danabot | 2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe
Size

302KB
MD5

7539f39bcce65161807dc9de5614107c
SHA1

d4db1f71c00c27fa5db4a174d1d96aa80b1df351
SHA256

2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11
SHA512

a85a65cc8d889c08a2e2a5f5fef27fe11ed70decfe9b2abc448d4d9708de4ad110f7a0ee92655a8170547ff16e95db2ab03061e1721996ab8682b7234b51004f
SSDEEP

6144:eLY0T34t9psWMChy1z+3ng+E49HwchLP3i:eU0TGBMChydwnVZH9P3

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2052-133-0x0000000002180000-0x0000000002189000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

57 1528 rundll32.exe
74 1528 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

EB30.exe

pid process

208 EB30.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1528 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1528 set thread context of 3604 1528 rundll32.exe rundll32.exe

flow	pid	process
57	1528	rundll32.exe
74	1528	rundll32.exe

pid	process
208	EB30.exe

pid	process
1528	rundll32.exe

description	pid	process	target process
PID 1528 set thread context of 3604	1528	rundll32.exe	rundll32.exe

Drops file in Program Files directory 40 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\index.html	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pmd.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\icudtl.dat	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reader_sl.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXE8SharedExpat.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\StorageConnectors.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\server_lg.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\index.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroRd32Info.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ADelRCP.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4176 208 WerFault.exe EB30.exe

pid	pid_target	process	target process
4176	208	WerFault.exe	EB30.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093550b8a100054656d7000003a0009000400efbe6b557d6c9355108a2e0000000000000000000000000000000000000000000000000085d57800540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2528

pid	process
2528

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe

pid	process
2052	2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe
2052	2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528
2528

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2528
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe

pid process

2052 2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe

pid	process
2528

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528
Token: SeShutdownPrivilege	2528
Token: SeCreatePagefilePrivilege	2528

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3604 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2528
2528

pid	process
3604	rundll32.exe

pid	process
2528
2528

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

EB30.exerundll32.exe

description	pid	process	target process
PID 2528 wrote to memory of 208	2528		EB30.exe
PID 2528 wrote to memory of 208	2528		EB30.exe
PID 2528 wrote to memory of 208	2528		EB30.exe
PID 208 wrote to memory of 1528	208	EB30.exe	rundll32.exe
PID 208 wrote to memory of 1528	208	EB30.exe	rundll32.exe
PID 208 wrote to memory of 1528	208	EB30.exe	rundll32.exe
PID 1528 wrote to memory of 3604	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 3604	1528	rundll32.exe	rundll32.exe
PID 1528 wrote to memory of 3604	1528	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe
"C:\Users\Admin\AppData\Local\Temp\2dcbf09da73ae7dba603b58e868ee859ecf52009fe642aa6694914e27e2b6b11.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2052

C:\Users\Admin\AppData\Local\Temp\EB30.exe
C:\Users\Admin\AppData\Local\Temp\EB30.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:208

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1528

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 208 -s 528
2⤵
- Program crash
PID:4176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 208 -ip 208
1⤵
PID:1508

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2968

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4924

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\ccme_base_non_fips.dll",Yys4NTU=
2⤵
PID:4784

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll

Filesize
726KB

MD5
93ca3df769e27647a4ba4a502b4d5a95

SHA1
fdc8e4f74055a7fae1f5bb6aec6897284b805825

SHA256
a294e47668ed1400e59d9e94795eae6807406dc790530ec7bb724af980877ee9

SHA512
5d39fba36ab2304719f498c1df2bbd1b98b12e29c476ce20ab0450722688ebfd824e224e3d8130dc73bc870a50590a9518cc899476810558a37c60d220ba0255

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll

Filesize
726KB

MD5
93ca3df769e27647a4ba4a502b4d5a95

SHA1
fdc8e4f74055a7fae1f5bb6aec6897284b805825

SHA256
a294e47668ed1400e59d9e94795eae6807406dc790530ec7bb724af980877ee9

SHA512
5d39fba36ab2304719f498c1df2bbd1b98b12e29c476ce20ab0450722688ebfd824e224e3d8130dc73bc870a50590a9518cc899476810558a37c60d220ba0255

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml

Filesize
2KB

MD5
d2d725a3c34b3597b164a038ec06085a

SHA1
52eb2334afeccafd46b205de0d2c7306cb7b7c8d

SHA256
01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00

SHA512
6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
855B

MD5
dae188e1f4d8d97d8d65164eb0dda551

SHA1
78b54e226446825c56d15a19a3ed4b587a8842a2

SHA256
5bae5febdf75a2fe0b73791d603c7c9ac5de0d00dffc909b5dbc86bcd6dd15f2

SHA512
941d94c42572abcb937258e99a5d1b520c9f85ce741e81e81e7a299287ae9e8fb763fdc70b661a812c780f4b6997b84c8147791ac56f1510a87966c68ab23b22

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Win64.xml

Filesize
66KB

MD5
c08e2d9084398ad29bb453183bb2155d

SHA1
285b0d897ff73444a74bf9e253d30f7cb1f4f2be

SHA256
9ddc306cee7a71d98fe59c39ce5fb74cc7e36c54a55cc46f2e8136c12e890418

SHA512
d032acce3071bb26d688aa4a816d09b6852c3ccb179f66a0001038b94f556a4b04401e02a4dc3b8eb7f4c4aa0fb74aa009a5db786972c56cb08d5dbeeaefad83

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
efa3848840899319a99e7aa83bfd10f5

SHA1
71ccdea499edcd939041a22b1d2ef8d3df787794

SHA256
bce64a34d7d785c77c43e29a1859c320e17516a94266ac7e0e210ca783aaa0dd

SHA512
2c475614c8d5bb0a5515e62a98a73ad14202446aa4d5b770d249785e8f0790e3c8d900bab7edd3fe488070f485ac35c4b2b1e893fbdf4505e974d57a29265be1

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\abcpy.ini

Filesize
608B

MD5
818d3a4899c5596d8d8da00a87e6d8bb

SHA1
4e0e04f5ca5d81661702877852fd9d059722762f

SHA256
9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d

SHA512
1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edbtmp.log

Filesize
64KB

MD5
a837784c7c1026936fcd1705045afda4

SHA1
067b38e0467bfe15497ce925f99f1a656a06cc66

SHA256
2edf25e7126f6e23ad22ed858db278cc1f773d87f3989ea83305bd77d4639791

SHA512
86a0a4ac85ecbbacde8c26cbd6631eb734ee4a7f3b4f4258d80c7ed4f7316fad3d69f3969440d808e61147e1bbbebd1e3bee49b25c57a534c4e47129e8ae5569

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-Eco3PTelDefault.json

Filesize
57B

MD5
b658c06c14ff523bce634e14236c9441

SHA1
aa15105fc5cbee478303c5a1d8814a88197573be

SHA256
29633ff726d1c72f895545fd97d546035e7045a046b3d2888ff0950e67b8eb82

SHA512
3326a97db218aa09814e80317c1150f8a6808e8b6aab07af27c8126688b30964cc85936940d310c1d4d6190c49eaa01ee51d598775ec8c156676bbfd53f8f4cc

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.cert.json

Filesize
2KB

MD5
635a39ff9f822dcfd1fb3c22e6ffeb45

SHA1
148a7e0a56504cae9219d0ed0f9aa8fb0ce7f7ca

SHA256
dc9c38e035984439878ac48131835b0ad4d113c9bdfe6ce62f23c069a04edbcd

SHA512
f246594c76d4740fab3552b0c738ea5dea75d6f81a4ca956c524ca0d09a4d1e71060d11447ac8de2810364828660ee328211ba727231172b30e636d84cd3747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB30.exe

Filesize
1.1MB

MD5
8f4070594e2008388c46be164a59d9ae

SHA1
bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

SHA256
37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

SHA512
2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB30.exe

Filesize
1.1MB

MD5
8f4070594e2008388c46be164a59d9ae

SHA1
bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

SHA256
37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

SHA512
2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\ccme_base_non_fips.dll

Filesize
726KB

MD5
93ca3df769e27647a4ba4a502b4d5a95

SHA1
fdc8e4f74055a7fae1f5bb6aec6897284b805825

SHA256
a294e47668ed1400e59d9e94795eae6807406dc790530ec7bb724af980877ee9

SHA512
5d39fba36ab2304719f498c1df2bbd1b98b12e29c476ce20ab0450722688ebfd824e224e3d8130dc73bc870a50590a9518cc899476810558a37c60d220ba0255

Download Submit
memory/208-143-0x0000000002240000-0x0000000002355000-memory.dmp

Filesize
1.1MB

Download
memory/208-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/208-136-0x0000000000000000-mapping.dmp

Download
memory/208-142-0x000000000205D000-0x0000000002133000-memory.dmp

Filesize
856KB

Download
memory/1528-139-0x0000000000000000-mapping.dmp

Download
memory/1528-146-0x0000000005390000-0x0000000005AB5000-memory.dmp

Filesize
7.1MB

Download
memory/1528-151-0x0000000004500000-0x0000000004640000-memory.dmp

Filesize
1.2MB

Download
memory/1528-153-0x0000000004500000-0x0000000004640000-memory.dmp

Filesize
1.2MB

Download
memory/1528-150-0x0000000004500000-0x0000000004640000-memory.dmp

Filesize
1.2MB

Download
memory/1528-148-0x0000000004500000-0x0000000004640000-memory.dmp

Filesize
1.2MB

Download
memory/1528-149-0x0000000004500000-0x0000000004640000-memory.dmp

Filesize
1.2MB

Download
memory/1528-152-0x0000000004579000-0x000000000457B000-memory.dmp

Filesize
8KB

Download
memory/1528-159-0x0000000005390000-0x0000000005AB5000-memory.dmp

Filesize
7.1MB

Download
memory/1528-147-0x0000000004500000-0x0000000004640000-memory.dmp

Filesize
1.2MB

Download
memory/1528-145-0x0000000005390000-0x0000000005AB5000-memory.dmp

Filesize
7.1MB

Download
memory/2052-132-0x00000000005F8000-0x000000000060E000-memory.dmp

Filesize
88KB

Download
memory/2052-135-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-134-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2052-133-0x0000000002180000-0x0000000002189000-memory.dmp

Filesize
36KB

Download
memory/3604-158-0x00000243D9E80000-0x00000243DA0AA000-memory.dmp

Filesize
2.2MB

Download
memory/3604-157-0x0000000000A40000-0x0000000000C59000-memory.dmp

Filesize
2.1MB

Download
memory/3604-155-0x00000243D9D00000-0x00000243D9E40000-memory.dmp

Filesize
1.2MB

Download
memory/3604-156-0x00000243D9D00000-0x00000243D9E40000-memory.dmp

Filesize
1.2MB

Download
memory/3604-154-0x00007FF79F356890-mapping.dmp

Download
memory/4784-172-0x0000000000000000-mapping.dmp

Download
memory/4784-174-0x0000000003F50000-0x0000000004675000-memory.dmp

Filesize
7.1MB

Download
memory/4784-175-0x0000000003F50000-0x0000000004675000-memory.dmp

Filesize
7.1MB

Download
memory/4924-164-0x0000000003680000-0x0000000003DA5000-memory.dmp

Filesize
7.1MB

Download
memory/4924-163-0x0000000003680000-0x0000000003DA5000-memory.dmp

Filesize
7.1MB

Download