Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2022, 10:39

General

  • Target

    becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a.exe

  • Size

    312KB

  • MD5

    70864a483554c4c8144703fb3bafba78

  • SHA1

    3b7be19e63c68f795d51fe11c7ce84794a08b7ba

  • SHA256

    becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a

  • SHA512

    ef0dd2c3861dc28d004f98be697abdbaa7d349ea9bb356028829175f92a5af47d64cd118c44bb27498100f22ba10a96796379483cea065f23e9d69a31a1d86b0

  • SSDEEP

    6144:zxxMLqVQRlYBn49iKB3HOw04SBmLH4rWlRjO1n:zTMOVQROBnojFOpPrW9u

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox's generic signature text calls this likely ransomware behaviour, but nothing else in this report (no file encryption, no ransom note) supports that reading here; drive enumeration is equally consistent with the hardware fingerprinting checks listed below.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs
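Several of the signatures above (SCSI registry keys, processor information, physical storage devices) describe hardware fingerprinting used to tell an analysis VM from a real victim. The Python script below is an added illustration, not part of this report or of the sample: it reads the registry values such checks commonly target (the key paths and value names are assumptions based on the usual locations; the report itself only names the categories) and flags the virtualization markers a sample would match on. Run it on your own analysis VM to see what the sample sees; outside Windows it falls back to constructed sample values.

```python
import sys

# Registry locations commonly read for hardware fingerprinting. These paths are
# assumptions: the report only says "SCSI registry key(s)" and "processor information".
HARDWARE_VALUES = {
    "scsi_identifier": (
        r"HARDWARE\DEVICEMAP\Scsi\Scsi Port 0\Scsi Bus 0\Target Id 0\Logical Unit Id 0",
        "Identifier",
    ),
    "cpu_name": (r"HARDWARE\DESCRIPTION\System\CentralProcessor\0", "ProcessorNameString"),
    "bios_vendor": (r"HARDWARE\DESCRIPTION\System\BIOS", "SystemManufacturer"),
}

# Substrings a sandbox-aware sample typically looks for (matched case-insensitively).
VM_MARKERS = ("vbox", "virtualbox", "vmware", "qemu", "xen", "kvm", "hyper-v",
              "bochs", "innotek", "virtual")


def read_live_values():
    """Read the values from the local machine. Windows only (needs winreg)."""
    import winreg  # imported here so the module still loads on other platforms
    values = {}
    for name, (subkey, value_name) in HARDWARE_VALUES.items():
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
                values[name] = str(winreg.QueryValueEx(key, value_name)[0])
        except OSError:
            values[name] = ""  # missing key/value: nothing for the sample to match on
    return values


def vm_hits(values):
    """Map each value that contains a virtualization marker to the marker it matched."""
    hits = {}
    for name, text in values.items():
        lowered = text.lower()
        for marker in VM_MARKERS:
            if marker in lowered:
                hits[name] = marker
                break
    return hits


def looks_like_sandbox(values):
    """The decision a fingerprinting sample would make: any marker means 'analysis box'."""
    return bool(vm_hits(values))


# Constructed sample values for running outside Windows (not from the report).
SAMPLE_VM = {
    "scsi_identifier": "VBOX HARDDISK",
    "cpu_name": "Intel(R) Core(TM) i7 CPU",
    "bios_vendor": "innotek GmbH",
}
SAMPLE_BARE_METAL = {
    "scsi_identifier": "SAMSUNG SSD 970 EVO",
    "cpu_name": "AMD Ryzen 7 5800X 8-Core Processor",
    "bios_vendor": "Micro-Star International Co., Ltd.",
}

if __name__ == "__main__":
    values = read_live_values() if sys.platform == "win32" else SAMPLE_VM
    for name, text in values.items():
        print(f"{name:16} {text!r}")
    print("sandbox markers:", vm_hits(values) or "none")
```

If the script reports markers on your sandbox, the sample in this report had the same view; hiding them (renamed disk identifiers, patched SMBIOS strings) is what lets the later stages run and produce the network and download activity recorded here.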

Processes

  • C:\Users\Admin\AppData\Local\Temp\becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a.exe
    "C:\Users\Admin\AppData\Local\Temp\becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2532

  • C:\Users\Admin\AppData\Local\Temp\2DB7.exe
    C:\Users\Admin\AppData\Local\Temp\2DB7.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2268
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4036
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23999
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:2432
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
        PID:3744
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2268 -s 524
      2⤵
      • Program crash
      PID:4692

  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2268 -ip 2268
    1⤵
    PID:3480

  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3064

  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:4640
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\main.dll",lD5Wag==
      2⤵
      PID:3564
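Several launches in the process tree above stand out on a 64-bit Windows 10 host: rundll32.exe loading a .tmp file from the user's Temp directory, rundll32.exe loading main.dll from the PowerShell Modules folder by a base64-looking export name, schtasks /End on a built-in task, and rundll32.exe under a svchost.exe running from SysWOW64. The Python script below is an added example, not from this report or any vendor, of turning those observations into detection logic over process-creation events. The events are constructed from the command lines and PIDs shown in the tree (parent PIDs the report does not show are set to 0), plus one benign rundll32 launch with PID 9001 added as a control.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int  # 0 when the parent is not shown in the report
    image: str
    cmdline: str


# Constructed process-creation events, modelled on the tree in this report.
# PID 9001 is a benign rundll32 launch added as a control; it is not from the report.
EVENTS = [
    ProcEvent(2532, 0, r"C:\Users\Admin\AppData\Local\Temp\becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\becc1118b9c80b25464fde5a69a8f9c43a47931f8e261ed9806c74b10c1b211a.exe"'),
    ProcEvent(2268, 0, r"C:\Users\Admin\AppData\Local\Temp\2DB7.exe", r"C:\Users\Admin\AppData\Local\Temp\2DB7.exe"),
    ProcEvent(4036, 2268, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe'),
    ProcEvent(2432, 4036, r"C:\Windows\system32\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23999'),
    ProcEvent(3744, 4036, r"C:\Windows\SysWOW64\schtasks.exe", r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(3064, 0, r"C:\Windows\System32\rundll32.exe",
              r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"),
    ProcEvent(4640, 0, r"C:\Windows\SysWOW64\svchost.exe", r"C:\Windows\SysWOW64\svchost.exe -k LocalService"),
    ProcEvent(3564, 4640, r"C:\Windows\SysWOW64\rundll32.exe",
              r'"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\main.dll",lD5Wag=='),
    ProcEvent(9001, 800, r"C:\Windows\System32\rundll32.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]

# "<rundll32 path>" "<dll path>",<export>  (quotes optional on both parts)
RUNDLL_RE = re.compile(r'^"?[^"]*rundll32\.exe"?\s+"?([^",]+)"?\s*,\s*(\S+)', re.IGNORECASE)
# Export names that look like padded base64 (e.g. lD5Wag==) are not real export names.
BASE64_RE = re.compile(r"[A-Za-z0-9+/]+=+")
WINDOWS_DIR = "c:\\windows\\"


def parse_rundll32(cmdline):
    """Return (dll_path, export) from a rundll32 command line, or None if it has no DLL argument."""
    m = RUNDLL_RE.match(cmdline)
    return (m.group(1), m.group(2)) if m else None


def analyse(events):
    """Apply the detection rules; return a list of (pid, reason) findings."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        img = e.image.lower()
        name = img.rsplit("\\", 1)[-1]
        parent = by_pid.get(e.ppid)

        if "\\appdata\\local\\temp\\" in img:
            findings.append((e.pid, "executable launched from the user's Temp directory"))

        if name == "rundll32.exe":
            parsed = parse_rundll32(e.cmdline)
            if parsed:
                dll, export = parsed
                d = dll.lower()
                if not d.startswith(WINDOWS_DIR):
                    findings.append((e.pid, f"rundll32 loading a DLL outside %SystemRoot%: {dll}"))
                if not d.endswith(".dll"):
                    findings.append((e.pid, f"rundll32 loading a file without .dll extension: {dll}"))
                if BASE64_RE.fullmatch(export):
                    findings.append((e.pid, f"rundll32 export name looks base64-encoded: {export}"))
            if parent and parent.image.lower().endswith("\\svchost.exe"):
                findings.append((e.pid, "rundll32 spawned by svchost.exe"))

        if name == "svchost.exe" and "\\syswow64\\" in img:
            findings.append((e.pid, "32-bit svchost.exe from SysWOW64; service hosts run from System32 on x64"))

        if name == "schtasks.exe" and "/end" in e.cmdline.lower():
            findings.append((e.pid, "schtasks /End stopping a scheduled task: " + e.cmdline))
    return findings


if __name__ == "__main__":
    for pid, reason in analyse(EVENTS):
        print(f"PID {pid}: {reason}")
```

The two shell32.dll launches (PIDs 2432 and 3064) and the control pass cleanly, which is the point of keying the rules on the DLL's location, extension and export name rather than on rundll32.exe itself; in production the %SystemRoot% allow-list needs extending for legitimate third-party DLLs, but the Temp, ProgramData and base64-export conditions should stay strict.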

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\WindowsPowerShell\Modules\main.dll
    Filesize: 726KB
    MD5: 393f37717975f7ec877386128049bb09
    SHA1: 628570419a252a7877d0057cc78e5d32186950d8
    SHA256: 3403e946041361aaf52a5ef445f1d86e7e43b0f450a21831b9169ed8089a16a7
    SHA512: e2c1e223c7866d534fd1ccc69942789e0ab2866625597d947edce145b92d2acb081715441b91f59fb48445595729654156233ef41e7abf8c951a314546c11720

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch
    Filesize: 262B
    MD5: 0c19329f1a0959d6e069dd77dc32e7fc
    SHA1: 8216c5d18000ff6c11f0b562a85d650b3e07da7c
    SHA256: ca469f2580e20b3d1077355a1e0e673be724ac15ab15e859b7bc3bcf60854120
    SHA512: fbbe1626c32f7b77c77fa1e0e5f0c22562d3bdc15a4290cf300625efa782c31d9ac461ea2b6552dbc42f16137bfc226d98ee2f002a353245eae6afca873e912d

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe.xml
    Filesize: 9KB
    MD5: 993d82e37af681bd65f1d428b6ee281e
    SHA1: bb1a8402cfccd1d97ea58d6136847a4dd1ba0f65
    SHA256: 1bc1d4525a46e58edd165a9d792f50441ea3cbcecd14022dc112e02f3d9b5bf8
    SHA512: 4eb247e384ffa84460e43abe7563643de30f397b628c02f3e6e51c69669d5d7b8be6ebe51355586e5cd5a252652e0eef7f1bd0219b416b61e1db318db4ac833c

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
    Filesize: 17KB
    MD5: 88edd5a41ab82f584c96038657f61fa0
    SHA1: 7196dd2233a620172932cbe75afc1eae004de540
    SHA256: fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5
    SHA512: d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml
    Filesize: 27KB
    MD5: 539930de67b99bab23fe2c67000eeddb
    SHA1: 6b0e5ece46ecb0b019ec71caa44facf122647059
    SHA256: 2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c
    SHA512: ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
    Filesize: 2.3MB
    MD5: ba356d5ad2accbd05cba4ccb8b4219ec
    SHA1: 210ba30d539797a80e801fafc5b8434e8fae087c
    SHA256: 1dd52a0a7fdedfcd02d825ab229251d36c76277c16163555060e209cec395384
    SHA512: 19f2913e0d128d8b5b8c4ecf3f623ccdbe70378e9f9f58798c0d3d26b998afd78b3007ff012f7f279aa38af1eb0174ed7340611423e44bd9aa00b3ad5894368f

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\StorageHealthModel.dat
    Filesize: 542KB
    MD5: 1ffbb6bf6ac240feb3fada4eedbe5310
    SHA1: 3f8ef6d47bda2b464024e8d09577591fab2685d7
    SHA256: c09e4425d87b888993f114755887611f68d351961e429628b952b9b62b49ef5a
    SHA512: 18c37c2c207664a231144dced3f8a4b97c3787da1174c08f357d9d6e80ae5cd68bcaf2c89062371b40ac9d235a882053bb80d46c28ff7f4e85c2ab25dc5a7081

  • C:\Users\Admin\AppData\Local\Temp\2DB7.exe
    Filesize: 1.1MB
    MD5: bf8c7929bc3f4fad1da578dd2b73cc0d
    SHA1: 716a6662f38f3ebb7b2081cf620fc2bf58b4d21e
    SHA256: aa123ff84c9fc24ff4fd58d0b5796b6b176976774b877efd9ec1c8263e87b08f
    SHA512: afbc94473c1518114649de98a7fedfb24f842beb98a6129611850c93190467bc117552022b9ad678cb4138995c1c0ce0cfdb27010b6825c9b4bc1847d920e9ab

  • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
    Filesize: 726KB
    MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
    SHA1: 6b244d708706441095ae97294928967ddf28432b
    SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
    SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

  • \??\c:\program files (x86)\windowspowershell\modules\main.dll
    Filesize: 726KB
    MD5: 393f37717975f7ec877386128049bb09
    SHA1: 628570419a252a7877d0057cc78e5d32186950d8
    SHA256: 3403e946041361aaf52a5ef445f1d86e7e43b0f450a21831b9169ed8089a16a7
    SHA512: e2c1e223c7866d534fd1ccc69942789e0ab2866625597d947edce145b92d2acb081715441b91f59fb48445595729654156233ef41e7abf8c951a314546c11720

  • memory/2268-142-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2268-139-0x0000000000669000-0x000000000073F000-memory.dmp
    Filesize: 856KB
  • memory/2268-141-0x00000000022F0000-0x0000000002405000-memory.dmp
    Filesize: 1.1MB
  • memory/2432-157-0x0000000000C00000-0x0000000000E19000-memory.dmp
    Filesize: 2.1MB
  • memory/2432-154-0x0000013F68890000-0x0000013F689D0000-memory.dmp
    Filesize: 1.2MB
  • memory/2432-155-0x0000013F68890000-0x0000013F689D0000-memory.dmp
    Filesize: 1.2MB
  • memory/2432-158-0x0000013F66EC0000-0x0000013F670EA000-memory.dmp
    Filesize: 2.2MB
  • memory/2532-135-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/2532-134-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/2532-133-0x0000000002050000-0x0000000002059000-memory.dmp
    Filesize: 36KB
  • memory/2532-132-0x00000000004E9000-0x00000000004FF000-memory.dmp
    Filesize: 88KB
  • memory/3564-173-0x0000000004740000-0x0000000004E65000-memory.dmp
    Filesize: 7.1MB
  • memory/3564-174-0x0000000004740000-0x0000000004E65000-memory.dmp
    Filesize: 7.1MB
  • memory/4036-159-0x0000000004170000-0x0000000004895000-memory.dmp
    Filesize: 7.1MB
  • memory/4036-145-0x0000000004170000-0x0000000004895000-memory.dmp
    Filesize: 7.1MB
  • memory/4036-156-0x0000000004A19000-0x0000000004A1B000-memory.dmp
    Filesize: 8KB
  • memory/4036-152-0x00000000049A0000-0x0000000004AE0000-memory.dmp
    Filesize: 1.2MB
  • memory/4036-151-0x00000000049A0000-0x0000000004AE0000-memory.dmp
    Filesize: 1.2MB
  • memory/4036-150-0x00000000049A0000-0x0000000004AE0000-memory.dmp
    Filesize: 1.2MB
  • memory/4036-149-0x00000000049A0000-0x0000000004AE0000-memory.dmp
    Filesize: 1.2MB
  • memory/4036-148-0x00000000049A0000-0x0000000004AE0000-memory.dmp
    Filesize: 1.2MB
  • memory/4036-147-0x00000000049A0000-0x0000000004AE0000-memory.dmp
    Filesize: 1.2MB
  • memory/4036-146-0x0000000004170000-0x0000000004895000-memory.dmp
    Filesize: 7.1MB
  • memory/4640-163-0x0000000003A00000-0x0000000004125000-memory.dmp
    Filesize: 7.1MB
  • memory/4640-172-0x0000000003A00000-0x0000000004125000-memory.dmp
    Filesize: 7.1MB