Overview

overview

10

Static

static

a1a43bced8...fc.exe

windows7-x64

10

a1a43bced8...fc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 16:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe

  • Size

    311KB

  • MD5

    382f445fa18126435bbd631d6720bf88

  • SHA1

    4d714a4c71e87dddaea89f8ada74f9feb2e83a6d

  • SHA256

    a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc

  • SHA512

    abf5c104c74aa27f3dab57971820d97a9c25f765e20e273433dafaa1b4a447cd4f781b1f47a6af8c0350c29cf05fe918b807b2d410ae3b500fe2d2876169f978

  • SSDEEP

    6144:k9R3L2Hj5hkGIFcPlS9LP/M1FxPH4rWlRjO1n:kL8j5hkGIF0s9LXmxArW9u

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 23 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 16 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe
    "C:\Users\Admin\AppData\Local\Temp\a1a43bced8befc305406d985748df07d8ee0cfeb1d76a271ec4f5499ea6423fc.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4280
  • C:\Users\Admin\AppData\Local\Temp\C4EB.exe
    C:\Users\Admin\AppData\Local\Temp\C4EB.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1420
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1420 -s 528
      2⤵
      • Program crash
      PID:4752
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1420 -ip 1420
    1⤵
      PID:4104
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2308
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:2820
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\main-cef-win8.dll",UR8yM0tqUDhV
            2⤵
              PID:4492

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.dll
            Filesize

            726KB

            MD5

            122ba5fd203480d74ed14e5c8e71a2c2

            SHA1

            8bf22d4f877b787443b03be41e3d3c49d4673188

            SHA256

            9f0a3b3f82c9fbd0809ee68096724a43660bd2bd90427aafaadac77b4ae4344e

            SHA512

            04281f4e56d29010572dce854a09bbe2ce24b050a15318d7505cd9bea68ec1e6f1a8e815b61c8f3e60f08b2a457659f6faa7f59f72b773404c362451689a1896

            Download Submit
          • C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.dll
            Filesize

            726KB

            MD5

            122ba5fd203480d74ed14e5c8e71a2c2

            SHA1

            8bf22d4f877b787443b03be41e3d3c49d4673188

            SHA256

            9f0a3b3f82c9fbd0809ee68096724a43660bd2bd90427aafaadac77b4ae4344e

            SHA512

            04281f4e56d29010572dce854a09bbe2ce24b050a15318d7505cd9bea68ec1e6f1a8e815b61c8f3e60f08b2a457659f6faa7f59f72b773404c362451689a1896

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.OSMUX.OSMUX.x-none.msi.16.x-none.xml
            Filesize

            2KB

            MD5

            e52262399745fe981a7fba69c55f09dc

            SHA1

            795a06836db2ead992013b55d2d5a87420be43e7

            SHA256

            838e2cd11573dfcbb74c47621b30c5a7b62b2a063a41282a8e117b7b8fd5ebbc

            SHA512

            4b146141538edc8428d0bb0c8f314e3cc2f87e9888a82471f5c870a0779655944f8cfc34f5bc7bb2769d08d3ef3bac2cdf4f428d970bc1b480bce722a3b0291e

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml
            Filesize

            30KB

            MD5

            98de295b21abe2451f86b82df3be269a

            SHA1

            1665a23d307748e8c1c0164ba7939275f9fb676c

            SHA256

            fd3507cd60edf41093c8fe843d1601e33db9cbe1cd36247cec587c265109bcfa

            SHA512

            230ae283c81771496dcae9ef84787379712106738ea82754b101af9047ae27cadb8b1f4aed00d146a699c22fd1c505c31068418a70d2b535c85c3017726d91cc

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmuxmui.msi.16.en-us.xml
            Filesize

            10KB

            MD5

            220ae72aa2505c9276da2056b7e34936

            SHA1

            6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

            SHA256

            afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

            SHA512

            cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiST0000.001
            Filesize

            64KB

            MD5

            f2896182a74e8e8402e890172c9e90ae

            SHA1

            2929cd1f29ca5805406c001ce61209db8977470f

            SHA256

            0ff9f58a1277b6e92cb5f2c016f92f0ace2b750367434bc5b5119589f6de8580

            SHA512

            dc27bb76da9dcad0c38ce33e11ae045c7da131a112e9b17e6e0606c4daac150813cfea4eed537c84d9eeeabdca40c5eadb46a0f73b9076f29f5c52d1af6988e0

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013BackupWin32.xml
            Filesize

            12KB

            MD5

            879dbf8cded6ac59df3fb0f32aa9eec6

            SHA1

            844be6baee27e23e5821491fc9532269b1143142

            SHA256

            3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687

            SHA512

            2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013BackupWin64.xml
            Filesize

            12KB

            MD5

            d24bea7d3b999f28e375d1d061a03d97

            SHA1

            95b207708762aa4752c77728128cbe3033646204

            SHA256

            57184b71b7d7525fbd75b1dda77bd26a5344b5cbd58ec5070fa5e1b4e073aef2

            SHA512

            3d3f06cd59a5bf8e9284ed1972a373ac1c63b0cba997d9559834db748ec41a90e42650d0ba05bf351456c2de12970f79d2d34f7a6c6445d2e55812682a5b406e

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            0654caeff6e8dbdec20e661aed5d146d

            SHA1

            3f3f148e990d8e24e158c56907bc614886cc3d0f

            SHA256

            a4dc816c9f4f5ceaa2bd1bef92644decaefd4332c405d9cbe768993f97353cbb

            SHA512

            f0a05b91dc72f711e73ecb28e3b562061095134fb3f27a63ae1e90a75ab9fabbf19e91c83458a613a5144e2fa9d8d57af08d47b38fec6a52ca29848247208147

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SmsInterceptStore.jfm
            Filesize

            16KB

            MD5

            25367ac011cf6be75ac0f88835d008a3

            SHA1

            14c631e08ac81359ea4a05bab4409a9fda1a9579

            SHA256

            765c7f04ae4c6b8ff1d644fd3c3b00a046f4e9cdfe3516ac568316a17f93cff2

            SHA512

            27ec56a47e7338532c000282fd494ccf6311f16a547b96524c5aa9aa8a96cc825c1b5204deff08cbfe414e8ed4a5daf9c255a4f3762d0d465691a21a7061d796

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edb.jcp
            Filesize

            8KB

            MD5

            2367dfc292b40e5d0a9fe8eda3ccf108

            SHA1

            79d410f12bd34d9546fbcacb3d796d1f33286ce3

            SHA256

            c5b73b03e8764d923248910bdfb27f28e84fe16973e4d2492dedae01ee921552

            SHA512

            977ad803262d100a944e789f2dcad9fa1b038808efc39980bf1b56fbc854bfd7e59b97c36c918032057bcfc267751e056b98148c8b91c5fd0fd31ac38ba6ec3e

            Download Submit
          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\scan_property.ico
            Filesize

            65KB

            MD5

            a348f66a6427a599596849f4256a5b8d

            SHA1

            1edc7072a3cdaaa191065ce17855e6a596cfe6de

            SHA256

            7e2789e022e43c931114d6a712e0ddeaa925975e08a77e3c403cd705c3b819e8

            SHA512

            2a564e12977ab9fc745563626e53eb882d0d3ed2c1c70eda231a9630066fb4d43a85ab919678faaf8e19252e2b93da1f2e43aad0768e46b9ec5587dadb26ea24

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\C4EB.exe
            Filesize

            1.1MB

            MD5

            8f4070594e2008388c46be164a59d9ae

            SHA1

            bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

            SHA256

            37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

            SHA512

            2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\C4EB.exe
            Filesize

            1.1MB

            MD5

            8f4070594e2008388c46be164a59d9ae

            SHA1

            bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

            SHA256

            37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

            SHA512

            2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit
          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit
          • \??\c:\program files (x86)\windowspowershell\modules\main-cef-win8.dll
            Filesize

            726KB

            MD5

            122ba5fd203480d74ed14e5c8e71a2c2

            SHA1

            8bf22d4f877b787443b03be41e3d3c49d4673188

            SHA256

            9f0a3b3f82c9fbd0809ee68096724a43660bd2bd90427aafaadac77b4ae4344e

            SHA512

            04281f4e56d29010572dce854a09bbe2ce24b050a15318d7505cd9bea68ec1e6f1a8e815b61c8f3e60f08b2a457659f6faa7f59f72b773404c362451689a1896

            Download Submit
          • memory/1420-143-0x00000000022E0000-0x00000000023F5000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/1420-136-0x0000000000000000-mapping.dmp
            Download
          • memory/1420-142-0x0000000001FF3000-0x00000000020C9000-memory.dmp
            Filesize

            856KB

            Download
          • memory/1420-144-0x0000000000400000-0x0000000000517000-memory.dmp
            Filesize

            1.1MB

            Download
          • memory/2820-163-0x0000000003910000-0x0000000004035000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/2820-176-0x0000000003910000-0x0000000004035000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/3404-153-0x00007FF6A4346890-mapping.dmp
            Download
          • memory/3404-154-0x00000267090B0000-0x00000267091F0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/3404-155-0x00000267090B0000-0x00000267091F0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/3404-157-0x0000000000E00000-0x0000000001019000-memory.dmp
            Filesize

            2.1MB

            Download
          • memory/3404-158-0x0000026709230000-0x000002670945A000-memory.dmp
            Filesize

            2.2MB

            Download
          • memory/4280-135-0x0000000000400000-0x0000000000453000-memory.dmp
            Filesize

            332KB

            Download
          • memory/4280-132-0x00000000006C8000-0x00000000006DE000-memory.dmp
            Filesize

            88KB

            Download
          • memory/4280-133-0x0000000002190000-0x0000000002199000-memory.dmp
            Filesize

            36KB

            Download
          • memory/4280-134-0x0000000000400000-0x0000000000453000-memory.dmp
            Filesize

            332KB

            Download
          • memory/4492-177-0x0000000003ED0000-0x00000000045F5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4492-175-0x0000000003ED0000-0x00000000045F5000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4492-173-0x0000000000000000-mapping.dmp
            Download
          • memory/4868-145-0x0000000004C50000-0x0000000005375000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4868-156-0x00000000055E9000-0x00000000055EB000-memory.dmp
            Filesize

            8KB

            Download
          • memory/4868-139-0x0000000000000000-mapping.dmp
            Download
          • memory/4868-152-0x0000000005570000-0x00000000056B0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4868-150-0x0000000005570000-0x00000000056B0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4868-159-0x0000000004C50000-0x0000000005375000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4868-147-0x0000000005570000-0x00000000056B0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4868-146-0x0000000004C50000-0x0000000005375000-memory.dmp
            Filesize

            7.1MB

            Download
          • memory/4868-149-0x0000000005570000-0x00000000056B0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4868-148-0x0000000005570000-0x00000000056B0000-memory.dmp
            Filesize

            1.2MB

            Download
          • memory/4868-151-0x0000000005570000-0x00000000056B0000-memory.dmp
            Filesize

            1.2MB

            Download