Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19/12/2022, 11:40

General

  • Target

    36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

  • Size

    310KB

  • MD5

    c6d5caf032d4435e71637bd333f174fb

  • SHA1

    1971852a4bedd32ac3a74d7a9600dcb369e71cce

  • SHA256

    36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007

  • SHA512

    7a7176c80ade6000dbb7a4b94cb11f229b360ea8adab69d829cf24541d5f364e9f6143a697f1c839336da98261f9a038aacc4c463b90d67bb2fba56158d8144e

  • SSDEEP

    6144:+gxRLtYltAaD+/eWOGkLc3zJJaRH4rWlRjO1n:+qRpYlt5DXbBotJayrW9u

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 16 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 23 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
    "C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4332
  • C:\Users\Admin\AppData\Local\Temp\C614.exe
    C:\Users\Admin\AppData\Local\Temp\C614.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:3436
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:224
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4060
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
        3⤵
        PID:3432
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3436 -s 536
      2⤵
      • Program crash
      PID:3328
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3436 -ip 3436
    1⤵
    PID:208
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3424
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:5080
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\back-arrow-down.dll",HwkWVTFWUlpS
      2⤵
      PID:4824

Network

MITRE ATT&CK Enterprise v6

Downloads

                  • C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-down.dll

                    Filesize

                    726KB

                    MD5

                    d28fbb67ac9d3d1d4ab4a4842c70f678

                    SHA1

                    c9b7d11f272555535f5bcfe56dde17742c4c6ef4

                    SHA256

                    0e4f467d0751dce5efd4323ef07e5e3019e0a77e6dab03676339fafa52b558df

                    SHA512

                    59923921612c96168681a495a2afc9b04bd91e1a358f26c0a172aa1f094c096eda41be814486170705a2e4ee364e8480b5896bcfb93dd51dc8a5253d4576cd69

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml

                    Filesize

                    27KB

                    MD5

                    539930de67b99bab23fe2c67000eeddb

                    SHA1

                    6b0e5ece46ecb0b019ec71caa44facf122647059

                    SHA256

                    2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c

                    SHA512

                    ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe.xml

                    Filesize

                    15KB

                    MD5

                    2f71d0396b93381c1fd86bf822612868

                    SHA1

                    d0801700dd00a51276f32c6ed19f5b713b5db825

                    SHA256

                    0543ea8c8efce3d69431f57affc2cfa44df1b9244a25ed080e4b2014d0419026

                    SHA512

                    67022ce5c41641799abff9e68cb3f049c5d932aea5c6fd8748469e2e7f51f987f1bdfc7d831a8d11a69d99a77cc363c51db8be6ad50e4014eb63a15c1f25a722

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftEdgeUpdate.log

                    Filesize

                    103KB

                    MD5

                    7a1763f6f5577656a43c4c9bd844ff4c

                    SHA1

                    df0864de9dcaa196589a66e2280570986a8bbee3

                    SHA256

                    d786b67ba29815370580be2c6eccd29adc09a1095a38d7ceff3279f6ab68a325

                    SHA512

                    c276a742684e6cf3b1378204fd3cbce73ea9a9ba16550aef8571810785f4be3d0abb28d31a78c0a9e25756b8a91b4f905547a1762544b7bb17dd76a93ca430a9

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Policy.vpol

                    Filesize

                    444B

                    MD5

                    37c62fff1cdd42c987b1dea7875aea8a

                    SHA1

                    6c4dbb8c556315c7808f135ba9279ce9e5ccf7e1

                    SHA256

                    6cc104bdf2fa9eebe51c8a7ac70a265aee8601285afbac97c0a9e896a3a5854f

                    SHA512

                    a76404f14658b75b4495cf3d627e8a9aa6c07fe869eec4a6147a26589f4fe51024d340b97033a2a46e5f1e9643c0a9bc32cac8f88745aca9b79349532d03f0d5

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

                    Filesize

                    2.3MB

                    MD5

                    81ec934abf4fc9bd7b3ebb4486d56e7a

                    SHA1

                    a4e6a1e6575ff17175b20aee68c4042831dc7650

                    SHA256

                    d83702cfc2e4e74bce1ca31f12d644861bbe6759bab88c495e420dcc663e2d2e

                    SHA512

                    1dead0ce0db06c508f7cb83c7bd4ee8ea515e2f7bf762e8e218afd2e9f7da5795031e923ab16f67a9cff30c6250cd71578b0814a3a05297ecf334c0047b1660e

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\osver.txt

                    Filesize

                    10B

                    MD5

                    bea59a2f25178d677087edde21c60be7

                    SHA1

                    56844a00adee7f8d2c161808de19ce6fd191fb61

                    SHA256

                    4906553c99e9225413bacd029603f2549fe8d972bf389770063f3e932b623d80

                    SHA512

                    008622e6bf66c3cc4bdfc9cda7dc10376e310b560321ee0d7040f7c6da7673cd04799ee04b9e22bb45de378fa0791dc0b6bbf43efed1366d0520c26d803d7400

                  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\watermark.png

                    Filesize

                    28KB

                    MD5

                    1f93b502e78190a2f496c2d9558e069d

                    SHA1

                    6ae6249493d36682270c0d5e3eb3c472fdd2766e

                    SHA256

                    5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

                    SHA512

                    cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

                  • C:\Users\Admin\AppData\Local\Temp\C614.exe

                    Filesize

                    1.1MB

                    MD5

                    8a4cb873c04ffe6859dd5bb381fed9b2

                    SHA1

                    c71cb06097a8172057c7dd0ca61c27e164c1939a

                    SHA256

                    c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029

                    SHA512

                    352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd

                  • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

                    Filesize

                    726KB

                    MD5

                    6ea8a6cc5fed6c664df1b3ef7c56b55d

                    SHA1

                    6b244d708706441095ae97294928967ddf28432b

                    SHA256

                    2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

                    SHA512

                    4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

                  • \??\c:\program files (x86)\windowspowershell\modules\back-arrow-down.dll

                    Filesize

                    726KB

                    MD5

                    d28fbb67ac9d3d1d4ab4a4842c70f678

                    SHA1

                    c9b7d11f272555535f5bcfe56dde17742c4c6ef4

                    SHA256

                    0e4f467d0751dce5efd4323ef07e5e3019e0a77e6dab03676339fafa52b558df

                    SHA512

                    59923921612c96168681a495a2afc9b04bd91e1a358f26c0a172aa1f094c096eda41be814486170705a2e4ee364e8480b5896bcfb93dd51dc8a5253d4576cd69

                  • memory/224-154-0x0000000004F09000-0x0000000004F0B000-memory.dmp

                    Filesize

                    8KB

                  • memory/224-159-0x00000000046A0000-0x0000000004DC5000-memory.dmp

                    Filesize

                    7.1MB

                  • memory/224-147-0x0000000004E90000-0x0000000004FD0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/224-149-0x0000000004E90000-0x0000000004FD0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/224-150-0x0000000004E90000-0x0000000004FD0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/224-151-0x0000000004E90000-0x0000000004FD0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/224-152-0x0000000004E90000-0x0000000004FD0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/224-148-0x0000000004E90000-0x0000000004FD0000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/224-145-0x00000000046A0000-0x0000000004DC5000-memory.dmp

                    Filesize

                    7.1MB

                  • memory/224-146-0x00000000046A0000-0x0000000004DC5000-memory.dmp

                    Filesize

                    7.1MB

                  • memory/3436-144-0x0000000000400000-0x0000000000517000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/3436-143-0x0000000002290000-0x00000000023A5000-memory.dmp

                    Filesize

                    1.1MB

                  • memory/3436-142-0x0000000002054000-0x000000000212A000-memory.dmp

                    Filesize

                    856KB

                  • memory/4060-158-0x000001D64EE20000-0x000001D64F04A000-memory.dmp

                    Filesize

                    2.2MB

                  • memory/4060-157-0x0000000000AE0000-0x0000000000CF9000-memory.dmp

                    Filesize

                    2.1MB

                  • memory/4060-156-0x000001D6507F0000-0x000001D650930000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/4060-155-0x000001D6507F0000-0x000001D650930000-memory.dmp

                    Filesize

                    1.2MB

                  • memory/4332-132-0x0000000000558000-0x000000000056D000-memory.dmp

                    Filesize

                    84KB

                  • memory/4332-135-0x0000000000400000-0x0000000000453000-memory.dmp

                    Filesize

                    332KB

                  • memory/4332-134-0x0000000000400000-0x0000000000453000-memory.dmp

                    Filesize

                    332KB

                  • memory/4332-133-0x0000000000520000-0x0000000000529000-memory.dmp

                    Filesize

                    36KB

                  • memory/4824-173-0x0000000004410000-0x0000000004B35000-memory.dmp

                    Filesize

                    7.1MB

                  • memory/4824-174-0x0000000004410000-0x0000000004B35000-memory.dmp

                    Filesize

                    7.1MB

                  • memory/5080-172-0x0000000003470000-0x0000000003B95000-memory.dmp

                    Filesize

                    7.1MB

                  • memory/5080-163-0x0000000003470000-0x0000000003B95000-memory.dmp

                    Filesize

                    7.1MB