danabot | 1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
Size

305KB
MD5

7e2587f9abd6549a88072d135730580a
SHA1

3035343a78141807b53c016387cbc1518da1dabf
SHA256

1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875
SHA512

7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46
SSDEEP

6144:TRgeL+GHqAVQujE9DkhkNokN0iPvzpQ6rFiaI:THSGHqA2uw28xnzpQ6rF

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2984-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

55 2064 rundll32.exe
73 2064 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

E16C.execdigifv

pid process

3972 E16C.exe
4012 cdigifv

flow	pid	process
55	2064	rundll32.exe
73	2064	rundll32.exe

pid	process
3972	E16C.exe
4012	cdigifv

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adoberfp\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\adoberfp.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adoberfp\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adoberfp\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService똀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adoberfp\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService퀀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\adoberfp\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService܀"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2064 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2064 set thread context of 3696 2064 rundll32.exe rundll32.exe

pid	process
2064	rundll32.exe

description	pid	process	target process
PID 2064 set thread context of 3696	2064	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rename.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WCChromeNativeMessagingHost.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\rename.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3868 3972 WerFault.exe E16C.exe

pid	pid_target	process	target process
3868	3972	WerFault.exe	E16C.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

cdigifv1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdigifv
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdigifv
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	cdigifv

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093554e4a100054656d7000003a0009000400efbe6b557d6c9355544a2e00000000000000000000000000000000000000000000000000d007ab00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2708

pid	process
2708

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe

pid	process
2984	1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
2984	1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708
2708

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2708
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.execdigifv

pid process

2984 1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
4012 cdigifv

pid	process
2708

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708
Token: SeShutdownPrivilege	2708
Token: SeCreatePagefilePrivilege	2708

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3696 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2708
2708

pid	process
3696	rundll32.exe

pid	process
2708
2708

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

E16C.exerundll32.exe

description	pid	process	target process
PID 2708 wrote to memory of 3972	2708		E16C.exe
PID 2708 wrote to memory of 3972	2708		E16C.exe
PID 2708 wrote to memory of 3972	2708		E16C.exe
PID 3972 wrote to memory of 2064	3972	E16C.exe	rundll32.exe
PID 3972 wrote to memory of 2064	3972	E16C.exe	rundll32.exe
PID 3972 wrote to memory of 2064	3972	E16C.exe	rundll32.exe
PID 2064 wrote to memory of 3696	2064	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 3696	2064	rundll32.exe	rundll32.exe
PID 2064 wrote to memory of 3696	2064	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe
"C:\Users\Admin\AppData\Local\Temp\1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2984

C:\Users\Admin\AppData\Local\Temp\E16C.exe
C:\Users\Admin\AppData\Local\Temp\E16C.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3972 -s 524
2⤵
- Program crash
PID:3868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3972 -ip 3972
1⤵
PID:1012

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3428

C:\Users\Admin\AppData\Roaming\cdigifv
C:\Users\Admin\AppData\Roaming\cdigifv
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:4012

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4396

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adoberfp.dll",aDYyMzdINA==
2⤵
PID:3964

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll

Filesize
726KB

MD5
d159e7cb029841606382dac7b0c596ed

SHA1
3f20192488a1083a62d7c74697d5e400985a9a64

SHA256
72f1cebcc150e434bcb60ed9d431eb621ca53e586ea42104af3ff07fee6df222

SHA512
60897c16157668283ab8db70f9c73f1fd53e92b752bc3e318482363f3f1651ff75040db174404157f3a6c5db6619b8fae0c036e87017fa5fb27246049c61baa4

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll

Filesize
726KB

MD5
d159e7cb029841606382dac7b0c596ed

SHA1
3f20192488a1083a62d7c74697d5e400985a9a64

SHA256
72f1cebcc150e434bcb60ed9d431eb621ca53e586ea42104af3ff07fee6df222

SHA512
60897c16157668283ab8db70f9c73f1fd53e92b752bc3e318482363f3f1651ff75040db174404157f3a6c5db6619b8fae0c036e87017fa5fb27246049c61baa4

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\EventStore.db

Filesize
48KB

MD5
b97918192e61733455e99ece7892027e

SHA1
879d6b5a6acec7a1bef2170c8fa0f372ba977376

SHA256
5f96900da826514166d2ca1ad08fd545a9923c92dbaf180a285a1bf5dfa3c46a

SHA512
60c674e388671ee5815e2fc0a46bcc6c2c37022f6d1d5069e389f9bee5d400417e4b4f00828092121955ca0968a161c5a33a868bf3109278a5ded9c691bd0a83

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml

Filesize
13KB

MD5
c7405e2e68aec89e44862595ccc0d186

SHA1
2cc8d73f93dd875134917795633bb606911f1069

SHA256
9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37

SHA512
0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.NET.Native.Framework.1.7_1.7.25531.0_x64__8wekyb3d8bbwe.xml

Filesize
1KB

MD5
c1e304a57b77d96dbac8ca07849f9b86

SHA1
76a2051cdd63b97419d076ee3e0972c7b11ee10c

SHA256
28bf7f3525db4ecacb36705ff7d30bee209ff200a15178bae8a2f0f27f7058b8

SHA512
86b48ef3207a257799b9d9c0e23859391dd3c5984e30d4fa761bc8853bbcc8b37193ab4bdb95b7dd36906ebdd8ad83f29811d9c76675f93f261d9d0cf7a26662

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SettingsLocationTemplate.xsd

Filesize
9KB

MD5
f35965aa615dd128c2b95cfe925145c3

SHA1
57346050388048feb8034d5011b105018483b4a0

SHA256
ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398

SHA512
82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
552256775056e5baf09f3ffe9659b7b7

SHA1
d8332dd21f840f5e381c763bf99c3ddcc5494a34

SHA256
1c9b3f41c298e25eadf07c6a3419698f24043ab06ad0a0447d86c5d45b3da8e4

SHA512
4619074b63615b4ff936c6789b11b26b6f538eb3cab1666ebc9a92e628cd3ee12e30eed16ccc76da0abf80d2cc575b44475d9881f068778c3dfd44d6cf882a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\E16C.exe

Filesize
1.1MB

MD5
52939ddac663150e902b58fdbb2d7b75

SHA1
a311ef6a1728ec247963a8b276da6f94d0d0a50c

SHA256
73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

SHA512
6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

Download Submit
C:\Users\Admin\AppData\Local\Temp\E16C.exe

Filesize
1.1MB

MD5
52939ddac663150e902b58fdbb2d7b75

SHA1
a311ef6a1728ec247963a8b276da6f94d0d0a50c

SHA256
73c4486426a8ae3962e83259140d771c80532da079c3da94965039f9d9b8b11a

SHA512
6f6ee5ef9700fa2fbd332ad5b8a749614a465feb9c0c8d0eb7115296c414694f4401535da73d6a413eb62c7c8e9be7bf412b9ecf27c892f5dbc0b1fd62264789

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Roaming\cdigifv

Filesize
305KB

MD5
7e2587f9abd6549a88072d135730580a

SHA1
3035343a78141807b53c016387cbc1518da1dabf

SHA256
1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875

SHA512
7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46

Download Submit
C:\Users\Admin\AppData\Roaming\cdigifv

Filesize
305KB

MD5
7e2587f9abd6549a88072d135730580a

SHA1
3035343a78141807b53c016387cbc1518da1dabf

SHA256
1fb7dd7192b8a4eb7deaccf37ea4cc8ddef62784cce137fd4e5445800e2d6875

SHA512
7d7fbe4a9b9b4c290b1a756fb0e076a2b8752b074e0845c86970526136ccb23c8691575ea52f06a0199fb8ae261432f9ea075b34fa55b52107e2db25cd0b7d46

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\adoberfp.dll

Filesize
726KB

MD5
d159e7cb029841606382dac7b0c596ed

SHA1
3f20192488a1083a62d7c74697d5e400985a9a64

SHA256
72f1cebcc150e434bcb60ed9d431eb621ca53e586ea42104af3ff07fee6df222

SHA512
60897c16157668283ab8db70f9c73f1fd53e92b752bc3e318482363f3f1651ff75040db174404157f3a6c5db6619b8fae0c036e87017fa5fb27246049c61baa4

Download Submit
memory/2064-146-0x0000000005450000-0x0000000005B75000-memory.dmp

Filesize
7.1MB

Download
memory/2064-139-0x0000000000000000-mapping.dmp

Download
memory/2064-149-0x00000000041A0000-0x00000000042E0000-memory.dmp

Filesize
1.2MB

Download
memory/2064-150-0x00000000041A0000-0x00000000042E0000-memory.dmp

Filesize
1.2MB

Download
memory/2064-151-0x00000000041A0000-0x00000000042E0000-memory.dmp

Filesize
1.2MB

Download
memory/2064-148-0x00000000041A0000-0x00000000042E0000-memory.dmp

Filesize
1.2MB

Download
memory/2064-152-0x00000000041A0000-0x00000000042E0000-memory.dmp

Filesize
1.2MB

Download
memory/2064-159-0x0000000005450000-0x0000000005B75000-memory.dmp

Filesize
7.1MB

Download
memory/2064-145-0x0000000005450000-0x0000000005B75000-memory.dmp

Filesize
7.1MB

Download
memory/2064-156-0x0000000004219000-0x000000000421B000-memory.dmp

Filesize
8KB

Download
memory/2064-147-0x00000000041A0000-0x00000000042E0000-memory.dmp

Filesize
1.2MB

Download
memory/2984-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2984-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2984-132-0x00000000006D8000-0x00000000006ED000-memory.dmp

Filesize
84KB

Download
memory/2984-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/3696-154-0x000001ED37970000-0x000001ED37AB0000-memory.dmp

Filesize
1.2MB

Download
memory/3696-153-0x00007FF6DFB46890-mapping.dmp

Download
memory/3696-158-0x000001ED35FA0000-0x000001ED361CA000-memory.dmp

Filesize
2.2MB

Download
memory/3696-157-0x0000000000C80000-0x0000000000E99000-memory.dmp

Filesize
2.1MB

Download
memory/3696-155-0x000001ED37970000-0x000001ED37AB0000-memory.dmp

Filesize
1.2MB

Download
memory/3964-178-0x0000000003F50000-0x0000000004675000-memory.dmp

Filesize
7.1MB

Download
memory/3964-176-0x0000000003F50000-0x0000000004675000-memory.dmp

Filesize
7.1MB

Download
memory/3964-174-0x0000000000000000-mapping.dmp

Download
memory/3972-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3972-143-0x0000000002280000-0x0000000002395000-memory.dmp

Filesize
1.1MB

Download
memory/3972-142-0x00000000020A4000-0x000000000217A000-memory.dmp

Filesize
856KB

Download
memory/3972-136-0x0000000000000000-mapping.dmp

Download
memory/4012-163-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4012-162-0x0000000000488000-0x000000000049D000-memory.dmp

Filesize
84KB

Download
memory/4012-164-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/4396-168-0x00000000036B0000-0x0000000003DD5000-memory.dmp

Filesize
7.1MB

Download
memory/4396-177-0x00000000036B0000-0x0000000003DD5000-memory.dmp

Filesize
7.1MB

Download