danabot | 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 14:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe
Size

1.1MB
MD5

8f4070594e2008388c46be164a59d9ae
SHA1

bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69
SHA256

37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34
SHA512

2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8
SSDEEP

24576:D4MwERrcsuCg2luv/4QwWU7kTV4t83ZUcwFP:MhMcsBl2whOHUDFP

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 1252 rundll32.exe
11 1252 rundll32.exe
42 1252 rundll32.exe
44 1252 rundll32.exe

flow	pid	process
10	1252	rundll32.exe
11	1252	rundll32.exe
42	1252	rundll32.exe
44	1252	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Compare_R_RHP..dll츀"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Compare_R_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Compare_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1252 rundll32.exe
3912 svchost.exe
2660 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1252	rundll32.exe
3912	svchost.exe
2660	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1252 set thread context of 3676 1252 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1252 set thread context of 3676	1252	rundll32.exe	rundll32.exe

Drops file in Program Files directory 49 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-locale-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_sent.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\aic_file_icons_retina_thumb_new.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP..dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\descript.ion	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_sent.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\en.ttt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-private-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ext.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.pdf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\es.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\IA2Marshal.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

956 4924 WerFault.exe 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe

pid	pid_target	process	target process
956	4924	WerFault.exe	37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\77586E43F2CE4501CEB1C82DF3A5F33166C60C82\Blob = 03000000010000001400000077586e43f2ce4501ceb1c82df3a5f33166c60c8220000000010000004b02000030820247308201b0a003020102020874aa59446437fa49300d06092a864886f70d01010b0500304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b3009060355040613025553301e170d3230313231393135353234355a170d3234313231383135353234355a304f3115301306035504030c0c495352472052686f7420583131293027060355040a0c20496e7465726e65742053656375726974792052657365617263682047726f7570310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100cbbfd4fbf81e862e0d6d3bb1a20370306784933a20602299df35d7ac9b5f1312edd4bfc02f916c2d30453e3dc9fa4bcef088d9f1764a8cb4d3ceb9294236f5a11b51aac5c0e7c3fb882579102f9e974fd07a63d4bfe85921824ab169e26eedd926573d3bf4c0aeacdf25937d6c3c1fc10b0df3afdab306c7d6b10729fa8569810203010001a32c302a300f0603551d130101ff040530030101ff30170603551d110410300e820c495352472052686f74205831300d06092a864886f70d01010b050003818100b5834880d49083301ef6ced451f012fa726bf2867d16727aac8e936263d4cc4a130c8023e691dc0cbd6d5beb4a4e4fc53b7dcc966e41394b2e3606bd74f95c1e464499f7f80203dd3fc5daabf348108f7a57c24f075c3a8f50ab98358229fa5161208b2689d2623ff084d5d4392b2b0bfef7904c1e5d3a06792e791190b7c254	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\77586E43F2CE4501CEB1C82DF3A5F33166C60C82	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3912	svchost.exe
3912	svchost.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
1252	rundll32.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe
3912	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1252 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3676 rundll32.exe
1252 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1252	rundll32.exe

pid	process
3676	rundll32.exe
1252	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4924 wrote to memory of 1252	4924	37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe	rundll32.exe
PID 4924 wrote to memory of 1252	4924	37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe	rundll32.exe
PID 4924 wrote to memory of 1252	4924	37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe	rundll32.exe
PID 1252 wrote to memory of 3676	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 3676	1252	rundll32.exe	rundll32.exe
PID 1252 wrote to memory of 3676	1252	rundll32.exe	rundll32.exe
PID 3912 wrote to memory of 2660	3912	svchost.exe	rundll32.exe
PID 3912 wrote to memory of 2660	3912	svchost.exe	rundll32.exe
PID 3912 wrote to memory of 2660	3912	svchost.exe	rundll32.exe
PID 1252 wrote to memory of 5112	1252	rundll32.exe	schtasks.exe
PID 1252 wrote to memory of 5112	1252	rundll32.exe	schtasks.exe
PID 1252 wrote to memory of 5112	1252	rundll32.exe	schtasks.exe
PID 1252 wrote to memory of 3944	1252	rundll32.exe	schtasks.exe
PID 1252 wrote to memory of 3944	1252	rundll32.exe	schtasks.exe
PID 1252 wrote to memory of 3944	1252	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe
"C:\Users\Admin\AppData\Local\Temp\37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1252

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3676

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:5112

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3944

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4924 -s 536
2⤵
- Program crash
PID:956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4924 -ip 4924
1⤵
PID:1300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4228

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3912

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\compare_r_rhp..dll",fWMaODJGQQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2660

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP..dll
Filesize
726KB

MD5
c9c39a86b314df57c332445236d1dc43

SHA1
d67ce9db6189ee6367179a0d80cc316a747d29c0

SHA256
e5d2038a55d04e9d32dbcc5b754c61f53b22e0ff213cd184545541edfbfae4ab

SHA512
d0a2eaf0ada9e2ff7c9d518b2cdb353fbc9f732a64e6bd287ddb92f6c9b4169e46f65fdd9f651f0337dd70ac130f94acfbadd754d191ebae2cc33945db8fa46a

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP..dll
Filesize
726KB

MD5
c9c39a86b314df57c332445236d1dc43

SHA1
d67ce9db6189ee6367179a0d80cc316a747d29c0

SHA256
e5d2038a55d04e9d32dbcc5b754c61f53b22e0ff213cd184545541edfbfae4ab

SHA512
d0a2eaf0ada9e2ff7c9d518b2cdb353fbc9f732a64e6bd287ddb92f6c9b4169e46f65fdd9f651f0337dd70ac130f94acfbadd754d191ebae2cc33945db8fa46a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml
Filesize
109KB

MD5
1ff29aea22999055b5c3dda5785a807c

SHA1
cd93580b22754e44c6fda2b1127bf6539deea0c6

SHA256
a738adb72546d0ea134a20abe3adbeb8bc6c7b90d04cc72d2f217c154c83ce11

SHA512
ab28afe92584956fd6656d05a9e910bf45312b2f7b23e97ab92e4a95ae014300c16a509c1e81dc18c7e180cf9c6a74a2146cf0b53083a4d9c99c0eb97b0323c5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.Proof.Culture.msi.16.en-us.xml
Filesize
25KB

MD5
c61439f60c39268b94a18e5d51f0b26e

SHA1
4ee213d4f4438b2fd8841bcb7ee07ca0f4742b3a

SHA256
06bc78753a1130463805f6ee03e1c2fe991e04d14e02ad852e8f857c43e24213

SHA512
88310fcea8cfa7fa1f028d4af3d529ef92cad0002705a5c720e5779cf465555917ac63042d999c575c22889b229e624f3da01525797dd262309d95461b75b45c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32mui.msi.16.en-us.xml
Filesize
16KB

MD5
ada34b241139f06addc86a9e8d1108f0

SHA1
909a92a4e970ae4edcfc365a119d4f4410b0bcf6

SHA256
3069814db0a03ed2ce383cb97739d07545d3b67a2b532d9c07d0d5aa3c6a4f3a

SHA512
2797c6087798660773cfa65f002a4232d75c8b8f787deb12364af683653b41de411ca2de54be1aa86356ba3b6203775c9afaedd513ad33c26f273047f87537a0

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
350dab619d466050e7566f1b82993d58

SHA1
5da8f090da73d529b8ce455857228cad4323afc6

SHA256
8785b195b76b12c1257e19accc028385aba6742e7f8bf9a431c51b3f97711b41

SHA512
f048153e1560501a9ef381f5e6231f3af730ca2b8d6d606ae1f835f50226cd0a3aa1c0ed72264152ef62684f69b100f954998c4681cd5d9103e41f11e55912b4

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\stream.x64.en-us.dat.cat
Filesize
109KB

MD5
2800ad935a91f65e3a39d28d7ec8b12b

SHA1
2e87ae6f577e833894abaa85117f29fd8c2178db

SHA256
7a9e9a26077199809f7a69d4486b58d98b5b972a2652084de0e212bc070410bd

SHA512
3564cdd0ff8efd862f6f3e123f8a5990d255bf735ee7eed3d622ecd40dfe53b9e1ae0c623a9d0036ca73e24a7c4f91b9a0174129084536362d23b10e6c730dff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\compare_r_rhp..dll
Filesize
726KB

MD5
c9c39a86b314df57c332445236d1dc43

SHA1
d67ce9db6189ee6367179a0d80cc316a747d29c0

SHA256
e5d2038a55d04e9d32dbcc5b754c61f53b22e0ff213cd184545541edfbfae4ab

SHA512
d0a2eaf0ada9e2ff7c9d518b2cdb353fbc9f732a64e6bd287ddb92f6c9b4169e46f65fdd9f651f0337dd70ac130f94acfbadd754d191ebae2cc33945db8fa46a

Download Submit
memory/1252-132-0x0000000000000000-mapping.dmp

Download
memory/1252-143-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/1252-145-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/1252-139-0x00000000042E0000-0x0000000004A05000-memory.dmp

Filesize
7.1MB

Download
memory/1252-144-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/1252-138-0x00000000042E0000-0x0000000004A05000-memory.dmp

Filesize
7.1MB

Download
memory/1252-149-0x0000000004B89000-0x0000000004B8B000-memory.dmp

Filesize
8KB

Download
memory/1252-142-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/1252-140-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/1252-141-0x0000000004B10000-0x0000000004C50000-memory.dmp

Filesize
1.2MB

Download
memory/1252-152-0x00000000042E0000-0x0000000004A05000-memory.dmp

Filesize
7.1MB

Download
memory/2660-161-0x0000000000000000-mapping.dmp

Download
memory/2660-165-0x0000000003DA0000-0x00000000044C5000-memory.dmp

Filesize
7.1MB

Download
memory/2660-164-0x0000000003DA0000-0x00000000044C5000-memory.dmp

Filesize
7.1MB

Download
memory/3676-147-0x0000014B9A050000-0x0000014B9A190000-memory.dmp

Filesize
1.2MB

Download
memory/3676-151-0x0000014B98680000-0x0000014B988AA000-memory.dmp

Filesize
2.2MB

Download
memory/3676-150-0x0000000000350000-0x0000000000569000-memory.dmp

Filesize
2.1MB

Download
memory/3676-148-0x0000014B9A050000-0x0000014B9A190000-memory.dmp

Filesize
1.2MB

Download
memory/3676-146-0x00007FF7AE4F6890-mapping.dmp

Download
memory/3912-163-0x0000000003B80000-0x00000000042A5000-memory.dmp

Filesize
7.1MB

Download
memory/3912-156-0x0000000003B80000-0x00000000042A5000-memory.dmp

Filesize
7.1MB

Download
memory/3912-168-0x0000000003B80000-0x00000000042A5000-memory.dmp

Filesize
7.1MB

Download
memory/3944-167-0x0000000000000000-mapping.dmp

Download
memory/4924-135-0x0000000002267000-0x000000000233D000-memory.dmp

Filesize
856KB

Download
memory/4924-136-0x00000000023B0000-0x00000000024C5000-memory.dmp

Filesize
1.1MB

Download
memory/4924-137-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/5112-166-0x0000000000000000-mapping.dmp

Download