danabot | 60c458f556bbe94bbb29d8db488ad2358d4846654946b0bb5c21cd867be3785a

General

Target

2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe
Size

310KB
MD5

7c0fa0f871ce994b95a7679953dacf6b
SHA1

fe24a1ecec1d2f6526c2c98e135514d57b4ba1e3
SHA256

2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407
SHA512

dcda6ec44ff3d51fa106511ae7f35026e603d26e7372ba31fe42bb408bca710e9e64c57d6d45db18b47408b27192f1ad495a982f48b5db114c5dfc0b7020d487
SSDEEP

6144:pq/PLRi9atHbLX3qUulW0h4dH4rWlRjO1n:pIP9i9aful9zrW9u

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4800-133-0x00000000007F0000-0x00000000007F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

107 1284 rundll32.exe
121 1284 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

E7A5.exe

pid process

3996 E7A5.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1284 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1284 set thread context of 4072 1284 rundll32.exe rundll32.exe

flow	pid	process
107	1284	rundll32.exe
121	1284	rundll32.exe

pid	process
3996	E7A5.exe

pid	process
1284	rundll32.exe

description	pid	process	target process
PID 1284 set thread context of 4072	1284	rundll32.exe	rundll32.exe

Drops file in Program Files directory 37 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Search.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-default.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-default.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_psd.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Search.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Stamp.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_asym.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\close_x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\ReadOutLoud.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ReadOutLoud.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_psd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\sendforsignature.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\close_x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sendforsignature.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_extensions.pak	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\WindowsMedia.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AGMGPUOptIn.ini	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4716 3996 WerFault.exe E7A5.exe

pid	pid_target	process	target process
4716	3996	WerFault.exe	E7A5.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355588e100054656d7000003a0009000400efbe0c55199993555d8e2e00000000000000000000000000000000000000000000000000d40dce00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2212

pid	process
2212

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe

pid	process
4800	2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe
4800	2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212
2212

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2212
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe

pid process

4800 2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe

pid	process
2212

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212
Token: SeShutdownPrivilege	2212
Token: SeCreatePagefilePrivilege	2212

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4072 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2212
2212

pid	process
4072	rundll32.exe

pid	process
2212
2212

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

E7A5.exerundll32.exe

description	pid	process	target process
PID 2212 wrote to memory of 3996	2212		E7A5.exe
PID 2212 wrote to memory of 3996	2212		E7A5.exe
PID 2212 wrote to memory of 3996	2212		E7A5.exe
PID 3996 wrote to memory of 1284	3996	E7A5.exe	rundll32.exe
PID 3996 wrote to memory of 1284	3996	E7A5.exe	rundll32.exe
PID 3996 wrote to memory of 1284	3996	E7A5.exe	rundll32.exe
PID 1284 wrote to memory of 4072	1284	rundll32.exe	rundll32.exe
PID 1284 wrote to memory of 4072	1284	rundll32.exe	rundll32.exe
PID 1284 wrote to memory of 4072	1284	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe
"C:\Users\Admin\AppData\Local\Temp\2b61e88384cfc2638764efece0ea12eb0c3384f1c04bbbbdc2cd81cd037e9407.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4800

C:\Users\Admin\AppData\Local\Temp\E7A5.exe
C:\Users\Admin\AppData\Local\Temp\E7A5.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4072

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3996 -s 536
2⤵
- Program crash
PID:4716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3996 -ip 3996
1⤵
PID:8

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4736

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:408

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll

Filesize
726KB

MD5
4461b18188b1d2f07ad7d41c8a3afc78

SHA1
4c92d8dc3277482b580d7bfeefc5bc98bd129c2a

SHA256
6d060e6ab318fb4eb4e733731b75b5c10471eeb42c0abc21c3248c6f7bec2b62

SHA512
3b44eef7d0aa081ecc08c97c2324ce470e040e7716c6a4857cecb0720b4355bffbe4a435f60c27581fe8c78ea2679a1cf5075377f5edc3b75bba32510dbc5157

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Diagtrack-Listener.etl

Filesize
192KB

MD5
51a969ecc8b831e7815060f47dae5f29

SHA1
2eb91ce77d3929efbfdf4b1ad1a574a7cab652d2

SHA256
a9d06344974fe92aa4eb682e62828c262d8034f8dca495bd993e6207851e77ea

SHA512
7e25cae3f8e402008d15dfce694c92c1e16a40566c81da9060292cba0f8f1ee375923a4478569ec59843c8373737b6c280c9a5e3afbc42169a8ac386cc8c4241

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
e8a81564d30348909ee3c6f4b96b9f10

SHA1
fc13a6af27788f46dececc6ea692d2f6344edb70

SHA256
79c9066000ec9a4883441209a39050f82c5c0a55137d332fd9bf93e3ea24e271

SHA512
2aada1da52488e83217e4098ddffa51349bfe58d3ff4435332c80f4df0ed14ed86c16f9f13de894704f4be277f8a296340f36507adb651544b7e788cd7d373f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7A5.exe

Filesize
1.1MB

MD5
8f4070594e2008388c46be164a59d9ae

SHA1
bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

SHA256
37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

SHA512
2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\E7A5.exe

Filesize
1.1MB

MD5
8f4070594e2008388c46be164a59d9ae

SHA1
bbbfde91f46f1bbfc8139bdd1d44e7a22e185b69

SHA256
37b5287743c5de46c17952589bdc3632a5083450f799f6c8f314afa613f4ae34

SHA512
2897cdbe665f83cebe00fbffa91a0674c756a12fa8ff2da0dba32fb7076bf286cc0d1e17f8ab50dcbc456365ef85caca56b318d9bf50e32b0ee1e1cb3b7ebfb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\ahclient.dll

Filesize
726KB

MD5
4461b18188b1d2f07ad7d41c8a3afc78

SHA1
4c92d8dc3277482b580d7bfeefc5bc98bd129c2a

SHA256
6d060e6ab318fb4eb4e733731b75b5c10471eeb42c0abc21c3248c6f7bec2b62

SHA512
3b44eef7d0aa081ecc08c97c2324ce470e040e7716c6a4857cecb0720b4355bffbe4a435f60c27581fe8c78ea2679a1cf5075377f5edc3b75bba32510dbc5157

Download Submit
memory/408-163-0x0000000002FE0000-0x0000000003705000-memory.dmp

Filesize
7.1MB

Download
memory/1284-149-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/1284-152-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/1284-139-0x0000000000000000-mapping.dmp

Download
memory/1284-154-0x00000000044E9000-0x00000000044EB000-memory.dmp

Filesize
8KB

Download
memory/1284-146-0x0000000005720000-0x0000000005E45000-memory.dmp

Filesize
7.1MB

Download
memory/1284-147-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/1284-148-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/1284-159-0x0000000005720000-0x0000000005E45000-memory.dmp

Filesize
7.1MB

Download
memory/1284-150-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/1284-151-0x0000000004470000-0x00000000045B0000-memory.dmp

Filesize
1.2MB

Download
memory/3996-136-0x0000000000000000-mapping.dmp

Download
memory/3996-142-0x00000000020FB000-0x00000000021D1000-memory.dmp

Filesize
856KB

Download
memory/3996-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3996-143-0x00000000022E0000-0x00000000023F5000-memory.dmp

Filesize
1.1MB

Download
memory/4072-153-0x00007FF71E956890-mapping.dmp

Download
memory/4072-157-0x0000000000E10000-0x0000000001029000-memory.dmp

Filesize
2.1MB

Download
memory/4072-158-0x0000019D341F0000-0x0000019D3441A000-memory.dmp

Filesize
2.2MB

Download
memory/4072-156-0x0000019D35BC0000-0x0000019D35D00000-memory.dmp

Filesize
1.2MB

Download
memory/4072-155-0x0000019D35BC0000-0x0000019D35D00000-memory.dmp

Filesize
1.2MB

Download
memory/4800-132-0x0000000000828000-0x000000000083D000-memory.dmp

Filesize
84KB

Download
memory/4800-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4800-133-0x00000000007F0000-0x00000000007F9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads