danabot | 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 10:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe
Size

1.1MB
MD5

c9234f802b4fb9bcf16237d438fa86e6
SHA1

81b2eb0d8d06c0006929a3e0ebdaf6615aca1908
SHA256

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7
SHA512

8c018af20bad4de00125fe1cdbeb7b8bb059846b7b67c75d31cd12bb909b7f012517bb7d31641a2d7156cf3a9798cccd14dd542f5e2079bd0d47a29c96102bd3
SSDEEP

24576:VM6foBca4H/sQ0NG6LdS9tbtOTxGIraEgsKiZZK3QASvzK6r:jfe/k/su6LatMDcsKKZYSvzKM

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

11 2668 rundll32.exe
12 2668 rundll32.exe
45 2668 rundll32.exe

flow	pid	process
11	2668	rundll32.exe
12	2668	rundll32.exe
45	2668	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeID\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AdobeID.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AdobeID\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2668 rundll32.exe
4352 svchost.exe
1240 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2668	rundll32.exe
4352	svchost.exe
1240	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2668 set thread context of 3748 2668 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2668 set thread context of 3748	2668	rundll32.exe	rundll32.exe

Drops file in Program Files directory 20 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\adoberfp.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\init.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\reflow.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adoberfp.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2656 3432 WerFault.exe 08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe

pid	pid_target	process	target process
2656	3432	WerFault.exe	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\65A3FCD29309972AA2E993584A547C1B49842F26	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\65A3FCD29309972AA2E993584A547C1B49842F26\Blob = 03000000010000001400000065a3fcd29309972aa2e993584a547c1b49842f2620000000010000006e0200003082026a308201d3a0030201020208454d26b4610653bc300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74696d6f6f65204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230313231393131303232325a170d3234313231383131303232325a305a3122302006035504030c1942616c74696d6f6f65204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100b009c25363d83a3ea9dccae4f2eaf96f1aace69a872f2f8c9b6baa537ff13ddd74f079b9405ad6e9ddd6421fe7e49a0a04e207f155f8437a24caddc6ded2314041ab4152466ca53bc25270c3d047141ff9464c4028ca994b8014d689725026b1b5ccf5e3977b5a9b5f6d0c8cd42ecb6ce667b513484dbd8420ed0d02e05ef94b0203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74696d6f6f65204379626572547275737420526f6f74300d06092a864886f70d01010b05000381810040dbd87e9a91bcd996383cb38433de6a75635fb8b89787db3468d424d9cab0e0d85332eb10fab50c51b545cb979d430eab5fe1c3568b736f8953bacd6e8ec930937b8bf09f048b59fd48d8de6cff2260d8421b932f73bc62d8f1c369ab1c8f53af0c44e0bea854d46947066d716453503c9e70e20a576ac729fb9377a4010ea5	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
4352	svchost.exe
4352	svchost.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe
4352	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2668 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3748 rundll32.exe
2668 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2668	rundll32.exe

pid	process
3748	rundll32.exe
2668	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3432 wrote to memory of 2668	3432	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 3432 wrote to memory of 2668	3432	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 3432 wrote to memory of 2668	3432	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 2668 wrote to memory of 3748	2668	rundll32.exe	rundll32.exe
PID 2668 wrote to memory of 3748	2668	rundll32.exe	rundll32.exe
PID 2668 wrote to memory of 3748	2668	rundll32.exe	rundll32.exe
PID 4352 wrote to memory of 1240	4352	svchost.exe	rundll32.exe
PID 4352 wrote to memory of 1240	4352	svchost.exe	rundll32.exe
PID 4352 wrote to memory of 1240	4352	svchost.exe	rundll32.exe
PID 2668 wrote to memory of 3940	2668	rundll32.exe	schtasks.exe
PID 2668 wrote to memory of 3940	2668	rundll32.exe	schtasks.exe
PID 2668 wrote to memory of 3940	2668	rundll32.exe	schtasks.exe
PID 2668 wrote to memory of 2320	2668	rundll32.exe	schtasks.exe
PID 2668 wrote to memory of 2320	2668	rundll32.exe	schtasks.exe
PID 2668 wrote to memory of 2320	2668	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe
"C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3432

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2668

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3748

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3940

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3432 -s 556
2⤵
- Program crash
PID:2656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3432 -ip 3432
1⤵
PID:3668

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4548

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4352

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobeid.dll",bEUn
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll
Filesize
726KB

MD5
c3af683c9c6920324e495f78c375fc53

SHA1
330fb8e030e63b57919e59a2405007ed956a8206

SHA256
ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686

SHA512
baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.dll
Filesize
726KB

MD5
c3af683c9c6920324e495f78c375fc53

SHA1
330fb8e030e63b57919e59a2405007ed956a8206

SHA256
ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686

SHA512
baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
820B

MD5
a8664f5906d9060a0a87bc01e35179bb

SHA1
1bbbc9f10431d2941805907a8a6d4009f4e2938c

SHA256
a8ed53b828f69fb5e6e28eef9a38b5753320aa7a942b4a4c2dbf67705d21e309

SHA512
389a4be3833050f89ea0bc5327514b3d80753eb6a214d4ad58d8c1b22770dcca2cdf099d4563db98e3d3f9530474b147e49cbed4b5b3e3a9e315a797f056049f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml
Filesize
9KB

MD5
996f11041df0526341cebbbd40a98390

SHA1
37f652515ef8c662840086d743f7f68d327cce52

SHA256
bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e

SHA512
6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe.xml
Filesize
6KB

MD5
7e913c1a399dd176eea1bb8f2be26268

SHA1
6be9a44820ffbabb10202af890da00c9aa2dfec2

SHA256
5295393602a18f301613c7160e24f88816070a41cf69b32c821b6d3858541b4a

SHA512
dc52de8489f586081c246a297a35987eb7f74e122f475df88cfdc683787fe532e609db3b43915c73f7f172e1a4fc13efacd1b52252d1041e5c8f4dd190009105

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft_Office_OfficeTelemetryAgentFallBack2016.xml
Filesize
3KB

MD5
1a3168a15983b890b16390a23a89a02e

SHA1
d56ce16d88d79159a27c2d1cd3770dc56d897ebe

SHA256
334782208e9520975f597b19a273fcc6f3a8a7caffd2e4fb22213f6b957f4946

SHA512
f2be33992fd70d90eb94973c19924229bb70da4ce21c9777cfccbf56b0635452b382d2846afe2b0cc80a83d3b6a2c855557855cfb22fc681d182b2b605daa668

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
b3422857a7d7e642950c80522bb39ba3

SHA1
316de4d290078b0aec174a6a161c1dac654bcd01

SHA256
5fa7cac49ed9e36fc87f8ccd4cf164bb8e2487c348374a267544a1e01dd1b509

SHA512
941ec15dd866f1125181cf57d4a00337e078f3172689b996584fe103647b006953fab2059ce2c7ce8cfbf3bd4991db8a4ce7a57c5ba125347ce6209595786cb8

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
b63af1a19730beb752f7eb64812f9e9e

SHA1
6613300d11a6532284715d4d42bf954fa2f4f467

SHA256
6b0ef8c1101b0a4db4019bd38c191c645efbf2a3306c4474e202a6642d1ff7b5

SHA512
96c1db795e860e1919c31d22d74c255279b8fc85a25f187c13562267203ee889309b839880a34d28bf1e7fd16e0d2f52ccf59d0e5beca57b487ce31dd370b749

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.privacy.json
Filesize
31B

MD5
4870433b19757ef8721b38acf2baa272

SHA1
d9def40343d41a6a80e936fc12db58ebb3e3fdb8

SHA256
cf39cf82fe54738a64f566a0f947ddabf90b7af56a899596fb34dca2a67ddfbc

SHA512
79c72e2c4d8a8538879f11c09877f78ea363ee28f70da66cae50a3372e600a1939372945dc4542a5ee649c18adb5e7d1129fc97635d48c165737193f8b682550

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\adobeid.dll
Filesize
726KB

MD5
c3af683c9c6920324e495f78c375fc53

SHA1
330fb8e030e63b57919e59a2405007ed956a8206

SHA256
ebd4c8bc1d96ea8a79428f937a2364eac9a541a7af023c4ea37bc582ae8c6686

SHA512
baec7d3b455c0b6d27871217a226b5bdefd033917660d90d95a03263baf1d40f98ec125b0182ea093293335b9f83dfdc9fa93d0e617ce770210452f5c4cbe29b

Download Submit
memory/1240-165-0x0000000004660000-0x0000000004D85000-memory.dmp

Filesize
7.1MB

Download
memory/1240-166-0x0000000004660000-0x0000000004D85000-memory.dmp

Filesize
7.1MB

Download
memory/1240-162-0x0000000000000000-mapping.dmp

Download
memory/2320-168-0x0000000000000000-mapping.dmp

Download
memory/2668-141-0x0000000004FC0000-0x0000000005100000-memory.dmp

Filesize
1.2MB

Download
memory/2668-138-0x00000000047D0000-0x0000000004EF5000-memory.dmp

Filesize
7.1MB

Download
memory/2668-139-0x00000000047D0000-0x0000000004EF5000-memory.dmp

Filesize
7.1MB

Download
memory/2668-151-0x00000000047D0000-0x0000000004EF5000-memory.dmp

Filesize
7.1MB

Download
memory/2668-140-0x0000000004FC0000-0x0000000005100000-memory.dmp

Filesize
1.2MB

Download
memory/2668-132-0x0000000000000000-mapping.dmp

Download
memory/2668-142-0x0000000004FC0000-0x0000000005100000-memory.dmp

Filesize
1.2MB

Download
memory/2668-143-0x0000000004FC0000-0x0000000005100000-memory.dmp

Filesize
1.2MB

Download
memory/2668-145-0x0000000004FC0000-0x0000000005100000-memory.dmp

Filesize
1.2MB

Download
memory/2668-144-0x0000000004FC0000-0x0000000005100000-memory.dmp

Filesize
1.2MB

Download
memory/3432-137-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3432-136-0x0000000002420000-0x0000000002535000-memory.dmp

Filesize
1.1MB

Download
memory/3432-135-0x0000000002342000-0x0000000002418000-memory.dmp

Filesize
856KB

Download
memory/3748-146-0x00007FF60E1A6890-mapping.dmp

Download
memory/3748-147-0x0000020888270000-0x00000208883B0000-memory.dmp

Filesize
1.2MB

Download
memory/3748-148-0x0000020888270000-0x00000208883B0000-memory.dmp

Filesize
1.2MB

Download
memory/3748-150-0x00000208868A0000-0x0000020886ACA000-memory.dmp

Filesize
2.2MB

Download
memory/3748-149-0x00000000005F0000-0x0000000000809000-memory.dmp

Filesize
2.1MB

Download
memory/3940-167-0x0000000000000000-mapping.dmp

Download
memory/4352-161-0x0000000003C30000-0x0000000004355000-memory.dmp

Filesize
7.1MB

Download
memory/4352-155-0x0000000003C30000-0x0000000004355000-memory.dmp

Filesize
7.1MB

Download
memory/4352-169-0x0000000003C30000-0x0000000004355000-memory.dmp

Filesize
7.1MB

Download