Analysis

  • max time kernel
    147s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2022, 09:03

General

  • Target

    file.exe

  • Size

    307KB

  • MD5

    1ac28017236cafb30ae46b8cfcdd3aff

  • SHA1

    aa0ecc6413d85ed7211628f45f741cfa1f338af5

  • SHA256

    c31c03e3c2e9ec95d2e80453222278603735971083824ce59ae7e8f2850dc6eb

  • SHA512

    a691763218b3b385272398e53ef301328ca78ea895840aca1d46fd85273701a00110ebb153c3c99253c5c179c4383053d4d7e5a89ec9d4926aca73d0b96962ff

  • SSDEEP

    6144:n+65LwOzcNUnWPx0KD5tMIHPmC7AEXQ8/0iPvzpQ6rFiaI:nF7zcNUnWGKDLMIvnnf/xnzpQ6rF

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 11 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 16 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5064
  • C:\Users\Admin\AppData\Local\Temp\3066.exe
    C:\Users\Admin\AppData\Local\Temp\3066.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:636
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4196
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23999
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2228
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 556
      2⤵
      • Program crash
      PID:2172
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 636 -ip 636
    1⤵
    PID:4628
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:4476
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:4440
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll",GBYCU2pSQ1hv
      2⤵
      PID:2132

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP..dll

    Filesize

    726KB

    MD5

    70a3d76df04a36ed596eb4ecc9e43201

    SHA1

    dd87607ba0b0f2f0c2b811112cfe7ebdef9b4378

    SHA256

    062ba512cf46cada8c9602a141d009513ad8b826ba3676aa3b14b9a372f91641

    SHA512

    2a8dc58ec7016e18b8270d602d9bd6af5d27f7a973032b25702c2612d7ebf8421310e3fff5766afd4f312f8b839ce93f5f792cb78fd89253169d6f75fda160a5

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.officemui.msi.16.en-us.xml

    Filesize

    122KB

    MD5

    35acff0f35559eac959647a7501385f7

    SHA1

    28e052e01fe4e0eac3eab461385460eff7efe271

    SHA256

    2669d714f126be033270a9f2919d6152f45c5bec970dc1ab8da09f41351234c0

    SHA512

    f3fa4e7499e15a63d2503355705eb08d15be0a3736145c3b46cc79a4fcf7e00df871f62af769090aff7692b34d93365cf413be7b86b27a9df0ecb8f481898ed2

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

    Filesize

    2.3MB

    MD5

    891eff248c54ad734371919ff2feaf74

    SHA1

    cde390117be6efb46279cfcd0abd0ebf87ffa57d

    SHA256

    ce7de2f9ea4e02433f407cf9765f661d5341573d5ab2d3a06b57eabfa88c8c55

    SHA512

    2a208d209e81de997e772606038b00788ebeaf72f3743279ae55c1516971b3d0bbd49d7ab2fe916288641a5b3f21778a8a51358aa0091dd27a2f69c39314ba8c

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\VdiState.xml

    Filesize

    892B

    MD5

    05a593ddf82be0bb1f258c9d0585f75d

    SHA1

    6712a2dd452fc768e5d9f7cd3805d1592c27d676

    SHA256

    bf438bec47694988412b0b5d395e112ffd4376521c0cc9c523a2a8d265c3b6be

    SHA512

    f379ebcc30a0368757500677691d5429fc4a1876379fb83101f7183e844bed37577fcf836cbbcdd09ff696e24745fdc9aa3149c4d7ea1fdc7d9fe243d384ece4

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edb.chk

    Filesize

    8KB

    MD5

    4dc7958684ca348ecbe0b8b8ba31ec94

    SHA1

    a35627fb2f6c8a1943399e9513203a053ee1e957

    SHA256

    9ea84932f08ab081a89a161ddd379d6aad1cef512c3287ff857aca94353cb158

    SHA512

    0a70f14fdd5d1f37473ee2f2cc8c354ee612be6f321de439bccd68faf7cde7ab44538beb55e28fb9c95e6ac7c6010a7a0ee603365c5e12a9ec44f8736f9d1cde

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ringtones.ico

    Filesize

    50KB

    MD5

    8b30e7cbd25f178baac418e9b507b61e

    SHA1

    73c93d967571bb88b1bdf33477e7a5f758fc18e9

    SHA256

    0afa2eb896ffe20c5244dd191be791231c8b5b71eff200e75a3150a8e3296f30

    SHA512

    6b0ff7ff67cbb4c8611696273ee16fc5d57b53ea7869e0c97686583d7875faa65f04d7678017628a11420000f8bb869f6dca5fcbefb53b1824443fa73544944d

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\stream.x64.x-none.hash

    Filesize

    128B

    MD5

    2b4d6d3b95916f9810449019372fbbde

    SHA1

    2c9f59c51fc6b290f758aed25a899dba37459fc6

    SHA256

    cea19b915390806a9677165794194c66b19e3198a342d51e5a880e7b55768ac7

    SHA512

    5cbb012b89989d53a7814dcb9f0391a761ebea6a7c9d1dcaae0efb476e61b30ce678387c4ff6fcebea0643f96d2f3bf126cff9511a75c1780ec89b51ba79c8db

  • C:\Users\Admin\AppData\Local\Temp\3066.exe

    Filesize

    1.1MB

    MD5

    d4fe627b0bc66a57bfdb76c531c06ce6

    SHA1

    1a9ff0a579460a2e90266ebbfbad127514a74e7a

    SHA256

    9292bc6aec169cc1f3f223470669c6307f1d3e61687544c0a228846c1cf0df97

    SHA512

    bea169646b86ca0659efe0989856d58098efcc70d8b8953045635ddd7d4293aed656771d8d0a1e5e4e87a4f272b8e6b69f4eeacd7d7f7220d5b6e50535aa2617

  • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

    Filesize

    726KB

    MD5

    6ea8a6cc5fed6c664df1b3ef7c56b55d

    SHA1

    6b244d708706441095ae97294928967ddf28432b

    SHA256

    2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

    SHA512

    4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

  • \??\c:\program files (x86)\windowspowershell\modules\cpdf_rhp..dll

    Filesize

    726KB

    MD5

    70a3d76df04a36ed596eb4ecc9e43201

    SHA1

    dd87607ba0b0f2f0c2b811112cfe7ebdef9b4378

    SHA256

    062ba512cf46cada8c9602a141d009513ad8b826ba3676aa3b14b9a372f91641

    SHA512

    2a8dc58ec7016e18b8270d602d9bd6af5d27f7a973032b25702c2612d7ebf8421310e3fff5766afd4f312f8b839ce93f5f792cb78fd89253169d6f75fda160a5

  • memory/636-142-0x000000000221B000-0x00000000022F1000-memory.dmp

    Filesize

    856KB

  • memory/636-144-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/636-143-0x0000000002300000-0x0000000002415000-memory.dmp

    Filesize

    1.1MB

  • memory/2132-174-0x0000000004210000-0x0000000004935000-memory.dmp

    Filesize

    7.1MB

  • memory/2132-173-0x0000000004210000-0x0000000004935000-memory.dmp

    Filesize

    7.1MB

  • memory/2228-154-0x00000274A4290000-0x00000274A43D0000-memory.dmp

    Filesize

    1.2MB

  • memory/2228-155-0x00000274A4290000-0x00000274A43D0000-memory.dmp

    Filesize

    1.2MB

  • memory/2228-156-0x00000274A28C0000-0x00000274A2AEA000-memory.dmp

    Filesize

    2.2MB

  • memory/2228-157-0x0000000000530000-0x0000000000749000-memory.dmp

    Filesize

    2.1MB

  • memory/2228-158-0x00000274A28C0000-0x00000274A2AEA000-memory.dmp

    Filesize

    2.2MB

  • memory/4196-153-0x0000000004C19000-0x0000000004C1B000-memory.dmp

    Filesize

    8KB

  • memory/4196-149-0x0000000004BA0000-0x0000000004CE0000-memory.dmp

    Filesize

    1.2MB

  • memory/4196-145-0x0000000004310000-0x0000000004A35000-memory.dmp

    Filesize

    7.1MB

  • memory/4196-159-0x0000000004310000-0x0000000004A35000-memory.dmp

    Filesize

    7.1MB

  • memory/4196-146-0x0000000004BA0000-0x0000000004CE0000-memory.dmp

    Filesize

    1.2MB

  • memory/4196-147-0x0000000004BA0000-0x0000000004CE0000-memory.dmp

    Filesize

    1.2MB

  • memory/4196-148-0x0000000004BA0000-0x0000000004CE0000-memory.dmp

    Filesize

    1.2MB

  • memory/4196-151-0x0000000004BA0000-0x0000000004CE0000-memory.dmp

    Filesize

    1.2MB

  • memory/4196-150-0x0000000004BA0000-0x0000000004CE0000-memory.dmp

    Filesize

    1.2MB

  • memory/4440-163-0x0000000002FE0000-0x0000000003705000-memory.dmp

    Filesize

    7.1MB

  • memory/4440-171-0x0000000002FE0000-0x0000000003705000-memory.dmp

    Filesize

    7.1MB

  • memory/5064-134-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/5064-133-0x0000000000670000-0x0000000000679000-memory.dmp

    Filesize

    36KB

  • memory/5064-135-0x0000000000400000-0x0000000000452000-memory.dmp

    Filesize

    328KB

  • memory/5064-132-0x00000000006A9000-0x00000000006BE000-memory.dmp

    Filesize

    84KB