5a69d8dbbfa29bbcaf73262f968afbb37dcf

            SHA512

            303b8489b929c07c8fd9e9e1adfb60cb87be50af875b27c545318dd9b4736ead0b146695a5b69176f038cd14d1d53f40371498c73a96aa54a1b1040c507cf787

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
            Filesize

            2KB

            MD5

            1f8001c5a3ab09524c8185d2657e471c

            SHA1

            2297cd6ba695d3fa72f2a70a7db95f2e241116ab

            SHA256

            c8c2ac11232a448dd5d78c34752f56b8f5b8e18fe79b3176fdd88759d5b703d5

            SHA512

            d038b9b97a96b267684ba1a7d2458ddf63d3fd3ea8c58a213b5085196da9c7001fe1dbadfc75d2364befc09c9618c133b331ed487fcb043b6a923f3951be0b37

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SettingsLocationTemplate2013.xsd
            Filesize

            11KB

            MD5

            492e8dea7892f6198ee95b42424eab81

            SHA1

            246cc91c7d3e5d780e78192ee033f791e516b127

            SHA256

            e86dc0cf66df362220ae64e89480897d23fc7a54b475be3f7f78fb9cdc9ab3b7

            SHA512

            577a6b692f0e09e03f294d1aaab112450fcc6abfc6240074997bdeb050f229c4849f76828d815f862b7215ec24cc3aad5aa516da0d0a1ec84b1041fdf2c3a63c

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            7a23185532eaa0ba113cf67891e9bab2

            SHA1

            a89d32b04737b8bfdbeaee57920bd188e4708380

            SHA256

            e901458c7cfbe08faf8fdbc81db624c7ef1726929fcbedc7bd9df839f9d8c6df

            SHA512

            d3982b0bf09b0562836cc6f1cd795fd7eb70e94eff7d8754b330beed5ca73a1e8f9c1c04ab5f813e7d0273be1d7486834bf2d09f014a8bee04d8a6354bdd890c

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            7a23185532eaa0ba113cf67891e9bab2

            SHA1

            a89d32b04737b8bfdbeaee57920bd188e4708380

            SHA256

            e901458c7cfbe08faf8fdbc81db624c7ef1726929fcbedc7bd9df839f9d8c6df

            SHA512

            d3982b0bf09b0562836cc6f1cd795fd7eb70e94eff7d8754b330beed5ca73a1e8f9c1c04ab5f813e7d0273be1d7486834bf2d09f014a8bee04d8a6354bdd890c

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
            Filesize

            1KB

            MD5

            93a100713ff56b66e15f984d3100aab7

            SHA1

            4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656

            SHA256

            0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26

            SHA512

            df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_property.ico
            Filesize

            65KB

            MD5

            a348f66a6427a599596849f4256a5b8d

            SHA1

            1edc7072a3cdaaa191065ce17855e6a596cfe6de

            SHA256

            7e2789e022e43c931114d6a712e0ddeaa925975e08a77e3c403cd705c3b819e8

            SHA512

            2a564e12977ab9fc745563626e53eb882d0d3ed2c1c70eda231a9630066fb4d43a85ab919678faaf8e19252e2b93da1f2e43aad0768e46b9ec5587dadb26ea24

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.tracing.json.bk
            Filesize

            28B

            MD5

            6c7e84cb1a40e1e6a5cfe37e2ceaad04

            SHA1

            a2781444bb3c55196292df729b01be707ec1953a

            SHA256

            c6bf69533d3fc2c00d2e601726411163cae0e6cb168662eb6a58b492a25b042c

            SHA512

            97c9bc007beda6e6ea9c9aeea3f4033fe77304d5417a9f9f97ede9ed168f7259053f5861227a3a7eaa4859d1d1a7898705b0f8aae9527b4b607ab205e3b6e9aa

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\D3EF.exe
            Filesize

            1.1MB

            MD5

            52939ddac663150e902b58fdbb2d7b75

            SHA1

            a311ef6a1728ec247963a8b276da6f94d0d0a50c

            SHA256

            73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

            SHA512

            6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\D3EF.exe
            Filesize

            1.1MB

            MD5

            52939ddac663150e902b58fdbb2d7b75

            SHA1

            a311ef6a1728ec247963a8b276da6f94d0d0a50c

            SHA256

            73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

            SHA512

            6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit
          • \??\c:\program files (x86)\windowspowershell\modules\server_ok.dll
            Filesize

            726KB

            MD5

            a0ce53fe00fb60dcac5ef821dd8db72a

            SHA1

            7f9eb7bb35f0c1e2dbd5dc11953a1a7249df231d

            SHA256

            fa99f4e4e09deaeabf8e2976dfaa5a69d8dbbfa29bbcaf73262f968afbb37dcf

            SHA512

            303b8489b929c07c8fd9e9e1adfb60cb87be50af875b27c545318dd9b4736ead0b146695a5b69176f038cd14d1d53f40371498c73a96aa54a1b1040c507cf787

            Download Submit
          • memory/2568-152-0x00000000049F0000-0x0000000004B30000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2568-159-0x0000000005880000-0x0000000005FA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2568-147-0x00000000049F0000-0x0000000004B30000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2568-149-0x00000000049F0000-0x0000000004B30000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2568-150-0x00000000049F0000-0x0000000004B30000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2568-151-0x00000000049F0000-0x0000000004B30000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2568-139-0x0000000000000000-mapping.dmp
            Download
          • memory/2568-148-0x00000000049F0000-0x0000000004B30000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/2568-156-0x0000000004A69000-0x0000000004A6B000-memory.dmp
            Filesize

            8KB

            Download
          • memory/2568-145-0x0000000005880000-0x0000000005FA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2568-146-0x0000000005880000-0x0000000005FA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4064-172-0x0000000003480000-0x0000000003BA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4064-163-0x0000000003480000-0x0000000003BA5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4396-154-0x0000026C8F490000-0x0000026C8F5D0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4396-158-0x0000026C8DAC0000-0x0000026C8DCEA000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/4396-157-0x00000000006E0000-0x00000000008F9000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/4396-153-0x00007FF695B96890-mapping.dmp
            Download
          • memory/4396-155-0x0000026C8F490000-0x0000026C8F5D0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4676-169-0x0000000000000000-mapping.dmp
            Download
          • memory/4676-173-0x0000000004940000-0x0000000005065000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4676-174-0x0000000004940000-0x0000000005065000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4916-135-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/4916-134-0x0000000000400000-0x000000000045F000-memory.dmp
            Filesize

            380KB

            Download
          • memory/4916-133-0x00000000006B0000-0x00000000006B9000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4916-132-0x00000000006E8000-0x00000000006F9000-memory.dmp
            Filesize

            68KB

            Download
          • memory/5064-142-0x00000000020C8000-0x000000000219E000-memory.dmp
            Filesize

            856KB

            Download
          • memory/5064-143-0x00000000022A0000-0x00000000023B5000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/5064-144-0x0000000000400000-0x0000000000517000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/5064-136-0x0000000000000000-mapping.dmp
            Download