Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system
  • submitted
    19/12/2022, 12:47

General

  • Target

    423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe

  • Size

    311KB

  • MD5

    a034cbb1ffdcc27f1eb9d3e90d03a638

  • SHA1

    88d16b6e1b93389a89a2b86a6d57c512b57b678d

  • SHA256

    423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02

  • SHA512

    cae1ba18bd3483c34a2d13731c8e9fdd7cec0d0121b62f842b8eb6fda97f5032af0970f149da953a01ea7bebdd828ffc003a5abc45936c56d4c08b3a109d2376

  • SSDEEP

    6144:40AALtEZ8Ubf52YC96UOQ8IXa1atOgkfH4rWlRjO1n:407hEZ8UbtC4UE1wOgjrW9u

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 38 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 6 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 27 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe
    "C:\Users\Admin\AppData\Local\Temp\423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1128
  • C:\Users\Admin\AppData\Local\Temp\EBBC.exe
    C:\Users\Admin\AppData\Local\Temp\EBBC.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2592
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3060
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1748 -s 528
      2⤵
      • Program crash
      PID:628
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1748 -ip 1748
    1⤵
    PID:4092
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2832
  • C:\Users\Admin\AppData\Roaming\sawhret
    C:\Users\Admin\AppData\Roaming\sawhret
    1⤵
    • Executes dropped EXE
    • Checks SCSI registry key(s)
    • Suspicious behavior: MapViewOfSection
    PID:4876
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    PID:4632

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Program Files (x86)\WindowsPowerShell\Modules\libEGL.dll
    Filesize: 726KB
    MD5: ff41a290eb4ad4cac2c97294dfb9c2f7
    SHA1: 21cf8d73645332a9a4549a2c1b31ec77bfc871e6
    SHA256: 9ca56ec6aae9c91db6373d756a76da1d64150c246e30976b896ee8cd9c3eb823
    SHA512: 270356c5db26cfa4ec88e5b6f5c36a46846add44144ae106b3158eddeaf77a8d7c05926ee1b63ce6850da3c63f423afd11107fb81f76f91c869579b3aec2a42e

  • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
    Filesize: 576KB
    MD5: 03a81356c9b38d2a3e389e3885ff6c5b
    SHA1: 6d87a938979849332856362bee24087a08fbf73d
    SHA256: 08040b5a7c6b4a4ec016375528ad9c0b1a6172aae655070646ee3466be1dd055
    SHA512: 1c2d235f04fa161ce3215c18083851448025015c4e74b23165f40723ce319d83b585aeb18992acd324f45b4b3071762573847ec4ef7c7831317fc6b9efeabe47

  • C:\Users\Admin\AppData\Local\Temp\EBBC.exe
    Filesize: 1.1MB
    MD5: 8a4cb873c04ffe6859dd5bb381fed9b2
    SHA1: c71cb06097a8172057c7dd0ca61c27e164c1939a
    SHA256: c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
    SHA512: 352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd

  • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
    Filesize: 726KB
    MD5: 6ea8a6cc5fed6c664df1b3ef7c56b55d
    SHA1: 6b244d708706441095ae97294928967ddf28432b
    SHA256: 2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
    SHA512: 4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

  • C:\Users\Admin\AppData\Roaming\sawhret
    Filesize: 311KB
    MD5: a034cbb1ffdcc27f1eb9d3e90d03a638
    SHA1: 88d16b6e1b93389a89a2b86a6d57c512b57b678d
    SHA256: 423836be3f255bb3f0f2a2524cd24b979ab2f6f8149fd518790de7c4e1b63d02
    SHA512: cae1ba18bd3483c34a2d13731c8e9fdd7cec0d0121b62f842b8eb6fda97f5032af0970f149da953a01ea7bebdd828ffc003a5abc45936c56d4c08b3a109d2376

  • \??\c:\program files (x86)\windowspowershell\modules\libegl.dll
    Filesize: 726KB
    MD5: ff41a290eb4ad4cac2c97294dfb9c2f7
    SHA1: 21cf8d73645332a9a4549a2c1b31ec77bfc871e6
    SHA256: 9ca56ec6aae9c91db6373d756a76da1d64150c246e30976b896ee8cd9c3eb823
    SHA512: 270356c5db26cfa4ec88e5b6f5c36a46846add44144ae106b3158eddeaf77a8d7c05926ee1b63ce6850da3c63f423afd11107fb81f76f91c869579b3aec2a42e

  • memory/1128-136-0x0000000002190000-0x0000000002199000-memory.dmp
    Filesize: 36KB
  • memory/1128-137-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/1128-135-0x0000000000558000-0x000000000056E000-memory.dmp
    Filesize: 88KB
  • memory/1128-134-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/1128-133-0x0000000002190000-0x0000000002199000-memory.dmp
    Filesize: 36KB
  • memory/1128-132-0x0000000000558000-0x000000000056E000-memory.dmp
    Filesize: 88KB
  • memory/1748-144-0x0000000002113000-0x00000000021E9000-memory.dmp
    Filesize: 856KB
  • memory/1748-145-0x00000000022F0000-0x0000000002405000-memory.dmp
    Filesize: 1.1MB
  • memory/1748-146-0x0000000000400000-0x0000000000517000-memory.dmp
    Filesize: 1.1MB
  • memory/2592-150-0x0000000005330000-0x0000000005470000-memory.dmp
    Filesize: 1.2MB
  • memory/2592-151-0x0000000005330000-0x0000000005470000-memory.dmp
    Filesize: 1.2MB
  • memory/2592-154-0x0000000005330000-0x0000000005470000-memory.dmp
    Filesize: 1.2MB
  • memory/2592-153-0x0000000005330000-0x0000000005470000-memory.dmp
    Filesize: 1.2MB
  • memory/2592-147-0x0000000004B00000-0x0000000005225000-memory.dmp
    Filesize: 7.1MB
  • memory/2592-148-0x0000000004B00000-0x0000000005225000-memory.dmp
    Filesize: 7.1MB
  • memory/2592-158-0x00000000053A9000-0x00000000053AB000-memory.dmp
    Filesize: 8KB
  • memory/2592-149-0x0000000005330000-0x0000000005470000-memory.dmp
    Filesize: 1.2MB
  • memory/2592-152-0x0000000005330000-0x0000000005470000-memory.dmp
    Filesize: 1.2MB
  • memory/2592-161-0x0000000004B00000-0x0000000005225000-memory.dmp
    Filesize: 7.1MB
  • memory/3060-160-0x000001B754EB0000-0x000001B7550DA000-memory.dmp
    Filesize: 2.2MB
  • memory/3060-159-0x0000000000B70000-0x0000000000D89000-memory.dmp
    Filesize: 2.1MB
  • memory/3060-157-0x000001B756880000-0x000001B7569C0000-memory.dmp
    Filesize: 1.2MB
  • memory/3060-156-0x000001B756880000-0x000001B7569C0000-memory.dmp
    Filesize: 1.2MB
  • memory/4876-164-0x0000000000528000-0x000000000053D000-memory.dmp
    Filesize: 84KB
  • memory/4876-165-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB
  • memory/4876-166-0x0000000000400000-0x0000000000453000-memory.dmp
    Filesize: 332KB