Analysis

  • max time kernel
    146s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2022, 11:11

General

  • Target

    file.exe

  • Size

    312KB

  • MD5

    70864a483554c4c8144703fb3bafba78

  • SHA1

    3b7be19e63c68f795d51fe11c7ce84794a08b7ba

  • SHA256

    becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a

  • SHA512

    ef0dd2c3861dc28d004f98be697abdbaa7d349ea9bb356028829175f92a5af47d64cd118c44bb27498100f22ba10a96796379483cea065f23e9d69a31a1d86b0

  • SSDEEP

    6144:zxxMLqVQRlYBn49iKB3HOw04SBmLH4rWlRjO1n:zTMOVQROBnojFOpPrW9u

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 18 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:3912
  • C:\Users\Admin\AppData\Local\Temp\E19B.exe
    C:\Users\Admin\AppData\Local\Temp\E19B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4912
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3832
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4912 -s 556
      2⤵
      • Program crash
      PID:2256
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4912 -ip 4912
    1⤵
    PID:4388
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3504
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:2492
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\snapshot_blob.dll",eSxNb1dNWlIx
      2⤵
      PID:3304

Downloads

  • C:\Program Files (x86)\WindowsPowerShell\Modules\snapshot_blob.dll
    Filesize: 726KB
    MD5: 4287fdf999ab2f103f2bc0a6d122b6ca
    SHA1: 9a16448a5d01e2e850416127a7fcbf01c3f4276e
    SHA256: 1dbec444c4ed6b68aac379338603123f032b5ca873683161ffc271e762c0df1e
    SHA512: 13357de3f5af3916beb69ef30f0c908f32909b690aabe3cd2afe01c750f93e8da97b27128de4f60422edf17b7ed2e424439ee0c9f949afad7033b39891dcc015

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32ww.msi.16.x-none.xml
    Filesize: 331KB
    MD5: b5cf5d15a8e6c6f2eb99a5645a2c2336
    SHA1: 7efe1b634ce1253a6761eb0c54f79dd42b79325f
    SHA256: f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
    SHA512: 83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmmui.msi.16.en-us.xml
    Filesize: 10KB
    MD5: 3ef69b2c0f15e6b97fca1141bc9beb9a
    SHA1: 421916704e31978eb77421161bb170003a83c1a2
    SHA256: f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc
    SHA512: cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ECApp_10.0.19041.1023_neutral__8wekyb3d8bbwe.xml
    Filesize: 2KB
    MD5: 13eb9cfbca43ebcd240e1fcff5acab4d
    SHA1: 5a0da86ab3f30905433677284eb843742f05afe5
    SHA256: 616d6a37866683e848fac3a17cecdea05e51da55420adcf947e40d062f587bb8
    SHA512: 256879b3d2c86ed4c3e8fccc8ffa09d11ae6eb6a2c9da4afa834f36b399752d7c46ceb638497cb28c48d874db0ccde15b73a22f1aa894b376aafd00f20b23352

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
    Filesize: 17KB
    MD5: 88edd5a41ab82f584c96038657f61fa0
    SHA1: 7196dd2233a620172932cbe75afc1eae004de540
    SHA256: fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5
    SHA512: d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe.xml
    Filesize: 1KB
    MD5: af5e2e83f730f2fd1c0a63c86437d00a
    SHA1: 0aee18034eae17e51f20858c05a9616b03c9b8c4
    SHA256: 6a8f415526a62ac93dc93850ce58b533e0ea93acf3e7fa72f917d123d664c210
    SHA512: 9a59e43913e131c976f772b442c02226abeb137b5a8f8bc3f57673fa6ea15e5bff0a3cc5af747f3730b6d0878f97ef0b18fde4e8afb5fd4674dc618335d17b20

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
    Filesize: 2.3MB
    MD5: d1464bdef68ef6079f22e27094403f7e
    SHA1: 88b4b5698c3c80e6d0aa5a86b00b57ae815ac3c3
    SHA256: db0af2374b59137d85f1b4ca27b1cfcdce9f73ef46cc8fc73e692297c91c9138
    SHA512: 801ed7982177bc36f93266c89f0e01c82d5c6a70f08de85763f21cfc8e329a1482f13039559d7c6ba8f8e69ccd1b9f860a05e6bec588240c6ff5ef1fdc21b915

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
    Filesize: 2.3MB
    MD5: d21b45479a3a0d55154dc355ff4a788e
    SHA1: cd8209b8e509dad7419c754223265d79b61c4463
    SHA256: e5a8ec267b6b336c2c7247d573eead83adc64d01e8aacf16d55145847f02bef1
    SHA512: 7e3ffbb77c6eeae01dd5712bc24a74b9c6c4efbd377ff3f507064379cb2725ebf98dc86456129dbeedfa721860721ead6bf9421bcedbcfe9c51ea892a6558bd9

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SmsInterceptStore.jfm
    Filesize: 16KB
    MD5: 42503cb1e39818ef9265e178f1c15cb6
    SHA1: 3a7ae377387bbff92f8f66cf5608a581ae0d7a84
    SHA256: 7cb882655d38dc1eba3f35810fa95138decf03fc90a828f17994d6bc76acb0d2
    SHA512: a39900fdf1f5012992824a470c26d9e0c61e34cca1987d06ee9802d1c81aef4197a9bfe941cd50a3954b485239db906f771953fc0795919f80f7bfdc88aba294

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ringtones.ico
    Filesize: 50KB
    MD5: 8b30e7cbd25f178baac418e9b507b61e
    SHA1: 73c93d967571bb88b1bdf33477e7a5f758fc18e9
    SHA256: 0afa2eb896ffe20c5244dd191be791231c8b5b71eff200e75a3150a8e3296f30
    SHA512: 6b0ff7ff67cbb4c8611696273ee16fc5d57b53ea7869e0c97686583d7875faa65f04d7678017628a11420000f8bb869f6dca5fcbefb53b1824443fa73544944d

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\setup.ini
    Filesize: 214B
    MD5: d8b2e1bfe12db863bdccdd49a5e1c8b5
    SHA1: 9c979907f03887b270d4e87b0cdd5377cff3692c
    SHA256: 00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301
    SHA512: 3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\user-192.png
    Filesize: 2KB
    MD5: 00974aab6b9832933e8ac609e50e5dce
    SHA1: 6fa57587c15d3de9c9ace6da93ab80830bd87771
    SHA256: 7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6
    SHA512: c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47

  • C:\Users\Admin\AppData\Local\Temp\E19B.exe
    Filesize: 1.1MB
    MD5: bf8c7929bc3f4fad1da578dd2b73cc0d
    SHA1: 716a6662f38f3ebb7b2081cf620fc2bf58b4d21e
    SHA256: aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f
    SHA512: afbc94473c1518114649de98a7fedfb24f842beb98a6129611850c93190467bc117552022b9ad678cb4138995c1c0ce0cfdb27010b6825c9b4bc1847d920e9ab

  • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
    Filesize: 726KB
    MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
    SHA1: 6b244d708706441095ae97294928967ddf28432b
    SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
    SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

  • \??\c:\program files (x86)\windowspowershell\modules\snapshot_blob.dll
    Filesize: 726KB
    MD5: 4287fdf999ab2f103f2bc0a6d122b6ca
    SHA1: 9a16448a5d01e2e850416127a7fcbf01c3f4276e
    SHA256: 1dbec444c4ed6b68aac379338603123f032b5ca873683161ffc271e762c0df1e
    SHA512: 13357de3f5af3916beb69ef30f0c908f32909b690aabe3cd2afe01c750f93e8da97b27128de4f60422edf17b7ed2e424439ee0c9f949afad7033b39891dcc015

  • memory/2492-176-0x0000000003E00000-0x0000000004525000-memory.dmp
    Filesize: 7.1MB
  • memory/2492-163-0x0000000003E00000-0x0000000004525000-memory.dmp
    Filesize: 7.1MB
  • memory/3304-177-0x0000000003BB0000-0x00000000042D5000-memory.dmp
    Filesize: 7.1MB
  • memory/3304-178-0x0000000003BB0000-0x00000000042D5000-memory.dmp
    Filesize: 7.1MB
  • memory/3832-155-0x0000018EBF540000-0x0000018EBF680000-memory.dmp
    Filesize: 1.2MB
  • memory/3832-157-0x0000000000820000-0x0000000000A39000-memory.dmp
    Filesize: 2.1MB
  • memory/3832-158-0x0000018EBDD00000-0x0000018EBDF2A000-memory.dmp
    Filesize: 2.2MB
  • memory/3832-156-0x0000018EBF540000-0x0000018EBF680000-memory.dmp
    Filesize: 1.2MB
  • memory/3912-135-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/3912-133-0x0000000002190000-0x0000000002199000-memory.dmp
    Filesize: 36KB
  • memory/3912-132-0x0000000000609000-0x000000000061F000-memory.dmp
    Filesize: 88KB
  • memory/3912-134-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/4628-149-0x0000000004BE0000-0x0000000004D20000-memory.dmp
    Filesize: 1.2MB
  • memory/4628-154-0x0000000004C59000-0x0000000004C5B000-memory.dmp
    Filesize: 8KB
  • memory/4628-148-0x0000000004BE0000-0x0000000004D20000-memory.dmp
    Filesize: 1.2MB
  • memory/4628-147-0x0000000004BE0000-0x0000000004D20000-memory.dmp
    Filesize: 1.2MB
  • memory/4628-146-0x0000000004300000-0x0000000004A25000-memory.dmp
    Filesize: 7.1MB
  • memory/4628-145-0x0000000004300000-0x0000000004A25000-memory.dmp
    Filesize: 7.1MB
  • memory/4628-159-0x0000000004300000-0x0000000004A25000-memory.dmp
    Filesize: 7.1MB
  • memory/4628-151-0x0000000004BE0000-0x0000000004D20000-memory.dmp
    Filesize: 1.2MB
  • memory/4628-152-0x0000000004BE0000-0x0000000004D20000-memory.dmp
    Filesize: 1.2MB
  • memory/4628-150-0x0000000004BE0000-0x0000000004D20000-memory.dmp
    Filesize: 1.2MB
  • memory/4912-142-0x0000000002094000-0x000000000216A000-memory.dmp
    Filesize: 856KB
  • memory/4912-143-0x0000000002360000-0x0000000002475000-memory.dmp
    Filesize: 1.1MB
  • memory/4912-144-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB