danabot | ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051

Analysis

max time kernel
144s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
Size

306KB
MD5

8ba89cb6de7e41ec69404990443a97ba
SHA1

af55bcc1d185f3e820d2a5a7eeb10170cf10011c
SHA256

ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051
SHA512

a9eeef96356bcdaa5a5ed8db9d4196bbe854f5ed11a7dc1c8e55fa5ee9ac3b50625f9b0851ebc6e29ddac8b23d019c47b55d4d48be0001664cc2b1cfd328c11a
SSDEEP

6144:feRrbPL/QsQk7H4p0HakV/S0iPvzpQ6rFiaI:fALQspo0z6xnzpQ6rF

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4596-133-0x00000000006F0000-0x00000000006F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

30 3108 rundll32.exe
53 3108 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

BEC1.exe

pid process

3388 BEC1.exe

flow	pid	process
30	3108	rundll32.exe
53	3108	rundll32.exe

pid	process
3388	BEC1.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\natives_blob.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\natives_blob\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3108 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3108 set thread context of 3500 3108 rundll32.exe rundll32.exe

pid	process
3108	rundll32.exe

description	pid	process	target process
PID 3108 set thread context of 3500	3108	rundll32.exe	rundll32.exe

Drops file in Program Files directory 36 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\server_lg.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_issue.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\adobepdf.xdc	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_shared.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobepdf.xdc	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-focus.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-focus.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\UnifiedShare.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\server_issue.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tesselate.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Scan_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Scan_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_shared.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\UnifiedShare.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1100 3388 WerFault.exe BEC1.exe

pid	pid_target	process	target process
1100	3388	WerFault.exe	BEC1.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355193f100054656d7000003a0009000400efbe6b558a6c9355203f2e0000000000000000000000000000000000000000000000000076177100540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1936

pid	process
1936

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe

pid	process
4596	ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
4596	ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936
1936

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1936
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe

pid process

4596 ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe

pid	process
1936

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936
Token: SeShutdownPrivilege	1936
Token: SeCreatePagefilePrivilege	1936

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3500 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1936
1936

pid	process
3500	rundll32.exe

pid	process
1936
1936

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

BEC1.exerundll32.exe

description	pid	process	target process
PID 1936 wrote to memory of 3388	1936		BEC1.exe
PID 1936 wrote to memory of 3388	1936		BEC1.exe
PID 1936 wrote to memory of 3388	1936		BEC1.exe
PID 3388 wrote to memory of 3108	3388	BEC1.exe	rundll32.exe
PID 3388 wrote to memory of 3108	3388	BEC1.exe	rundll32.exe
PID 3388 wrote to memory of 3108	3388	BEC1.exe	rundll32.exe
PID 3108 wrote to memory of 3500	3108	rundll32.exe	rundll32.exe
PID 3108 wrote to memory of 3500	3108	rundll32.exe	rundll32.exe
PID 3108 wrote to memory of 3500	3108	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe
"C:\Users\Admin\AppData\Local\Temp\ed30da424dc43e62e30ae480f41e237d0a8d7dbdd526d466cdc61f6303750051.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4596

C:\Users\Admin\AppData\Local\Temp\BEC1.exe
C:\Users\Admin\AppData\Local\Temp\BEC1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3388

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3500

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 536
2⤵
- Program crash
PID:1100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3388 -ip 3388
1⤵
PID:3464

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4084

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:1764

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\natives_blob.dll",YUgZVw==
2⤵
PID:4492

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll
Filesize
726KB

MD5
56d0c01294b5673f59f1f1e52c5dc6c4

SHA1
c4a9a75b34271ad0083361ee6ee24c5690b02b5f

SHA256
a44e564482d24568244e41e4486fd07e5edcfa17e583db78f7ed2956f9db8a2b

SHA512
9315157f73349ba239e9432e9fb888e86886aae992cbdffa5b1320f58069af04b602193506b36710516d3886a1c2f71851ca57f3d6b1f49c4a71cea784832117

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll
Filesize
726KB

MD5
56d0c01294b5673f59f1f1e52c5dc6c4

SHA1
c4a9a75b34271ad0083361ee6ee24c5690b02b5f

SHA256
a44e564482d24568244e41e4486fd07e5edcfa17e583db78f7ed2956f9db8a2b

SHA512
9315157f73349ba239e9432e9fb888e86886aae992cbdffa5b1320f58069af04b602193506b36710516d3886a1c2f71851ca57f3d6b1f49c4a71cea784832117

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\EaseOfAccessSettings2013.xml
Filesize
5KB

MD5
7ac38dcc72989ac01bd1a67d484af471

SHA1
458224b5c1c1696d8255a355a6100a4652fd7bd7

SHA256
923335d4d6399bd1bc2d44d264183cba0e2a2c3ecb1d18472003e787275d7e46

SHA512
ae5f247648411df8657a2806e5a9ff8e48bf79cf19d2b4101ef67fa78d7b55e37248190ed1d60f58255fe5ceff38017764b0a0d73108150dd4666dde75c0ce14

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
b290178a94a0bd93830d5714c11f9681

SHA1
9dd5d3337117568b6423a32dff9baf14fb11e73c

SHA256
5876d6a887dd7db15a3bea28e71c0aa044023eafb1eed8ca9356035f5943249c

SHA512
ef5af5bc01510ea6e865e11a94bcf67966a01930fcdd9ab10bcb854a06976f59c909bd10e9ff3ef0aea53bad9a4af510401c05ada4c017e45ff512a127dea9fb

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
827B

MD5
ded8a0ae2ade3e3cab8bfbfea00b969f

SHA1
73752c78795a78ef3b742ad41737959e6f51ee42

SHA256
ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85

SHA512
3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftLync2010.xml
Filesize
3KB

MD5
701beb4f8c252fb3c9f5dbdc94648048

SHA1
556ba20475a502b68b7992454be6c64ab355b4ec

SHA256
620e27a3746773947ba7ceee99d2b55e4e3cfa32a9164a0185a8cb8b22a55b67

SHA512
28c76c3d5ebb75797d37965b13cb05f852e25cc3d2558c38b091b82e12b78f268d58f144a0fcac32b30d70e5897ed7c647d4e3584edd2625ba7cdf5c54826faf

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2010Win64.xml
Filesize
71KB

MD5
490d1e0a28234dcd02db60d5a87f0691

SHA1
6edc0f7aa19150b49df1b96b5c6bbee036c0ef7a

SHA256
06ce8cb39081cd09df95911494f46ae85b27e37e4f83aa9c80b887bf69e87e22

SHA512
0ea4a0b0030371c031de694df115a284fa2d3a7697071072e2a7d83afbb60201313787e4d537a6111ba716e78d9dcfcac523633e2667bc00bbe1b125fb6641eb

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
aaa5b959aac4a6484baee0110db764b9

SHA1
2f5152a36f74fc650357a68677d300dbeb34841c

SHA256
d61b9aa03b756e66b6dfde765a8f1364281860c65367d4a8ae70f73db746fc6e

SHA512
371227cc9a92b776b0ac20ecdc36d585740c7eb72d85644c7cef3bad9595eed5ad31f8f4bc362562366b5acefad0ea33cc751a3ab98a2245b1b21462c7f240ff

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
aaa5b959aac4a6484baee0110db764b9

SHA1
2f5152a36f74fc650357a68677d300dbeb34841c

SHA256
d61b9aa03b756e66b6dfde765a8f1364281860c65367d4a8ae70f73db746fc6e

SHA512
371227cc9a92b776b0ac20ecdc36d585740c7eb72d85644c7cef3bad9595eed5ad31f8f4bc362562366b5acefad0ea33cc751a3ab98a2245b1b21462c7f240ff

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SmsInterceptStore.jfm
Filesize
16KB

MD5
8ad8eabf315217362a2392acce762345

SHA1
1a2dafdf90dd56fd53dc623b7cfa00f13f1d24e8

SHA256
9d6bac58cea0733dd170ce5aa77c11217f00bb395cf569f8a5f645ac2919445a

SHA512
6da2b3309f948e2244840ccc7301eafaf7e0db2426f8b6cc01027d821d89f6fc724fc1043ddfa645ea23991c64ea5a82d356baaddb43dd76a77be89955f01e77

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\netfol.ico
Filesize
28KB

MD5
3fa8c6dc1f72c3f9f8670a3e236459f2

SHA1
fcca30e9c5f861ac907150c76ca5f2174d214b7b

SHA256
dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7

SHA512
af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\print_property.ico
Filesize
58KB

MD5
30d7062e069bc0a9b34f4034090c1aae

SHA1
e5fcedd8e4cc0463c0bc6912b1791f2876e28a61

SHA256
24e77f244b0743e311b0fc97f06513a0cecf6560e92f9c6f164288a152d32000

SHA512
85dd6c916d48804a24dbbad0f4b4842453ac31a692905f8f2f34112eaa1bbf062a825d45ed5d800bbc4663a28b0b5003ebd5fa54991cf846f1028e929ea06de6

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
Filesize
1KB

MD5
0e190f6bbc7898c31d4eae77c6abebfe

SHA1
fb6673c8116b650f0536d56be09eb188d7bdc930

SHA256
f7f461d92f4a45d1232e7e5ad76cffbbb7b83abd69df864387c757051494d118

SHA512
faaf0699ddb7e4e152afaf54bed0794c9e816cb762454c277f5d52acf88a44535cc3a44797c73393fc50db8afe2566bcaf9a4f93d945c6b0b3d8458d16ae5312

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\settings.ico
Filesize
66KB

MD5
4896c2ad8ca851419425b06ec0fd95f2

SHA1
7d52e9355998f1b4487f8ef2b1b3785dec35d981

SHA256
1160a3a774b52f07453bde44755fbf76a8b1534c5ade19402f05857c249056b3

SHA512
271f40a273bc98738d450a8585cc84d097d88bbb6417fd20b4417d31b4e19b1b8fe860d044f70a3e4096588b9615c8cc588b1cab651ab1b4320d7ce1d74eb8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEC1.exe
Filesize
1.1MB

MD5
52939ddac663150e902b58fdbb2d7b75

SHA1
a311ef6a1728ec247963a8b276da6f94d0d0a50c

SHA256
73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

SHA512
6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

Download Submit
C:\Users\Admin\AppData\Local\Temp\BEC1.exe
Filesize
1.1MB

MD5
52939ddac663150e902b58fdbb2d7b75

SHA1
a311ef6a1728ec247963a8b276da6f94d0d0a50c

SHA256
73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

SHA512
6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\natives_blob.dll
Filesize
726KB

MD5
56d0c01294b5673f59f1f1e52c5dc6c4

SHA1
c4a9a75b34271ad0083361ee6ee24c5690b02b5f

SHA256
a44e564482d24568244e41e4486fd07e5edcfa17e583db78f7ed2956f9db8a2b

SHA512
9315157f73349ba239e9432e9fb888e86886aae992cbdffa5b1320f58069af04b602193506b36710516d3886a1c2f71851ca57f3d6b1f49c4a71cea784832117

Download Submit
memory/1220-181-0x0000000000000000-mapping.dmp

Download
memory/1764-178-0x0000000003AF0000-0x0000000004215000-memory.dmp

Filesize
7.1MB

Download
memory/1764-164-0x0000000003AF0000-0x0000000004215000-memory.dmp

Filesize
7.1MB

Download
memory/3108-160-0x0000000005BA0000-0x00000000062C5000-memory.dmp

Filesize
7.1MB

Download
memory/3108-153-0x0000000004D10000-0x0000000004E50000-memory.dmp

Filesize
1.2MB

Download
memory/3108-142-0x0000000000000000-mapping.dmp

Download
memory/3108-157-0x0000000004D89000-0x0000000004D8B000-memory.dmp

Filesize
8KB

Download
memory/3108-150-0x0000000004D10000-0x0000000004E50000-memory.dmp

Filesize
1.2MB

Download
memory/3108-146-0x0000000005BA0000-0x00000000062C5000-memory.dmp

Filesize
7.1MB

Download
memory/3108-147-0x0000000005BA0000-0x00000000062C5000-memory.dmp

Filesize
7.1MB

Download
memory/3108-152-0x0000000004D10000-0x0000000004E50000-memory.dmp

Filesize
1.2MB

Download
memory/3108-149-0x0000000004D10000-0x0000000004E50000-memory.dmp

Filesize
1.2MB

Download
memory/3108-148-0x0000000004D10000-0x0000000004E50000-memory.dmp

Filesize
1.2MB

Download
memory/3108-151-0x0000000004D10000-0x0000000004E50000-memory.dmp

Filesize
1.2MB

Download
memory/3388-141-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3388-139-0x000000000212F000-0x0000000002205000-memory.dmp

Filesize
856KB

Download
memory/3388-145-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3388-140-0x0000000002310000-0x0000000002425000-memory.dmp

Filesize
1.1MB

Download
memory/3388-136-0x0000000000000000-mapping.dmp

Download
memory/3500-158-0x0000000000AA0000-0x0000000000CB9000-memory.dmp

Filesize
2.1MB

Download
memory/3500-159-0x000002AEC6EA0000-0x000002AEC70CA000-memory.dmp

Filesize
2.2MB

Download
memory/3500-156-0x000002AEC6D40000-0x000002AEC6E80000-memory.dmp

Filesize
1.2MB

Download
memory/3500-155-0x000002AEC6D40000-0x000002AEC6E80000-memory.dmp

Filesize
1.2MB

Download
memory/3500-154-0x00007FF68EAF6890-mapping.dmp

Download
memory/4492-176-0x0000000000000000-mapping.dmp

Download
memory/4492-179-0x0000000004040000-0x0000000004765000-memory.dmp

Filesize
7.1MB

Download
memory/4492-180-0x0000000004040000-0x0000000004765000-memory.dmp

Filesize
7.1MB

Download
memory/4596-132-0x0000000000798000-0x00000000007AE000-memory.dmp

Filesize
88KB

Download
memory/4596-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4596-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4596-133-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download