danabot | 37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 16:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lapov.exe
Size

1.1MB
MD5

8f4070594e2008388c46be164a59d9ae
SHA1

bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69
SHA256

37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34
SHA512

2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8
SSDEEP

24576:D4MwERrcsuCg2luv/4QwWU7kTV4t83ZUcwFP:MhMcsBl2whOHUDFP

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 932 rundll32.exe
11 932 rundll32.exe
39 932 rundll32.exe
41 932 rundll32.exe

flow	pid	process
10	932	rundll32.exe
11	932	rundll32.exe
39	932	rundll32.exe
41	932	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DataMatrix\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DataMatrix.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DataMatrix\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

932 rundll32.exe
2248 svchost.exe
3800 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
932	rundll32.exe
2248	svchost.exe
3800	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 932 set thread context of 2776 932 rundll32.exe rundll32.exe

description	pid	process	target process
PID 932 set thread context of 2776	932	rundll32.exe	rundll32.exe

Drops file in Program Files directory 50 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_super.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\he.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-multibyte-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\gu.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\io.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-filesystem-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Exp_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-default.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_asym.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-time-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\channel-prefs.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\co.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-timezone-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cs.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1592 4868 WerFault.exe lapov.exe

pid	pid_target	process	target process
1592	4868	WerFault.exe	lapov.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\956EE49C3E1F541635349AD811073F5907CBD35B	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\956EE49C3E1F541635349AD811073F5907CBD35B\Blob = 030000000100000014000000956ee49c3e1f541635349ad811073f5907cbd35b2000000001000000b0020000308202ac30820215a0030201020208284684e57dbf0081300d06092a864886f70d01010b050030733132303006035504030c294d6963726f736f667420526f6f7420436972746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e64301e170d3230313231393137333631395a170d3234313231383137333631395a30733132303006035504030c294d6963726f736f667420526f6f7420436972746966696361746520417574686f726974792032303131311e301c060355040a0c154d6963726f736f667420436f72706f726174696f6e310b30090603550406130255533110300e06035504070c075265646d6f6e6430819f300d06092a864886f70d010101050003818d00308189028181009d38f0264aca3af285d6bab36cc76b495a7ea669b2e638bd0d39fefce45b1d29d606115619962a8475ef34f3023cf99f54081d73a940319ba84d83310004d339dd06129427796f25ac7042d505371c94e0e11d5cc1cde39b8d8db700ed2fbc014edf1898ba908edaf6c98502528196b2708ed5773f4227b5ce9aaa89ba5df5e10203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f667420526f6f7420436972746966696361746520417574686f726974792032303131300d06092a864886f70d01010b0500038181001040552139af134306cd108f6eb46185b0c495a4025f2a7e835666b956003cb6b4edd17397569295ab23a7bed97f5d94f79433d421f7f84282a2ea0f5930bb8e239089bf34f1f5e526d40c379c13ffe87ed2fc5625fec276b73c148213589f14e2fd7b31139038f597dd194c0f2e1da266ac9cbd393cb8bf4cf3c8287fe68489	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

svchost.exerundll32.exe

pid	process
2248	svchost.exe
2248	svchost.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
932	rundll32.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe
2248	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 932 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2776 rundll32.exe
932 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	932	rundll32.exe

pid	process
2776	rundll32.exe
932	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

lapov.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4868 wrote to memory of 932	4868	lapov.exe	rundll32.exe
PID 4868 wrote to memory of 932	4868	lapov.exe	rundll32.exe
PID 4868 wrote to memory of 932	4868	lapov.exe	rundll32.exe
PID 932 wrote to memory of 2776	932	rundll32.exe	rundll32.exe
PID 932 wrote to memory of 2776	932	rundll32.exe	rundll32.exe
PID 932 wrote to memory of 2776	932	rundll32.exe	rundll32.exe
PID 2248 wrote to memory of 3800	2248	svchost.exe	rundll32.exe
PID 2248 wrote to memory of 3800	2248	svchost.exe	rundll32.exe
PID 2248 wrote to memory of 3800	2248	svchost.exe	rundll32.exe
PID 932 wrote to memory of 2968	932	rundll32.exe	schtasks.exe
PID 932 wrote to memory of 2968	932	rundll32.exe	schtasks.exe
PID 932 wrote to memory of 2968	932	rundll32.exe	schtasks.exe
PID 932 wrote to memory of 4400	932	rundll32.exe	schtasks.exe
PID 932 wrote to memory of 4400	932	rundll32.exe	schtasks.exe
PID 932 wrote to memory of 4400	932	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\lapov.exe
"C:\Users\Admin\AppData\Local\Temp\lapov.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:932

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2776

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2968

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4400

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4868 -s 556
2⤵
- Program crash
PID:1592

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4868 -ip 4868
1⤵
PID:2680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1756

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\datamatrix.dll",QBAw
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3800

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.dll
Filesize
726KB

MD5
59f8d272fa79746daaea7b238ee10543

SHA1
dfd6df1e8b63e105c8d2f73da9baba04b4a44852

SHA256
bbaf6b074b66d7813fe599826fe57f07288de357a10d50f9b3edc147432fd389

SHA512
dc13849c6066aa73f68f30e2aa742cc3603962725c2fc21f0623bf92cfd08a2d5750cdb38b60ceeb962b1e4a3448ace508c650006aea533bdab01e8c8a1bba3f

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.dll
Filesize
726KB

MD5
59f8d272fa79746daaea7b238ee10543

SHA1
dfd6df1e8b63e105c8d2f73da9baba04b4a44852

SHA256
bbaf6b074b66d7813fe599826fe57f07288de357a10d50f9b3edc147432fd389

SHA512
dc13849c6066aa73f68f30e2aa742cc3603962725c2fc21f0623bf92cfd08a2d5750cdb38b60ceeb962b1e4a3448ace508c650006aea533bdab01e8c8a1bba3f

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.officemuiset.msi.16.en-us.xml
Filesize
1KB

MD5
576aefa0d5cef530c59ff90625d60e25

SHA1
19be51d3942120e5474e0711592718da525eaa20

SHA256
f5b39bd24efbf27831061a34d1a78cea8f0073bfccade786129495f17cf2f112

SHA512
0d342bb21bb9651c0c36831718d9009af790bf808a9f38ec1788a06428d08d1299f4e215bd08e4912acc25d0f41ae95f3118019aa2811e89f35453b0ef8b32bf

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\EventStore.db
Filesize
20KB

MD5
3aee4f856582f8548c3c910d1112c8ca

SHA1
f7a2af6e15359a0752d4a971a442008ae0f583ed

SHA256
61986768c35b97c771b1a9cf2df03055f2cf3099a0c9d11dd657b8ff615d4ccc

SHA512
0a80ce18344a09a59d42f615e51a27cbf51c081f2273611bcaad1c73681f8161e94175ecb06d3e16e1283f4a556e239b726013176898039c8160e77f72d8b235

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe.xml
Filesize
22KB

MD5
e0deca52ec488a29758550b78fa3b719

SHA1
188ae9939a0875f11a611ee7d8604c7a348bc0d2

SHA256
9337e81fdc5c57705e3c587ce9bf99bc176e127acd2539eb6a18c3a6c2b87816

SHA512
ce84157a418fa8b2d5b576da37796b323b8d2a5e8af6e9651c23ecfb1a32dc0f65872d2919f148c5deaed4acd5b4336767fd949fd98ab2aafbf36abaeca863f3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013BackupWin64.xml
Filesize
12KB

MD5
d24bea7d3b999f28e375d1d061a03d97

SHA1
95b207708762aa4752c77728128cbe3033646204

SHA256
57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2

SHA512
3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
04498daff3b5b06f4b3f0a7955b52ce1

SHA1
5e8e650e218257002855d44d7a69286d22f14bb1

SHA256
1c8b0a3b67f5a36a5441ca54ab4f54a6adb12e7b3ac9a0e6a10e10b524180f6a

SHA512
7dccbbc3e9a08c95d50cc645e79917986110cc12bab1550a937f6d7dc6cfa8240d491f1ce0599bc30733af032529af714bd3589d387e21cff9a3d216809953ee

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edbtmp.log
Filesize
64KB

MD5
99ad56a911a4564e192d9b4a7729a8c0

SHA1
0188a3305f09da158509628f89f216650ad20e2b

SHA256
41d270b5acaeaea09458f93148020b9f143a2ad186f8720c0a33d3ba7da7ee93

SHA512
54a816732d3215a9b0e1865f0265899901809d210c157d2599abf761409d42bf9b62459b177573df19070c877b70b05c9a485ac7041627e544bc616ebead6f7c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\ringtones.ico
Filesize
50KB

MD5
8b30e7cbd25f178baac418e9b507b61e

SHA1
73c93d967571bb88b1bdf33477e7a5f758fc18e9

SHA256
0afa2eb896ffe20c5244dd191be791231c8b5b71eff200e75a3150a8e3296f30

SHA512
6b0ff7ff67cbb4c8611696273ee16fc5d57b53ea7869e0c97686583d7875faa65f04d7678017628a11420000f8bb869f6dca5fcbefb53b1824443fa73544944d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\setup.ini
Filesize
214B

MD5
d8b2e1bfe12db863bdccdd49a5e1c8b5

SHA1
9c979907f03887b270d4e87b0cdd5377cff3692c

SHA256
00b5526d5cffb22eb22eb663fd3863c3f287c5bfc951f1d45cdd0cf0b25c2301

SHA512
3bf15a8620fa2269fb1fc7280bc203d62160f66d0cfcdc6422b0d33ab3745c6be864a8b51728f92b9e63ba3d7b1504ad8448996f14e866102369ea91b3ad7d41

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-194626ba46434f9ab441dd7ebda2aa64-5f64bebb-ac28-4cc7-bd52-570c8fe077c9-7717.json
Filesize
121B

MD5
6a54f657c1dbaa9695f572f9ee021921

SHA1
f0f8b933b907476b37c64032225db701c9e665e6

SHA256
296f68d7119893842d8b740edb3e0decf9d14eb5f0b62f806846251869cfa46d

SHA512
5cce6d3f2650201e8f70bfd5f61bc8904ea61a457dd8dde3b255dd52d484084e80d0e163823cceb7238449a5e6589be0b265815c95e49bc6589706ea0167eb54

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json
Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\wlidsvcconfig.xml
Filesize
13KB

MD5
54ce00c79c9e2a0326f56975194ac567

SHA1
e3399f728767145761a7415a765b9aa36538775f

SHA256
873cea12cd4b0d258868adc08b1a2db6f9d870c2ed84cabac2eaed07f3cbc7f0

SHA512
a4a08c627f85d30a37b5ed34b18f11d94aa4ecc9dfa7b7af0a971276a8ab441f8e0f118dd1b81f101d035ae7bb400505716325d60b7d4a52ae7429fade6be466

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\datamatrix.dll
Filesize
726KB

MD5
59f8d272fa79746daaea7b238ee10543

SHA1
dfd6df1e8b63e105c8d2f73da9baba04b4a44852

SHA256
bbaf6b074b66d7813fe599826fe57f07288de357a10d50f9b3edc147432fd389

SHA512
dc13849c6066aa73f68f30e2aa742cc3603962725c2fc21f0623bf92cfd08a2d5750cdb38b60ceeb962b1e4a3448ace508c650006aea533bdab01e8c8a1bba3f

Download Submit
memory/932-143-0x0000000004FF0000-0x0000000005130000-memory.dmp

Filesize
1.2MB

Download
memory/932-132-0x0000000000000000-mapping.dmp

Download
memory/932-139-0x00000000046D0000-0x0000000004DF5000-memory.dmp

Filesize
7.1MB

Download
memory/932-152-0x00000000046D0000-0x0000000004DF5000-memory.dmp

Filesize
7.1MB

Download
memory/932-149-0x0000000005069000-0x000000000506B000-memory.dmp

Filesize
8KB

Download
memory/932-138-0x00000000046D0000-0x0000000004DF5000-memory.dmp

Filesize
7.1MB

Download
memory/932-141-0x0000000004FF0000-0x0000000005130000-memory.dmp

Filesize
1.2MB

Download
memory/932-140-0x0000000004FF0000-0x0000000005130000-memory.dmp

Filesize
1.2MB

Download
memory/932-142-0x0000000004FF0000-0x0000000005130000-memory.dmp

Filesize
1.2MB

Download
memory/932-145-0x0000000004FF0000-0x0000000005130000-memory.dmp

Filesize
1.2MB

Download
memory/932-144-0x0000000004FF0000-0x0000000005130000-memory.dmp

Filesize
1.2MB

Download
memory/2248-156-0x0000000003880000-0x0000000003FA5000-memory.dmp

Filesize
7.1MB

Download
memory/2248-170-0x0000000003880000-0x0000000003FA5000-memory.dmp

Filesize
7.1MB

Download
memory/2248-175-0x0000000003880000-0x0000000003FA5000-memory.dmp

Filesize
7.1MB

Download
memory/2776-147-0x00000211E6D80000-0x00000211E6EC0000-memory.dmp

Filesize
1.2MB

Download
memory/2776-146-0x00007FF63B236890-mapping.dmp

Download
memory/2776-151-0x00000211E53B0000-0x00000211E55DA000-memory.dmp

Filesize
2.2MB

Download
memory/2776-148-0x00000211E6D80000-0x00000211E6EC0000-memory.dmp

Filesize
1.2MB

Download
memory/2776-150-0x0000000000010000-0x0000000000229000-memory.dmp

Filesize
2.1MB

Download
memory/2968-173-0x0000000000000000-mapping.dmp

Download
memory/3800-168-0x0000000000000000-mapping.dmp

Download
memory/3800-171-0x0000000004030000-0x0000000004755000-memory.dmp

Filesize
7.1MB

Download
memory/3800-172-0x0000000004030000-0x0000000004755000-memory.dmp

Filesize
7.1MB

Download
memory/4400-174-0x0000000000000000-mapping.dmp

Download
memory/4868-137-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4868-136-0x0000000002360000-0x0000000002475000-memory.dmp

Filesize
1.1MB

Download
memory/4868-135-0x0000000002259000-0x000000000232F000-memory.dmp

Filesize
856KB

Download