Overview

overview

10

Static

static

d75b501a09...ac.exe

windows7-x64

10

d75b501a09...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 16:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

  • Size

    311KB

  • MD5

    ff8b0ef6c574e5f6f1fa4c4eb75c637d

  • SHA1

    3263f6595d1329cea9348b34a9857a98998a33c6

  • SHA256

    d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac

  • SHA512

    9c2d049aaf278d86db69256dd312cf34d1d1b6dcabe964b93ab2a29b21f9045bceaaf809b46c92e6c4f5d5f27befda9692712fc23c4d45de2bef147c98708ff4

  • SSDEEP

    6144:zjB1L2OqdTTq9rZ0NCKg4bBYqH4rWlRjO1n:zPHqdTuduLlarW9u

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 2 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 20 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
    "C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4900
  • C:\Users\Admin\AppData\Local\Temp\DFF5.exe
    C:\Users\Admin\AppData\Local\Temp\DFF5.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4376
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:1860
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3960
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4376 -s 536
      2⤵
      • Program crash
      PID:1176
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4376 -ip 4376
    1⤵
      PID:2924
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:752
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:4784
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\lighttheme.acrot.dll",YDgoNkJBQTc=
            2⤵
              PID:4596

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\LightTheme.acrot.dll
            Filesize

            726KB

            MD5

            f55482f5e9193ab1a96624d1141e5295

            SHA1

            b68846e0e176627833b7d9d39d2faaf3eb6a346f

            SHA256

            9acee974f297425167e238dfb90e36d909ad071a1d1515764624f87e4ba83165

            SHA512

            a6e643ebed09ef3d9b889f1cb31675954cd4f04e42da071eb92aad020e140719434bc7f3415fc87499ec584b47a22150ab5675ded152edaf74ea9ec91bfc6707

            Download Submit

          • C:\Program Files (x86)\WindowsPowerShell\Modules\LightTheme.acrot.dll
            Filesize

            726KB

            MD5

            f55482f5e9193ab1a96624d1141e5295

            SHA1

            b68846e0e176627833b7d9d39d2faaf3eb6a346f

            SHA256

            9acee974f297425167e238dfb90e36d909ad071a1d1515764624f87e4ba83165

            SHA512

            a6e643ebed09ef3d9b889f1cb31675954cd4f04e42da071eb92aad020e140719434bc7f3415fc87499ec584b47a22150ab5675ded152edaf74ea9ec91bfc6707

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.PowerPoint.PowerPoint.x-none.msi.16.x-none.xml
            Filesize

            109KB

            MD5

            1ff29aea22999055b5c3dda5785a807c

            SHA1

            cd93580b22754e44c6fda2b1127bf6539deea0c6

            SHA256

            a738adb72546d0ea134a20abe3adbeb8bc6c7b90d04cc72d2f217c154c83ce11

            SHA512

            ab28afe92584956fd6656d05a9e910bf45312b2f7b23e97ab92e4a95ae014300c16a509c1e81dc18c7e180cf9c6a74a2146cf0b53083a4d9c99c0eb97b0323c5

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
            Filesize

            820B

            MD5

            09eb72768015735e81d549d7a5087631

            SHA1

            0dc0de9d9f1f94a73b760e13dbfb033d58b2962c

            SHA256

            803200facef08eb731bceb63813c1c873628a271ada9661dda6bb4b638ccb5f8

            SHA512

            240680b7e01215938623781f3431fb5ae8a2630590285a824f7e41e63e8e06f6fa79e641f4ace6d9dcb96f0c3fe3e928f5ac0eb2992158bda8cb83e95c7e916a

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOutlook2013CAWin64.xml
            Filesize

            1KB

            MD5

            880227fa1e5c41f3a7ea11e13f156de7

            SHA1

            042b7a68c2b3c588522edd750209bb4576638991

            SHA256

            c7f9df2f4c59a9f856761c82d28874f752cad8bdca8102bff4ff41c514f0b9fc

            SHA512

            caa06d82bb2e828e4e08fcca96c4b789b31611864b827ae9468e9dfbadbe10a48ae366d3d96bf92567f41d0c6792986363a0dfa6564332296fe1c111ffef4f30

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SettingsLocationTemplate.xsd
            Filesize

            9KB

            MD5

            f35965aa615dd128c2b95cfe925145c3

            SHA1

            57346050388048feb8034d5011b105018483b4a0

            SHA256

            ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398

            SHA512

            82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            02d91034829459f8f388719d048e411e

            SHA1

            f44dfb37ea9dcc6e9ebaf60ea9787547af230021

            SHA256

            7b860b52f5ff6dafdbc45c3560cd46e6c3bb5fa7d50857758f8ac9950edeb740

            SHA512

            8d7e3071bf70d309d72f4b8ddaed88dd60af36fe7888452dda0704939bae41f119e01547fa5022dd3533c40aeb7f5ebf81f8ce0a247defbd350b32c641aabff3

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            24d5920a17e88afc68d76d8f4a67ecb5

            SHA1

            f7d20c057e847b99bd3ee5253beab282874f7393

            SHA256

            f474d1ea8fef690ac77f59ff7549a3977683a9a929cb15f656ade497face138e

            SHA512

            d1598eed76a3ce170bce01463f7cecba709f506d5d518dc9db2a05e48d3a1b0df086bfaa7712c6f751fdb401462158e9de82220587c3782905a556536cfe814e

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ThemeSettings2013.xml
            Filesize

            2KB

            MD5

            986d31966b8370330842dc0cd8eac1f1

            SHA1

            3e96a8f449cc3930a0cec85f2e24190452b058eb

            SHA256

            56e478dcefd0863a8af9edb7d4f8bc746d077e5f5df637bad19e66cbbbe20cb0

            SHA512

            7ed19b3eeeb35882795a3d4a20193b9a60e905ea855704afdc5ea7e3b27c3d954061ba04eff5ed9f7cf44aff7c9b4f443c74cfd6088027fb830ad49c59eceefd

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\netfol.ico
            Filesize

            28KB

            MD5

            3fa8c6dc1f72c3f9f8670a3e236459f2

            SHA1

            fcca30e9c5f861ac907150c76ca5f2174d214b7b

            SHA256

            dca1bd2f368d6165695ac6f48239722b9d38226bef45764a0076bbfa184cb0a7

            SHA512

            af6654f32cf0638204293e0117ff43e59f68537e391d3f4b1c7758632767eaa474d7cb44f3b4b7f9ba6cdefda9ec9368cf07814aed4e79949001bd44ede262ec

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\wlidsvcconfig.xml
            Filesize

            12KB

            MD5

            f9f25c79e2df9c8c8209b5d052a557b0

            SHA1

            2d4a14e2df96245a599bacb530e396c2900a5b61

            SHA256

            385214231d70603caaf00c1f2e9f115be35cc603d289dd878069f9933aa591b5

            SHA512

            7c9d68d4f96cef25f4703fe4db68fda9689308df759ef05666421c74f0e57b4c25fa8d1c6cf9e5a6a0e9a81d230669b8656279076e60ebfd1ba5b56770fa4ca2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\DFF5.exe
            Filesize

            1.1MB

            MD5

            8f4070594e2008388c46be164a59d9ae

            SHA1

            bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

            SHA256

            37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

            SHA512

            2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\DFF5.exe
            Filesize

            1.1MB

            MD5

            8f4070594e2008388c46be164a59d9ae

            SHA1

            bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

            SHA256

            37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

            SHA512

            2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit

          • \??\c:\program files (x86)\windowspowershell\modules\lighttheme.acrot.dll
            Filesize

            726KB

            MD5

            f55482f5e9193ab1a96624d1141e5295

            SHA1

            b68846e0e176627833b7d9d39d2faaf3eb6a346f

            SHA256

            9acee974f297425167e238dfb90e36d909ad071a1d1515764624f87e4ba83165

            SHA512

            a6e643ebed09ef3d9b889f1cb31675954cd4f04e42da071eb92aad020e140719434bc7f3415fc87499ec584b47a22150ab5675ded152edaf74ea9ec91bfc6707

            Download Submit

          • memory/1860-148-0x00000000043A0000-0x0000000004AC5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/1860-149-0x0000000004BE0000-0x0000000004D20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1860-150-0x0000000004BE0000-0x0000000004D20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1860-151-0x0000000004BE0000-0x0000000004D20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1860-152-0x0000000004BE0000-0x0000000004D20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1860-154-0x0000000004BE0000-0x0000000004D20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1860-141-0x0000000000000000-mapping.dmp

            Download

          • memory/1860-153-0x0000000004BE0000-0x0000000004D20000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1860-156-0x0000000004C59000-0x0000000004C5B000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1860-147-0x00000000043A0000-0x0000000004AC5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/1860-161-0x00000000043A0000-0x0000000004AC5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3960-155-0x00007FF716906890-mapping.dmp

            Download

          • memory/3960-160-0x0000014888770000-0x000001488899A000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/3960-158-0x0000014889FB0000-0x000001488A0F0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3960-159-0x00000000002A0000-0x00000000004B9000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3960-157-0x0000014889FB0000-0x000001488A0F0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4376-146-0x0000000000400000-0x0000000000517000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4376-145-0x00000000022B0000-0x00000000023C5000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/4376-144-0x00000000021D5000-0x00000000022AB000-memory.dmp

            Filesize

            856KB

            Download

          • memory/4376-138-0x0000000000000000-mapping.dmp

            Download

          • memory/4596-174-0x0000000000000000-mapping.dmp

            Download

          • memory/4596-178-0x0000000004880000-0x0000000004FA5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4596-177-0x0000000004880000-0x0000000004FA5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4784-165-0x00000000035D0000-0x0000000003CF5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4784-176-0x00000000035D0000-0x0000000003CF5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4900-132-0x0000000000508000-0x000000000051E000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4900-134-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/4900-133-0x00000000004E0000-0x00000000004E9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4900-135-0x0000000000508000-0x000000000051E000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4900-136-0x00000000004E0000-0x00000000004E9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/4900-137-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download