danabot | 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc

Analysis

max time kernel
143s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 14:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
Size

311KB
MD5

e471ee462cabc829b7f98094ec9ed40c
SHA1

6f9bc1e5a5df156c9f0fc8fbd6cfc52eef7dd868
SHA256

3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc
SHA512

22b5ae685ea50787fc5048e9ce894fe7aaca952b321e2af66967a3fb676f578754eb194a710af7072e3604e18a0a016f2df8a96f05d0ccf1009fb3c4e89b3259
SSDEEP

6144:sSlLoqgLs+GSquhTLIpbPIiIHmvEK8H4rWlRjO1n:ssUqgVqynIpbPIDGcKfrW9u

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/404-133-0x0000000002050000-0x0000000002059000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

30 2276 rundll32.exe
35 2276 rundll32.exe
54 2276 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

CAE6.exe

pid process

5076 CAE6.exe

flow	pid	process
30	2276	rundll32.exe
35	2276	rundll32.exe
54	2276	rundll32.exe

pid	process
5076	CAE6.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\icudtl\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\icudtl.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\icudtl\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

2276 rundll32.exe
4564 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2276 set thread context of 4360 2276 rundll32.exe rundll32.exe

pid	process
2276	rundll32.exe
4564	svchost.exe

description	pid	process	target process
PID 2276 set thread context of 4360	2276	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-144x144-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\cloud_icon.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudtl.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

760 5076 WerFault.exe CAE6.exe

pid	pid_target	process	target process
760	5076	WerFault.exe	CAE6.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

Checks processor information in registry 2 TTPs 50 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093559b7a100054656d7000003a0009000400efbe6b558a6c9355a27a2e00000000000000000000000000000000000000000000000000ed21d700540065006d007000000014000000
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

1056

pid	process
1056

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

pid	process
404	3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
404	3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056
1056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

1056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

pid process

404 3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe

pid	process
1056

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056
Token: SeShutdownPrivilege	1056
Token: SeCreatePagefilePrivilege	1056

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4360 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

1056
1056

pid	process
4360	rundll32.exe

pid	process
1056
1056

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

CAE6.exerundll32.exe

description	pid	process	target process
PID 1056 wrote to memory of 5076	1056		CAE6.exe
PID 1056 wrote to memory of 5076	1056		CAE6.exe
PID 1056 wrote to memory of 5076	1056		CAE6.exe
PID 5076 wrote to memory of 2276	5076	CAE6.exe	rundll32.exe
PID 5076 wrote to memory of 2276	5076	CAE6.exe	rundll32.exe
PID 5076 wrote to memory of 2276	5076	CAE6.exe	rundll32.exe
PID 2276 wrote to memory of 4360	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 4360	2276	rundll32.exe	rundll32.exe
PID 2276 wrote to memory of 4360	2276	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe
"C:\Users\Admin\AppData\Local\Temp\3edc45f11df046eea8b38f63c244b77db7562a77931b3b62ddda1c7ec233cbfc.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:404

C:\Users\Admin\AppData\Local\Temp\CAE6.exe
C:\Users\Admin\AppData\Local\Temp\CAE6.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5076

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23973
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4360

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3984

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5076 -s 528
2⤵
- Program crash
PID:760

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 5076 -ip 5076
1⤵
PID:4492

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4564

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\icudtl.dll",GRkA
2⤵
PID:1612

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\icudtl.dll
Filesize
726KB

MD5
06a7ada0820f67af8a35319c67934c24

SHA1
b79650b0ca8196131bea513a15c846f08e116aa1

SHA256
e1a5cd53ba4d9022b6a25f1a5c818b53939fe64023271fccd4e2787e4f8953d9

SHA512
f1bf92ffbac01291c32f294eeab24db607213da49db27cfab8e6b1aa8748a663381ebae569ad66d946a2dc095f3381004213292dc36e20742caa4937348475d2

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\icudtl.dll
Filesize
726KB

MD5
06a7ada0820f67af8a35319c67934c24

SHA1
b79650b0ca8196131bea513a15c846f08e116aa1

SHA256
e1a5cd53ba4d9022b6a25f1a5c818b53939fe64023271fccd4e2787e4f8953d9

SHA512
f1bf92ffbac01291c32f294eeab24db607213da49db27cfab8e6b1aa8748a663381ebae569ad66d946a2dc095f3381004213292dc36e20742caa4937348475d2

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_2019.125.2243.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
2bc8ee174a90308d275eda81bf42d95e

SHA1
284647d3ee515e4794d1984d2f01989f33121d2d

SHA256
d8bd4c83debd08b1a21d24b3c4a445512ef1931717c01e113fbfc20f47157ea8

SHA512
fe5d552cbfea372817d64c69f22cbf1a02d1b7ef27ef4a0acf68247a2794f58d09b0147ef110a0267bda87c6712ba18dc261a8c9c7e3ed4c1352bb324ed42327

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c.xml
Filesize
3KB

MD5
7c7088d81be7468216906e3c2e9b171b

SHA1
2c4acc956ac68eae04b8f86c93a62f411ed730a7

SHA256
9db8e860ebfbcec743ab4779801f4b4772ec6b5d295c894dd3a58c9767f08564

SHA512
6a2e6a3a26cc0c98db5039514d56232d592ed44b72ebe27dfe9fb965ce6fedc4202ecc3f49cf6be01aaa4780b7ad31f158523c51a158ad99ad86c596794cc9c4

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftNotepad.xml
Filesize
957B

MD5
06f405331f1f99bd455f4afa7b8ee0cc

SHA1
815d8d81c01208aef4bc1a0048b2d4f4171b26f6

SHA256
b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790

SHA512
a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
61f1f317648b7d7885bf9d4a97375d41

SHA1
668faf90153bb15cac59db51caabd01a2317d5ef

SHA256
ba835d772e98dc27ac2b4c5648c521bec38f88e944dc1f4472284eafd8a7e025

SHA512
04c8b5ad471a8ff051aabc8137a088c5144c2e076534dec0785472de48ec135c2b954dd1d4c0f4ddeef3563c4e4724898a9a3b12b5f7d5771c69ea20350d2db2

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\c5e2524a-ea46-4f67-841f-6a9465d9d515_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
b92eea712a8a63a66e21156d66a5fcfc

SHA1
86f3274afee32518c49307c92b586ca67fbd98ae

SHA256
d6ca1a7c439c5e1d33f71959740e9991c89152ff6f4c429c146d13f40a4b428e

SHA512
94577d5a1b344af5862e9f0ed430cbae21f4d955604684faf57e236a6aeb03f0340816dc8b4d758f943e24e105d0dce420984b082621f6f57745ba758870464f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
Filesize
1KB

MD5
6097c7d404561758417639b12d27baf9

SHA1
21d00beeae632bd9e507c9fa76d64ebfc72d4618

SHA256
df08eac8ede4a75785dcee3fc0819d22e2f9b6af07b2fe42149401aaa788f1d4

SHA512
b4716a20095942973f2ac292acf8693d6a68fdb96317438f057039a31d19de1030622b092b0f02b61a409a5b6581baf7506cd4c58f79c4c36cf01abc131cc3db

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE6.exe
Filesize
1.1MB

MD5
076f3ebdf25ab73e33b760c7171db59a

SHA1
76ec6960e35a5b4adb6886479355c9a93bddcc00

SHA256
57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21

SHA512
8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CAE6.exe
Filesize
1.1MB

MD5
076f3ebdf25ab73e33b760c7171db59a

SHA1
76ec6960e35a5b4adb6886479355c9a93bddcc00

SHA256
57d4d742672d0b1a350de9a156f806404a137fe73c32363df3976a5205cade21

SHA512
8e40439ec3331b877b81ee3daf15bc647cdb00092e7d50bd5df47f322d200ea1e6e3e3d8cb3951c9d8d253ae8e56de0102f98f330a29d4ba950739feb7dddba5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\icudtl.dll
Filesize
726KB

MD5
06a7ada0820f67af8a35319c67934c24

SHA1
b79650b0ca8196131bea513a15c846f08e116aa1

SHA256
e1a5cd53ba4d9022b6a25f1a5c818b53939fe64023271fccd4e2787e4f8953d9

SHA512
f1bf92ffbac01291c32f294eeab24db607213da49db27cfab8e6b1aa8748a663381ebae569ad66d946a2dc095f3381004213292dc36e20742caa4937348475d2

Download Submit
memory/404-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-132-0x00000000004E9000-0x00000000004FE000-memory.dmp

Filesize
84KB

Download
memory/404-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/404-133-0x0000000002050000-0x0000000002059000-memory.dmp

Filesize
36KB

Download
memory/1612-170-0x0000000000000000-mapping.dmp

Download
memory/1612-172-0x00000000049F0000-0x0000000005115000-memory.dmp

Filesize
7.1MB

Download
memory/1612-174-0x00000000049F0000-0x0000000005115000-memory.dmp

Filesize
7.1MB

Download
memory/2276-154-0x0000000004F19000-0x0000000004F1B000-memory.dmp

Filesize
8KB

Download
memory/2276-145-0x00000000046B0000-0x0000000004DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2276-152-0x0000000004EA0000-0x0000000004FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2276-139-0x0000000000000000-mapping.dmp

Download
memory/2276-146-0x00000000046B0000-0x0000000004DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2276-147-0x0000000004EA0000-0x0000000004FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2276-148-0x0000000004EA0000-0x0000000004FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2276-159-0x00000000046B0000-0x0000000004DD5000-memory.dmp

Filesize
7.1MB

Download
memory/2276-149-0x0000000004EA0000-0x0000000004FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2276-151-0x0000000004EA0000-0x0000000004FE0000-memory.dmp

Filesize
1.2MB

Download
memory/2276-150-0x0000000004EA0000-0x0000000004FE0000-memory.dmp

Filesize
1.2MB

Download
memory/3984-175-0x0000000000000000-mapping.dmp

Download
memory/4360-155-0x0000018B78B60000-0x0000018B78CA0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-158-0x0000000000E50000-0x0000000001069000-memory.dmp

Filesize
2.1MB

Download
memory/4360-157-0x0000018B78B60000-0x0000018B78CA0000-memory.dmp

Filesize
1.2MB

Download
memory/4360-156-0x0000018B77190000-0x0000018B773BA000-memory.dmp

Filesize
2.2MB

Download
memory/4360-153-0x00007FF6E22E6890-mapping.dmp

Download
memory/4360-160-0x0000018B77190000-0x0000018B773BA000-memory.dmp

Filesize
2.2MB

Download
memory/4564-173-0x0000000003B60000-0x0000000004285000-memory.dmp

Filesize
7.1MB

Download
memory/4564-164-0x0000000003B60000-0x0000000004285000-memory.dmp

Filesize
7.1MB

Download
memory/5076-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/5076-143-0x0000000002260000-0x0000000002375000-memory.dmp

Filesize
1.1MB

Download
memory/5076-142-0x0000000002159000-0x000000000222F000-memory.dmp

Filesize
856KB

Download
memory/5076-136-0x0000000000000000-mapping.dmp

Download