Analysis
-
max time kernel
142s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
19-12-2022 13:34
General
-
Target
a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe
-
Size
311KB
-
MD5
382f445fa18126435bbd631d6720bf88
-
SHA1
4d714a4c71e87dddaea89f8ada74f9feb2e83a6d
-
SHA256
a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc
-
SHA512
abf5c104c74aa27f3dab57971820d97a9c25f765e20e273433dafaa1b4a447cd4f781b1f47a6af8c0350c29cf05fe918b807b2d410ae3b500fe2d2876169f978
-
SSDEEP
6144:k9R3L2Hj5hkGIFcPlS9LP/M1FxPH4rWlRjO1n:kL8j5hkGIF0s9LXmxArW9u
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 32 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe"C:\Users\Admin\AppData\Local\Temp\a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\BCFC.exeC:\Users\Admin\AppData\Local\Temp\BCFC.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 239793⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3140 -s 5362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3140 -ip 31401⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\viewerps.dll",nkpUQXhx2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\ViewerPS.dllFilesize
726KB
MD5ddaccee169da4acce9f7377688f27fde
SHA199ac72ff0d7ec2447d4e1879150d0f071aa8fed6
SHA256f688959f9119dee5943f8c7c0f97b794512aa14d7662886353e35c94a410f6cb
SHA512b61294e9146efbf7732f3def9d5608dbdfac1fe68325a2029b32b4d878317429a2552d7dd76db012fcfb03dc1642116f40bcb16d815215d8a4569e58f247922b
-
C:\Program Files (x86)\WindowsPowerShell\Modules\ViewerPS.dllFilesize
726KB
MD5ddaccee169da4acce9f7377688f27fde
SHA199ac72ff0d7ec2447d4e1879150d0f071aa8fed6
SHA256f688959f9119dee5943f8c7c0f97b794512aa14d7662886353e35c94a410f6cb
SHA512b61294e9146efbf7732f3def9d5608dbdfac1fe68325a2029b32b4d878317429a2552d7dd76db012fcfb03dc1642116f40bcb16d815215d8a4569e58f247922b
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32ww.msi.16.x-none.xmlFilesize
331KB
MD5b5cf5d15a8e6c6f2eb99a5645a2c2336
SHA17efe1b634ce1253a6761eb0c54f79dd42b79325f
SHA256f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c
SHA51283f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xmlFilesize
13KB
MD5c7405e2e68aec89e44862595ccc0d186
SHA12cc8d73f93dd875134917795633bb606911f1069
SHA2569a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37
SHA5120cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe.xmlFilesize
7KB
MD5cc4cc0e085cfafe9c540f7a6a4cad93e
SHA18982a1b3d8f3d8bc37b1c12f9a7f594723d03247
SHA256fa0819943729b9c38d89e92fcbc31ba393b49baa524bfa4ee9f2f471f8fcf756
SHA512b8f591ee4b5b241025a0d583efed50fb548a180599bc4dab2f7b978da4daf08ca917e539354e2510aaca35257854034de3e3f3a8242eaa71f5ec9c4b3dc289d5
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe.xmlFilesize
839B
MD55ddffd275e173019cb301fe2c96a2f3f
SHA10303cebf14f4304d93733426aee485e4bf7efe29
SHA256d1e768a7bb7a5851697a2a5bec63670c9d90b72d1f77169ef231c265b9cb8272
SHA512e92f31f56dc2f5dfa0963978239303d2c5755b5bfa363910f18e5168703d3ddfc506ad522915b90f9d489997a66a3db780762e750a658ac7835b75d8d299684a
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmpFilesize
2.3MB
MD5fb6ca0eabc5ef74a0e826d9dd225e346
SHA1564281df79abcb55a5a4481f5be0bd9d09213272
SHA256e2aebf5b22d995721f6f8aca57fcd004318bb710b2cf4a46bd675a622e14fc63
SHA512830f404f28408e63f8a7d0edae85596baa278f05f179373a67f0fcc1f2ca394154dd56b8401cf3f1e087f273d2f897f214d9cc54a2bf3eeb6db8c0ded0aebd60
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmpFilesize
2.3MB
MD5fb6ca0eabc5ef74a0e826d9dd225e346
SHA1564281df79abcb55a5a4481f5be0bd9d09213272
SHA256e2aebf5b22d995721f6f8aca57fcd004318bb710b2cf4a46bd675a622e14fc63
SHA512830f404f28408e63f8a7d0edae85596baa278f05f179373a67f0fcc1f2ca394154dd56b8401cf3f1e087f273d2f897f214d9cc54a2bf3eeb6db8c0ded0aebd60
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\TELEMETRY.ASM-WINDOWSSQ.jsonFilesize
53B
MD56b5c875287b25d64563bd7c830621b66
SHA1df0c4dcbbf3ce6706cae126955b4fcb88be0694a
SHA2569d45f7e6114d2088ab05423697cafedc0a9926f785358cb2faddc4f1e45b193d
SHA512608b92078a9082b4bfe2b066891127713cfd4329d8b26a3747b672c19e41e25242f60153517227a04a3f2b355805584cd4fe2f2dece45b1cd5dfc814a486d229
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ThemeSettings2013.xmlFilesize
2KB
MD5986d31966b8370330842dc0cd8eac1f1
SHA13e96a8f449cc3930a0cec85f2e24190452b058eb
SHA25656e478dcefd0863a8af9edb7d4f8bc746d077e5f5df637bad19e66cbbbe20cb0
SHA5127ed19b3eeeb35882795a3d4a20193b9a60e905ea855704afdc5ea7e3b27c3d954061ba04eff5ed9f7cf44aff7c9b4f443c74cfd6088027fb830ad49c59eceefd
-
C:\Users\Admin\AppData\Local\Temp\BCFC.exeFilesize
1.1MB
MD58a4cb873c04ffe6859dd5bb381fed9b2
SHA1c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd
-
C:\Users\Admin\AppData\Local\Temp\BCFC.exeFilesize
1.1MB
MD58a4cb873c04ffe6859dd5bb381fed9b2
SHA1c71cb06097a8172057c7dd0ca61c27e164c1939a
SHA256c51c27c86facb3ce46801e6a9f900292b5ba336760708438483e5246b7440029
SHA512352510a901636c9880afea8bdb1b9a8da63bed989b959ef1a560ec6baf59ea09ada9b04f853a838938510507b0d4d3aab484b46876a9801d7f9b138af7bd0fbd
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmpFilesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmpFilesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
\??\c:\program files (x86)\windowspowershell\modules\viewerps.dllFilesize
726KB
MD5ddaccee169da4acce9f7377688f27fde
SHA199ac72ff0d7ec2447d4e1879150d0f071aa8fed6
SHA256f688959f9119dee5943f8c7c0f97b794512aa14d7662886353e35c94a410f6cb
SHA512b61294e9146efbf7732f3def9d5608dbdfac1fe68325a2029b32b4d878317429a2552d7dd76db012fcfb03dc1642116f40bcb16d815215d8a4569e58f247922b
-
memory/1696-176-0x00000000042D0000-0x00000000049F5000-memory.dmpFilesize
7.1MB
-
memory/1696-175-0x00000000042D0000-0x00000000049F5000-memory.dmpFilesize
7.1MB
-
memory/1696-172-0x0000000000000000-mapping.dmp
-
memory/2104-174-0x0000000003010000-0x0000000003735000-memory.dmpFilesize
7.1MB
-
memory/2104-164-0x0000000003010000-0x0000000003735000-memory.dmpFilesize
7.1MB
-
memory/2240-133-0x00000000006B0000-0x00000000006B9000-memory.dmpFilesize
36KB
-
memory/2240-134-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/2240-135-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/2240-132-0x0000000000718000-0x000000000072E000-memory.dmpFilesize
88KB
-
memory/3140-136-0x0000000000000000-mapping.dmp
-
memory/3140-141-0x0000000000400000-0x0000000000517000-memory.dmpFilesize
1.1MB
-
memory/3140-145-0x0000000000400000-0x0000000000517000-memory.dmpFilesize
1.1MB
-
memory/3140-139-0x000000000211E000-0x00000000021F4000-memory.dmpFilesize
856KB
-
memory/3140-140-0x0000000002300000-0x0000000002415000-memory.dmpFilesize
1.1MB
-
memory/3144-150-0x0000000003D90000-0x0000000003ED0000-memory.dmpFilesize
1.2MB
-
memory/3144-148-0x0000000003D90000-0x0000000003ED0000-memory.dmpFilesize
1.2MB
-
memory/3144-153-0x0000000003D90000-0x0000000003ED0000-memory.dmpFilesize
1.2MB
-
memory/3144-146-0x0000000005040000-0x0000000005765000-memory.dmpFilesize
7.1MB
-
memory/3144-142-0x0000000000000000-mapping.dmp
-
memory/3144-147-0x0000000005040000-0x0000000005765000-memory.dmpFilesize
7.1MB
-
memory/3144-160-0x0000000005040000-0x0000000005765000-memory.dmpFilesize
7.1MB
-
memory/3144-149-0x0000000003D90000-0x0000000003ED0000-memory.dmpFilesize
1.2MB
-
memory/3144-157-0x0000000003E09000-0x0000000003E0B000-memory.dmpFilesize
8KB
-
memory/3144-152-0x0000000003D90000-0x0000000003ED0000-memory.dmpFilesize
1.2MB
-
memory/3144-151-0x0000000003D90000-0x0000000003ED0000-memory.dmpFilesize
1.2MB
-
memory/3432-178-0x0000000000000000-mapping.dmp
-
memory/4028-177-0x0000000000000000-mapping.dmp
-
memory/4760-158-0x0000000000910000-0x0000000000B29000-memory.dmpFilesize
2.1MB
-
memory/4760-159-0x000001E707D00000-0x000001E707F2A000-memory.dmpFilesize
2.2MB
-
memory/4760-155-0x000001E7096D0000-0x000001E709810000-memory.dmpFilesize
1.2MB
-
memory/4760-156-0x000001E7096D0000-0x000001E709810000-memory.dmpFilesize
1.2MB
-
memory/4760-154-0x00007FF742D76890-mapping.dmp