danabot | ff877b5f0373267f1b02e1f897161c1ff8b700eb51af62258256e94f22210cf9

Analysis

max time kernel
124s
max time network
152s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-12-2022 17:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe
Size

1.1MB
MD5

c9234f802b4fb9bcf16237d438fa86e6
SHA1

81b2eb0d8d06c0006929a3e0ebdaf6615aca1908
SHA256

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7
SHA512

8c018af20bad4de00125fe1cdbeb7b8bb059846b7b67c75d31cd12bb909b7f012517bb7d31641a2d7156cf3a9798cccd14dd542f5e2079bd0d47a29c96102bd3
SSDEEP

24576:VM6foBca4H/sQ0NG6LdS9tbtOTxGIraEgsKiZZK3QASvzK6r:jfe/k/su6LatMDcsKKZYSvzKM

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

3 1964 rundll32.exe
6 1964 rundll32.exe
10 1964 rundll32.exe

flow	pid	process
3	1964	rundll32.exe
6	1964	rundll32.exe
10	1964	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VDK10\Parameters\ServiceDll = "C:\\Program Files (x86)\\Windows Media Player\\en-US\\VDK10.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\VDK10\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 2 IoCs

Processes:

rundll32.exesvchost.exe

pid process

1964 rundll32.exe
1100 svchost.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1964	rundll32.exe
1100	svchost.exe

Drops desktop.ini file(s) 2 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	rundll32.exe
File created	C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Desktop.ini	rundll32.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1964 set thread context of 1188 1964 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1964 set thread context of 1188	1964	rundll32.exe	rundll32.exe

Drops file in Program Files directory 32 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Media Player\en-US\VDK10.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Updater.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\SY______.PFM	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\brt.hyp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\pmd.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AcroRd32Info.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\ReadOutLoud.api	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AUMProduct.aup	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\review_browser.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\SY______.PFM	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\VDK10.SYD	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\JPEGIM32.FLT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\eng32.clx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\JPEGIM32.FLT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\AdobeAUM_rootCert.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\GIFIMP32.FLT	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\VDK10.SYD	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\BIB.dll	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\AdobeAUM_rootCert.cer	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\eng32.clx	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\brt.hyp	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\ReadOutLoud.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\BIB.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\AUMProduct.aup	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\pmd.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\GIFIMP32.FLT	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 46 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature	svchost.exe

Modifies registry class 24 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4a0031000000000000000000102054656d700000360008000400efbe00000000000000002a00000000000000000000000000000000000000000000000000540065006d007000000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 7e0074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f3c0008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 4c003100000000000000000010004c6f63616c00380008000400efbe00000000000000002a000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-999675638-2867687379-27515722-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1964 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1188 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1964	rundll32.exe

pid	process
1188	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exerundll32.exe

description	pid	process	target process
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1608 wrote to memory of 1964	1608	08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe	rundll32.exe
PID 1964 wrote to memory of 1188	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1188	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1188	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1188	1964	rundll32.exe	rundll32.exe
PID 1964 wrote to memory of 1188	1964	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe
"C:\Users\Admin\AppData\Local\Temp\08a5c87ab1ea14d269adfc5ae54db174b3465d0a7d9ba590dd6606091440b9b7.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23994
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1188

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:976

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
PID:1100

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windows media player\en-us\vdk10.dll",KSYDT3F1MXBG
2⤵
PID:1816

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\CiST0000.001

Filesize
64KB

MD5
51f751b2cd698441913ce7f776749a0c

SHA1
e047ff4f511484b82407528e068c165d5293580f

SHA256
12af2ccef19bdc51e30f36c7415aa2cf17ddbaad269e1540cfd4cf56362c2008

SHA512
9278fc03c71718f8778520525ac8376d83ac69d6e23fa704371e9ed8bdf94f40e26599598673a49332675f36ff25876cad156e2f2bd1e131de039f417ff0e496

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MKWD_BestBet.H1W

Filesize
357KB

MD5
d9291028aba52f12a29aa45690685bcb

SHA1
695a16bf33965c2aaa5bf91571af10cb1fc660d8

SHA256
a07b1411ee7c5101d0e3ea7ccde5487d0373801a82edc3fb4359140b93d15b8a

SHA512
90b65e48697d67afe002f71fec2a62fd0ba2172ab75b54df2158a3784f6ca310956ec7308240b28260d245434b1f3add2b57e7f743846ce13a95f4340e726f96

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Help_MTOC_help.H1H

Filesize
546KB

MD5
19a20bfbc7cd0721a655986708028cdf

SHA1
0ff8f750a69726090dd506a2bdd1171b4b8b7104

SHA256
583af08e3d32d64f07d39897607ca8008b81872986cbd8d6ff10e6395e509c31

SHA512
f8cf24101dbab289c56773aeb16883d02c0f0e6339e28d403382c548a05542cd41292beab59c70a6fb75bfef7a51faaa3ad8c19abb8be52f4def470ebafb8f9c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Pending.GRL

Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
d22f8d4fe796eebdb90b2684e1e2b434

SHA1
418d914ebf893ec536df1785333f860516c12961

SHA256
d3a107a806584b2c9d4d6b988c4702b61d46a9a11be25e8acf762b722c271a07

SHA512
1cebc383760a409a1e55018cd6e0238213edd4e12e77d4a1eb8f10e261b1d899909b15d0fd24065edb89933a7ebe746900bd9cb685258728707d5b2821dd3d9e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
ac4291c36ab2e3fc69de3a7755847867

SHA1
d6611f42e9ee2db898800c818381c8f8abfe40ab

SHA256
f03c00dec39f2e70fdfaa76b6ed7c27819782a928782819465ca47d37636d320

SHA512
80a4824cb5894ae2ccceb94c91cc164b91c4e8db0596a6a4313dabee290bb65772082a05d1fb46bc10d23f4748f57d202016cc616674964e064b33b8b8c39590

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\overlay.png

Filesize
28KB

MD5
1f93b502e78190a2f496c2d9558e069d

SHA1
6ae6249493d36682270c0d5e3eb3c472fdd2766e

SHA256
5c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e

SHA512
cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile19.bmp

Filesize
48KB

MD5
df26b0a9cf69230bb9a9c49dc30831c3

SHA1
ebbcaa79fd8797996a4704849c6f41702b993daf

SHA256
80134f6d607ea57b73d967361ae39ce71b3339b830cd5382c0b86affdf1df92f

SHA512
c49e63224ef08de54a10ea9a656b5f14e0e26d54ae2519019dd3584db768832c21729d046c6dd84b7893c3156bbf3e8e312e01480fdf79d122b3f88a8ae916a8

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\usertile29.bmp

Filesize
48KB

MD5
6a944c920d471248013a35096b1ce218

SHA1
00a1267a6e631710fc71eb2e2e590e0c693296de

SHA256
75de8e9eb7a045c484cdac6b3fd30fda99ee17cda8d0310897d0b73c2d1c4f87

SHA512
ec0a24dd41958b09e20e7366835ac0f938a45140ebd6915188c206fdbb8e9f728fbe50bb6e242d0804e7e693d4433b2fac586c7a3fb79de329416ad7731d9269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windows media player\en-us\vdk10.dll

Filesize
726KB

MD5
f180040d3959f2cd2b9c7a2481d31a46

SHA1
59471322adb7b5c09a5aa52e7bac875eef0024e8

SHA256
5418ecf78fc136ee346b47ebb04a60b9e087008786800d1d9ae34259393b812d

SHA512
6c3135f448851c6ff95e7ce767425d81eb3950344c144bbe64983eed2e0815ad99c82d957229fcd120443b52d8f952f7ab27c6ab03d57ba4a8854e9cc9223c5d

Download Submit
\Program Files (x86)\Windows Media Player\en-US\VDK10.dll

Filesize
726KB

MD5
f180040d3959f2cd2b9c7a2481d31a46

SHA1
59471322adb7b5c09a5aa52e7bac875eef0024e8

SHA256
5418ecf78fc136ee346b47ebb04a60b9e087008786800d1d9ae34259393b812d

SHA512
6c3135f448851c6ff95e7ce767425d81eb3950344c144bbe64983eed2e0815ad99c82d957229fcd120443b52d8f952f7ab27c6ab03d57ba4a8854e9cc9223c5d

Download Submit
\Program Files (x86)\Windows Media Player\en-US\VDK10.dll

Filesize
726KB

MD5
f180040d3959f2cd2b9c7a2481d31a46

SHA1
59471322adb7b5c09a5aa52e7bac875eef0024e8

SHA256
5418ecf78fc136ee346b47ebb04a60b9e087008786800d1d9ae34259393b812d

SHA512
6c3135f448851c6ff95e7ce767425d81eb3950344c144bbe64983eed2e0815ad99c82d957229fcd120443b52d8f952f7ab27c6ab03d57ba4a8854e9cc9223c5d

Download Submit
\Program Files (x86)\Windows Media Player\en-US\VDK10.dll

Filesize
726KB

MD5
f180040d3959f2cd2b9c7a2481d31a46

SHA1
59471322adb7b5c09a5aa52e7bac875eef0024e8

SHA256
5418ecf78fc136ee346b47ebb04a60b9e087008786800d1d9ae34259393b812d

SHA512
6c3135f448851c6ff95e7ce767425d81eb3950344c144bbe64983eed2e0815ad99c82d957229fcd120443b52d8f952f7ab27c6ab03d57ba4a8854e9cc9223c5d

Download Submit
\Program Files (x86)\Windows Media Player\en-US\VDK10.dll

Filesize
726KB

MD5
f180040d3959f2cd2b9c7a2481d31a46

SHA1
59471322adb7b5c09a5aa52e7bac875eef0024e8

SHA256
5418ecf78fc136ee346b47ebb04a60b9e087008786800d1d9ae34259393b812d

SHA512
6c3135f448851c6ff95e7ce767425d81eb3950344c144bbe64983eed2e0815ad99c82d957229fcd120443b52d8f952f7ab27c6ab03d57ba4a8854e9cc9223c5d

Download Submit
\Program Files (x86)\Windows Media Player\en-US\VDK10.dll

Filesize
726KB

MD5
f180040d3959f2cd2b9c7a2481d31a46

SHA1
59471322adb7b5c09a5aa52e7bac875eef0024e8

SHA256
5418ecf78fc136ee346b47ebb04a60b9e087008786800d1d9ae34259393b812d

SHA512
6c3135f448851c6ff95e7ce767425d81eb3950344c144bbe64983eed2e0815ad99c82d957229fcd120443b52d8f952f7ab27c6ab03d57ba4a8854e9cc9223c5d

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Program Files\Mozilla Firefox\firefox.exe

Filesize
562KB

MD5
d388df6ed5ccbf1acdeda5af2d18cb0b

SHA1
124d3c2ba93644ac6c2d7253de242b46be836692

SHA256
8bcfd8420d721cc0ca50c1bef653e63e013ce201dfcca5927228eb25c9abf606

SHA512
f45200d296f4956ec2c39115095559e7825a748b5481c1a3244edf362a49c40b90d778fcdf4bf629095661d96879c96259574d9bfc29d81b6b14f19f4c32d234

Download Submit
\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
memory/976-113-0x0000000000000000-mapping.dmp

Download
memory/1100-114-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1100-104-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1100-89-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1100-87-0x00000000039B0000-0x00000000040D5000-memory.dmp

Filesize
7.1MB

Download
memory/1188-80-0x0000000000280000-0x0000000000499000-memory.dmp

Filesize
2.1MB

Download
memory/1188-77-0x0000000002070000-0x00000000021B0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-71-0x0000000000280000-0x0000000000499000-memory.dmp

Filesize
2.1MB

Download
memory/1188-81-0x0000000001E40000-0x000000000206A000-memory.dmp

Filesize
2.2MB

Download
memory/1188-79-0x000007FEFBB21000-0x000007FEFBB23000-memory.dmp

Filesize
8KB

Download
memory/1188-76-0x00000000FF0F3CEC-mapping.dmp

Download
memory/1188-78-0x0000000002070000-0x00000000021B0000-memory.dmp

Filesize
1.2MB

Download
memory/1608-60-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1608-59-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/1608-54-0x0000000000280000-0x0000000000356000-memory.dmp

Filesize
856KB

Download
memory/1608-56-0x0000000000280000-0x0000000000356000-memory.dmp

Filesize
856KB

Download
memory/1608-55-0x0000000075A91000-0x0000000075A93000-memory.dmp

Filesize
8KB

Download
memory/1608-57-0x0000000001E60000-0x0000000001F75000-memory.dmp

Filesize
1.1MB

Download
memory/1816-108-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1816-107-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1816-105-0x0000000003910000-0x0000000004035000-memory.dmp

Filesize
7.1MB

Download
memory/1816-98-0x0000000000000000-mapping.dmp

Download
memory/1964-82-0x00000000044B0000-0x0000000004BD5000-memory.dmp

Filesize
7.1MB

Download
memory/1964-58-0x0000000000000000-mapping.dmp

Download
memory/1964-64-0x00000000044B0000-0x0000000004BD5000-memory.dmp

Filesize
7.1MB

Download
memory/1964-66-0x00000000044B0000-0x0000000004BD5000-memory.dmp

Filesize
7.1MB

Download
memory/1964-68-0x0000000004010000-0x0000000004150000-memory.dmp

Filesize
1.2MB

Download
memory/1964-67-0x0000000004010000-0x0000000004150000-memory.dmp

Filesize
1.2MB

Download
memory/1964-69-0x00000000044B0000-0x0000000004BD5000-memory.dmp

Filesize
7.1MB

Download
memory/1964-70-0x0000000005320000-0x0000000005460000-memory.dmp

Filesize
1.2MB

Download
memory/1964-73-0x0000000005320000-0x0000000005460000-memory.dmp

Filesize
1.2MB

Download
memory/1964-74-0x0000000004010000-0x0000000004150000-memory.dmp

Filesize
1.2MB

Download
memory/1964-75-0x0000000004010000-0x0000000004150000-memory.dmp

Filesize
1.2MB

Download