Overview

overview

10

Static

static

d75b501a09...ac.exe

windows7-x64

10

d75b501a09...ac.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 16:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe

  • Size

    311KB

  • MD5

    ff8b0ef6c574e5f6f1fa4c4eb75c637d

  • SHA1

    3263f6595d1329cea9348b34a9857a98998a33c6

  • SHA256

    d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac

  • SHA512

    9c2d049aaf278d86db69256dd312cf34d1d1b6dcabe964b93ab2a29b21f9045bceaaf809b46c92e6c4f5d5f27befda9692712fc23c4d45de2bef147c98708ff4

  • SSDEEP

    6144:zjB1L2OqdTTq9rZ0NCKg4bBYqH4rWlRjO1n:zPHqdTuduLlarW9u

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 24 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe
    "C:\Users\Admin\AppData\Local\Temp\d75b501a09398280bf6e9250ac56763182136b4980d86e43c93d0ad8fa9981ac.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:4460
  • C:\Users\Admin\AppData\Local\Temp\D650.exe
    C:\Users\Admin\AppData\Local\Temp\D650.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2236
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:216
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:404
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2236 -s 536
      2⤵
      • Program crash
      PID:1328
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2236 -ip 2236
    1⤵
      PID:3520
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1808
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:4412
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\ccme_base_non_fips.dll",nltDOVFERA==
            2⤵
              PID:5088

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll
            Filesize

            726KB

            MD5

            d51ee4fdb7d19c5a8be113e7e1f86206

            SHA1

            7d47659b826d5973468652a8f6e794552b47ccfe

            SHA256

            065abc98507852ff09e385c81f4dd36fcc9e504d91fb9978621603392c11cc4c

            SHA512

            8c4b380cb95b74b395ddfa5bf9cdcdcf44022bbd64a2345652397ff7d82fb37c4801a37f96128390665e17558ffccb2590421c1a4eba0f07fec37446b1921393

            Download Submit

          • C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll
            Filesize

            726KB

            MD5

            d51ee4fdb7d19c5a8be113e7e1f86206

            SHA1

            7d47659b826d5973468652a8f6e794552b47ccfe

            SHA256

            065abc98507852ff09e385c81f4dd36fcc9e504d91fb9978621603392c11cc4c

            SHA512

            8c4b380cb95b74b395ddfa5bf9cdcdcf44022bbd64a2345652397ff7d82fb37c4801a37f96128390665e17558ffccb2590421c1a4eba0f07fec37446b1921393

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml
            Filesize

            9KB

            MD5

            996f11041df0526341cebbbd40a98390

            SHA1

            37f652515ef8c662840086d743f7f68d327cce52

            SHA256

            bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e

            SHA512

            6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            959e74cf619d124843abfeb4908a0c46

            SHA1

            efc5662d72deb6acc94954bb1491e5dab1b97390

            SHA256

            82f8d5091a93b8cc19c85fe20a525f8062a0636ffb3427cdb72150fb91b71aa5

            SHA512

            01773cac05061fc075c85cf827604feb3de398e4a4591e2a3acadd1a5f6a3636833d184ef57b09d32f43645e9984da96cb23717837f1b6e969f3c45b30c26876

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
            Filesize

            2.3MB

            MD5

            959e74cf619d124843abfeb4908a0c46

            SHA1

            efc5662d72deb6acc94954bb1491e5dab1b97390

            SHA256

            82f8d5091a93b8cc19c85fe20a525f8062a0636ffb3427cdb72150fb91b71aa5

            SHA512

            01773cac05061fc075c85cf827604feb3de398e4a4591e2a3acadd1a5f6a3636833d184ef57b09d32f43645e9984da96cb23717837f1b6e969f3c45b30c26876

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\background.png
            Filesize

            126KB

            MD5

            9adaf3a844ce0ce36bfed07fa2d7ef66

            SHA1

            3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

            SHA256

            d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

            SHA512

            e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\folder.ico
            Filesize

            52KB

            MD5

            bbf9dbdc079c0cd95f78d728aa3912d4

            SHA1

            051f76cc8c6520768bac9559bb329abeebd70d7c

            SHA256

            bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2

            SHA512

            af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-4bb4d6f7cafc4e9292f972dca2dcde42-bd019ee8-e59c-4b0f-a02c-84e72157a3ef-7485.json
            Filesize

            121B

            MD5

            289935a24fcaf93d1d41b4842414bdb0

            SHA1

            5e83951c0aeaefa25b0f918e9b3ceddb7d23d949

            SHA256

            12493caa467a364b7cc88d930fb41372ae8960605b12547f0283577b1564c58c

            SHA512

            e8dfa0c926def3a80aef8ace3edd8da408cf3e286a3bd5769db29c0d99be7febf166131b750898f48aa6932de6b4b8598f076b90aa9666696de9d7cc29063aa8

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.cert.json
            Filesize

            2KB

            MD5

            635a39ff9f822dcfd1fb3c22e6ffeb45

            SHA1

            148a7e0a56504cae9219d0ed0f9aa8fb0ce7f7ca

            SHA256

            dc9c38e035984439878ac48131835b0ad4d113c9bdfe6ce62f23c069a04edbcd

            SHA512

            f246594c76d4740fab3552b0c738ea5dea75d6f81a4ca956c524ca0d09a4d1e71060d11447ac8de2810364828660ee328211ba727231172b30e636d84cd3747e

            Download Submit

          • C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\watermark.png
            Filesize

            28KB

            MD5

            1f93b502e78190a2f496c2d9558e069d

            SHA1

            6ae6249493d36682270c0d5e3eb3c472fdd2766e

            SHA256

            5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

            SHA512

            cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D650.exe
            Filesize

            1.1MB

            MD5

            8f4070594e2008388c46be164a59d9ae

            SHA1

            bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

            SHA256

            37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

            SHA512

            2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D650.exe
            Filesize

            1.1MB

            MD5

            8f4070594e2008388c46be164a59d9ae

            SHA1

            bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

            SHA256

            37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

            SHA512

            2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
            Filesize

            726KB

            MD5

            6ea8a6cc5fed6c664df1b3ef7c56b55d

            SHA1

            6b244d708706441095ae97294928967ddf28432b

            SHA256

            2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

            SHA512

            4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

            Download Submit

          • \??\c:\program files (x86)\windowspowershell\modules\ccme_base_non_fips.dll
            Filesize

            726KB

            MD5

            d51ee4fdb7d19c5a8be113e7e1f86206

            SHA1

            7d47659b826d5973468652a8f6e794552b47ccfe

            SHA256

            065abc98507852ff09e385c81f4dd36fcc9e504d91fb9978621603392c11cc4c

            SHA512

            8c4b380cb95b74b395ddfa5bf9cdcdcf44022bbd64a2345652397ff7d82fb37c4801a37f96128390665e17558ffccb2590421c1a4eba0f07fec37446b1921393

            Download Submit

          • memory/216-152-0x00000000043A0000-0x00000000044E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/216-155-0x0000000004419000-0x000000000441B000-memory.dmp

            Filesize

            8KB

            Download

          • memory/216-149-0x00000000043A0000-0x00000000044E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/216-150-0x00000000043A0000-0x00000000044E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/216-151-0x00000000043A0000-0x00000000044E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/216-139-0x0000000000000000-mapping.dmp

            Download

          • memory/216-146-0x0000000005230000-0x0000000005955000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/216-148-0x00000000043A0000-0x00000000044E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/216-145-0x0000000005230000-0x0000000005955000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/216-147-0x00000000043A0000-0x00000000044E0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/216-160-0x0000000005230000-0x0000000005955000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/404-154-0x000001C4CB570000-0x000001C4CB6B0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/404-159-0x000001C4C9BA0000-0x000001C4C9DCA000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/404-158-0x000001C4C9BA0000-0x000001C4C9DCA000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/404-157-0x0000000000830000-0x0000000000A49000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/404-156-0x000001C4CB570000-0x000001C4CB6B0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/404-153-0x00007FF6A0756890-mapping.dmp

            Download

          • memory/2236-142-0x000000000208F000-0x0000000002165000-memory.dmp

            Filesize

            856KB

            Download

          • memory/2236-144-0x0000000000400000-0x0000000000517000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2236-143-0x0000000002270000-0x0000000002385000-memory.dmp

            Filesize

            1.1MB

            Download

          • memory/2236-136-0x0000000000000000-mapping.dmp

            Download

          • memory/4412-164-0x00000000034E0000-0x0000000003C05000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4412-174-0x00000000034E0000-0x0000000003C05000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4460-132-0x0000000000638000-0x000000000064E000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4460-135-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/4460-134-0x0000000000400000-0x0000000000453000-memory.dmp

            Filesize

            332KB

            Download

          • memory/4460-133-0x00000000005F0000-0x00000000005F9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/5088-172-0x0000000000000000-mapping.dmp

            Download