Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
19-12-2022 16:20
General
-
Target
d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
-
Size
311KB
-
MD5
ff8b0ef6c574e5f6f1fa4c4eb75c637d
-
SHA1
3263f6595d1329cea9348b34a9857a98998a33c6
-
SHA256
d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac
-
SHA512
9c2d049aaf278d86db69256dd312cf34d1d1b6dcabe964b93ab2a29b21f9045bceaaf809b46c92e6c4f5d5f27befda9692712fc23c4d45de2bef147c98708ff4
-
SSDEEP
6144:zjB1L2OqdTTq9rZ0NCKg4bBYqH4rWlRjO1n:zPHqdTuduLlarW9u
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 2 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 24 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 18 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe"C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\D650.exeC:\Users\Admin\AppData\Local\Temp\D650.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 239933⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 5362⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2236 -ip 22361⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\ccme_base_non_fips.dll",nltDOVFERA==2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dllFilesize
726KB
MD5d51ee4fdb7d19c5a8be113e7e1f86206
SHA17d47659b826d5973468652a8f6e794552b47ccfe
SHA256065abc98507852ff09e385c81f4dd36fcc9e504d91fb9978621603392c11cc4c
SHA5128c4b380cb95b74b395ddfa5bf9cdcdcf44022bbd64a2345652397ff7d82fb37c4801a37f96128390665e17558ffccb2590421c1a4eba0f07fec37446b1921393
-
C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dllFilesize
726KB
MD5d51ee4fdb7d19c5a8be113e7e1f86206
SHA17d47659b826d5973468652a8f6e794552b47ccfe
SHA256065abc98507852ff09e385c81f4dd36fcc9e504d91fb9978621603392c11cc4c
SHA5128c4b380cb95b74b395ddfa5bf9cdcdcf44022bbd64a2345652397ff7d82fb37c4801a37f96128390665e17558ffccb2590421c1a4eba0f07fec37446b1921393
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xmlFilesize
9KB
MD5996f11041df0526341cebbbd40a98390
SHA137f652515ef8c662840086d743f7f68d327cce52
SHA256bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e
SHA5126cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmpFilesize
2.3MB
MD5959e74cf619d124843abfeb4908a0c46
SHA1efc5662d72deb6acc94954bb1491e5dab1b97390
SHA25682f8d5091a93b8cc19c85fe20a525f8062a0636ffb3427cdb72150fb91b71aa5
SHA51201773cac05061fc075c85cf827604feb3de398e4a4591e2a3acadd1a5f6a3636833d184ef57b09d32f43645e9984da96cb23717837f1b6e969f3c45b30c26876
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmpFilesize
2.3MB
MD5959e74cf619d124843abfeb4908a0c46
SHA1efc5662d72deb6acc94954bb1491e5dab1b97390
SHA25682f8d5091a93b8cc19c85fe20a525f8062a0636ffb3427cdb72150fb91b71aa5
SHA51201773cac05061fc075c85cf827604feb3de398e4a4591e2a3acadd1a5f6a3636833d184ef57b09d32f43645e9984da96cb23717837f1b6e969f3c45b30c26876
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\background.pngFilesize
126KB
MD59adaf3a844ce0ce36bfed07fa2d7ef66
SHA13a804355d5062a6d2ed9653d66e9e4aebaf90bc0
SHA256d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698
SHA512e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\folder.icoFilesize
52KB
MD5bbf9dbdc079c0cd95f78d728aa3912d4
SHA1051f76cc8c6520768bac9559bb329abeebd70d7c
SHA256bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2
SHA512af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.jsonFilesize
121B
MD5289935a24fcaf93d1d41b4842414bdb0
SHA15e83951c0aeaefa25b0f918e9b3ceddb7d23d949
SHA25612493caa467a364b7cc88d930fb41372ae8960605b12547f0283577b1564c58c
SHA512e8dfa0c926def3a80aef8ace3edd8da408cf3e286a3bd5769db29c0d99be7febf166131b750898f48aa6932de6b4b8598f076b90aa9666696de9d7cc29063aa8
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.cert.jsonFilesize
2KB
MD5635a39ff9f822dcfd1fb3c22e6ffeb45
SHA1148a7e0a56504cae9219d0ed0f9aa8fb0ce7f7ca
SHA256dc9c38e035984439878ac48131835b0ad4d113c9bdfe6ce62f23c069a04edbcd
SHA512f246594c76d4740fab3552b0c738ea5dea75d6f81a4ca956c524ca0d09a4d1e71060d11447ac8de2810364828660ee328211ba727231172b30e636d84cd3747e
-
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\watermark.pngFilesize
28KB
MD51f93b502e78190a2f496c2d9558e069d
SHA16ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA2565c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3
-
C:\Users\Admin\AppData\Local\Temp\D650.exeFilesize
1.1MB
MD58f4070594e2008388c46be164a59d9ae
SHA1bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69
SHA25637b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34
SHA5122897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8
-
C:\Users\Admin\AppData\Local\Temp\D650.exeFilesize
1.1MB
MD58f4070594e2008388c46be164a59d9ae
SHA1bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69
SHA25637b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34
SHA5122897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmpFilesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmpFilesize
726KB
MD56ea8a6cc5fed6c664df1b3ef7c56b55d
SHA16b244d708706441095ae97294928967ddf28432b
SHA2562c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe
SHA5124a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741
-
\??\c:\program files (x86)\windowspowershell\modules\ccme_base_non_fips.dllFilesize
726KB
MD5d51ee4fdb7d19c5a8be113e7e1f86206
SHA17d47659b826d5973468652a8f6e794552b47ccfe
SHA256065abc98507852ff09e385c81f4dd36fcc9e504d91fb9978621603392c11cc4c
SHA5128c4b380cb95b74b395ddfa5bf9cdcdcf44022bbd64a2345652397ff7d82fb37c4801a37f96128390665e17558ffccb2590421c1a4eba0f07fec37446b1921393
-
memory/216-152-0x00000000043A0000-0x00000000044E0000-memory.dmpFilesize
1.2MB
-
memory/216-155-0x0000000004419000-0x000000000441B000-memory.dmpFilesize
8KB
-
memory/216-149-0x00000000043A0000-0x00000000044E0000-memory.dmpFilesize
1.2MB
-
memory/216-150-0x00000000043A0000-0x00000000044E0000-memory.dmpFilesize
1.2MB
-
memory/216-151-0x00000000043A0000-0x00000000044E0000-memory.dmpFilesize
1.2MB
-
memory/216-139-0x0000000000000000-mapping.dmp
-
memory/216-146-0x0000000005230000-0x0000000005955000-memory.dmpFilesize
7.1MB
-
memory/216-148-0x00000000043A0000-0x00000000044E0000-memory.dmpFilesize
1.2MB
-
memory/216-145-0x0000000005230000-0x0000000005955000-memory.dmpFilesize
7.1MB
-
memory/216-147-0x00000000043A0000-0x00000000044E0000-memory.dmpFilesize
1.2MB
-
memory/216-160-0x0000000005230000-0x0000000005955000-memory.dmpFilesize
7.1MB
-
memory/404-154-0x000001C4CB570000-0x000001C4CB6B0000-memory.dmpFilesize
1.2MB
-
memory/404-159-0x000001C4C9BA0000-0x000001C4C9DCA000-memory.dmpFilesize
2.2MB
-
memory/404-158-0x000001C4C9BA0000-0x000001C4C9DCA000-memory.dmpFilesize
2.2MB
-
memory/404-157-0x0000000000830000-0x0000000000A49000-memory.dmpFilesize
2.1MB
-
memory/404-156-0x000001C4CB570000-0x000001C4CB6B0000-memory.dmpFilesize
1.2MB
-
memory/404-153-0x00007FF6A0756890-mapping.dmp
-
memory/2236-142-0x000000000208F000-0x0000000002165000-memory.dmpFilesize
856KB
-
memory/2236-144-0x0000000000400000-0x0000000000517000-memory.dmpFilesize
1.1MB
-
memory/2236-143-0x0000000002270000-0x0000000002385000-memory.dmpFilesize
1.1MB
-
memory/2236-136-0x0000000000000000-mapping.dmp
-
memory/4412-164-0x00000000034E0000-0x0000000003C05000-memory.dmpFilesize
7.1MB
-
memory/4412-174-0x00000000034E0000-0x0000000003C05000-memory.dmpFilesize
7.1MB
-
memory/4460-132-0x0000000000638000-0x000000000064E000-memory.dmpFilesize
88KB
-
memory/4460-135-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/4460-134-0x0000000000400000-0x0000000000453000-memory.dmpFilesize
332KB
-
memory/4460-133-0x00000000005F0000-0x00000000005F9000-memory.dmpFilesize
36KB
-
memory/5088-172-0x0000000000000000-mapping.dmp
