danabot | f5a5e36a899f791fc1b32b50e2f6753ef2e00eab0bfbcc2e544cbed2b190e2c6

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
Size

310KB
MD5

c6d5caf032d4435e71637bd333f174fb
SHA1

1971852a4bedd32ac3a74d7a9600dcb369e71cce
SHA256

36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007
SHA512

7a7176c80ade6000dbb7a4b94cb11f229b360ea8adab69d829cf24541d5f364e9f6143a697f1c839336da98261f9a038aacc4c463b90d67bb2fba56158d8144e
SSDEEP

6144:+gxRLtYltAaD+/eWOGkLc3zJJaRH4rWlRjO1n:+qRpYlt5DXbBotJayrW9u

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4948-133-0x00000000005E0000-0x00000000005E9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

42 2868 rundll32.exe
49 2868 rundll32.exe
66 2868 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

84D.exe

pid process

4060 84D.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2868 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2868 set thread context of 524 2868 rundll32.exe rundll32.exe

flow	pid	process
42	2868	rundll32.exe
49	2868	rundll32.exe
66	2868	rundll32.exe

pid	process
4060	84D.exe

pid	process
2868	rundll32.exe

description	pid	process	target process
PID 2868 set thread context of 524	2868	rundll32.exe	rundll32.exe

Drops file in Program Files directory 26 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeLinguistic.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\Dynamic.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\createpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\editpdf.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\organize.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_all.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\warning.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\server_lg.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Review_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\editpdf.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_all.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4548 4060 WerFault.exe 84D.exe

pid	pid_target	process	target process
4548	4060	WerFault.exe	84D.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

Checks processor information in registry 2 TTPs 23 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009355e990100054656d7000003a0009000400efbe6b557d6c9355ef902e0000000000000000000000000000000000000000000000000009068d00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2620

pid	process
2620

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

pid	process
4948	36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
4948	36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620
2620

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2620
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

pid process

4948 36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe

pid	process
2620

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620
Token: SeShutdownPrivilege	2620
Token: SeCreatePagefilePrivilege	2620

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

524 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2620
2620

pid	process
524	rundll32.exe

pid	process
2620
2620

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

84D.exerundll32.exe

description	pid	process	target process
PID 2620 wrote to memory of 4060	2620		84D.exe
PID 2620 wrote to memory of 4060	2620		84D.exe
PID 2620 wrote to memory of 4060	2620		84D.exe
PID 4060 wrote to memory of 2868	4060	84D.exe	rundll32.exe
PID 4060 wrote to memory of 2868	4060	84D.exe	rundll32.exe
PID 4060 wrote to memory of 2868	4060	84D.exe	rundll32.exe
PID 2868 wrote to memory of 524	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 524	2868	rundll32.exe	rundll32.exe
PID 2868 wrote to memory of 524	2868	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe
"C:\Users\Admin\AppData\Local\Temp\36962dbe21b03b6b13e7a6e607f908eb54c0fa8d511d3d522fcb31322c938007.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4948

C:\Users\Admin\AppData\Local\Temp\84D.exe
C:\Users\Admin\AppData\Local\Temp\84D.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4060

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2868

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23949
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:524

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4060 -s 528
2⤵
- Program crash
PID:4548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4060 -ip 4060
1⤵
PID:1844

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3964

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:1448

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\reviewers.dll",NhMjNHoy
2⤵
PID:2852

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll
Filesize
726KB

MD5
2ed0ae21663cd33729c7b4a622c0ad29

SHA1
50ba3d0df795e8f3380213e0b7c8bc5c7a812f7c

SHA256
0aea91179f12f27a4487c4afff0fc4b0b449965a396dacd9527ff46a815ce871

SHA512
51bf6e4359ff7e10658a45560cb21d8753747d363504f4d36446559050d530a4037a47ecc3b417c2de8b53ebc3010754f45a693d3ea51cad62412779ebbea83c

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.dll
Filesize
726KB

MD5
2ed0ae21663cd33729c7b4a622c0ad29

SHA1
50ba3d0df795e8f3380213e0b7c8bc5c7a812f7c

SHA256
0aea91179f12f27a4487c4afff0fc4b0b449965a396dacd9527ff46a815ce871

SHA512
51bf6e4359ff7e10658a45560cb21d8753747d363504f4d36446559050d530a4037a47ecc3b417c2de8b53ebc3010754f45a693d3ea51cad62412779ebbea83c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.office32ww.msi.16.x-none.xml
Filesize
331KB

MD5
b5cf5d15a8e6c6f2eb99a5645a2c2336

SHA1
7efe1b634ce1253a6761eb0c54f79dd42b79325f

SHA256
f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c

SHA512
83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe.xml
Filesize
20KB

MD5
419d040255d3d92a74e19e346588ad4d

SHA1
4f005faf5b002a85a890a76900aec198b0b157ae

SHA256
43b225fa33b598526a7f3813c243575001643d3161ae55ecc9f62d5e2372e4f3

SHA512
9630665cbce8681653c14efb38cae9a28c9deaba7991596bac172e5bff4795c6f98f743b24d40d4abb79c3c07298333af2b559668528694bb8f8e063e1a377ed

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe.xml
Filesize
17KB

MD5
88edd5a41ab82f584c96038657f61fa0

SHA1
7196dd2233a620172932cbe75afc1eae004de540

SHA256
fc79e5ee3a80f00498b8be20796daacc279aee43b522cf3a968266c629e27ff5

SHA512
d75a11ab48d11114c753a1cb7c1cb3ef19e5b5e90818d6842278d28d72d85582aabfbcf324af94abc1fe47ed7b1d7cfd9660852dc59f9026f812a662adfbee4d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
855B

MD5
7ec956334fec33862a86ae1d3db724f5

SHA1
009ef40b310d0068ec42c3ec85a424a147e9e712

SHA256
c861b14bdbc003a3029af12487b4b01b9e3ece914afc6029b4cf59eb3156e3d7

SHA512
ba478d4138c56b6a5e89a0daa58234a2c872e39684c946711b0fc972e63a91ab97bbb5e8300e03094e8fc243f8bf39e1931162bf95762142998428faf69c2af9

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe.xml
Filesize
8KB

MD5
53e4d87ce4e7b6a4c5b2d84c60a70984

SHA1
ad381e6e2d67970b34c356259fa86fa8c3c1de78

SHA256
8e5dd7465c39d653c1ba79e4b154321413b4f3dd7b62f485848a5122fbb868b6

SHA512
2f984aa666cc9458450a6215d333ca3be4ba04a711d2bf4f257fca4e28007b25d0801cacdcd02f8f0b8d9f6f867a89478dd023faf672a88b95eda65091a03b71

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Win32.xml
Filesize
66KB

MD5
d6269a771887562b5461c9a99bcfeacd

SHA1
d4f5647c655af50453e2097eb3e8552318f139a1

SHA256
58e3a955ba9293be903e880620c559bcd4f5b8069c3c23a3f06a9c549ed621d1

SHA512
18b23fea2436cd1c6ac8dd159660f386694abe0d6c2e5bca15e11bbf9da06a620bc4c759af1b5646bed8086576369b051bec0f41837127738bebce9f13b9dc30

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\NetworkPrinters.xml
Filesize
2KB

MD5
774c9f44e6ff0b1798e092ed1df9a1fc

SHA1
a40a3292a55cb4f6f101a04f247f83196bf54716

SHA256
ef22a638f62476efac099497b1251bef64f115fa4752ad20467614571cf5ae5f

SHA512
529e66cd53361e631b7bfabff0063ac37a39e7adb0f2890db461a55de6430059015d6f6ca1cf447da759edd463b32c2007e6411d6d84a999a7d998f574fe2748

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
5a6bff5ae044773979d7f844462774e7

SHA1
1982d88ae91bd0b3b5a3a275a922446278d94cd6

SHA256
18c5dcf1005d4ed3661d00776c47610dd0df97395bbc91a0dd9061a272971364

SHA512
9d43c9997196e6e97b02d91a95a6241b6818408868eaa776644c06b59007f8ad033393829d603fb76036dcbcce830f1cc1e4147abbe1c05314e74e1150f37358

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
1.1MB

MD5
5b826a8aaa393dada8de3b304f6bdd46

SHA1
856a4d9e0b86bec190d4f9a430b52d60be10cb8b

SHA256
522630e6024d465febd641a381df65d36b20f358112cc4dd7e3ecbc0dbe033e0

SHA512
425f47654a3bc7cea97626f544326f7bff806bd5e05889f16c412ad2794d66fa050ad1044c9e4843908d8e8deb1fce0bf5924be1999f7dfed89060dff214adb8

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
Filesize
1KB

MD5
52cf638286d2e53bf8536fb9f4d8014d

SHA1
da04999d41cd61d6f6bf0dd87d515dcc85d33e29

SHA256
c6aea09422e8d810106006e4abe46a68bc918fc2b02ad135c90f68cd648e3b4a

SHA512
2398c927e9818ff3bf663463fb12120b4de3fdd9da2da241edefce2f2e5633f94274d66f1299acc13288bf9a7aca5ca40d91528807968227142e7842867012ed

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\tasks.xml
Filesize
10KB

MD5
c949974e2fc5c8909c2efafb92f7640d

SHA1
ec68489a4a4fa022e5b60901f7221d733365a9c9

SHA256
1131721b6f906cedebbcefe223725ae0f5c7ad0a96219eabaa49dc8d38cedf40

SHA512
8fc8e3cdcb66ec98962d0f888f0abe90e1a18db09144e00494dda9f56eaf7ed623e0ee13efd8a29fbf72c7094bbc9f489baf2d54e8170bb4b04d5363ec354362

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json
Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\user-48.png
Filesize
617B

MD5
e738274439f0bcf555425a00af9a2f75

SHA1
cf0d5425bda34e865bc73601ac299d425d9064ef

SHA256
191e237f5a862cdbafa4562bebf080680a051d2c07b4f256c9b856f10d63d010

SHA512
2c2c1ccb38d14150dcb89249c3a2ee995e9467fb99ea20cc4819c4a683b50be0753b04264048084ae2611399b56736ca50d7a94dd98bd3dd055f430471188c8d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\utc.cert.json
Filesize
2KB

MD5
635a39ff9f822dcfd1fb3c22e6ffeb45

SHA1
148a7e0a56504cae9219d0ed0f9aa8fb0ce7f7ca

SHA256
dc9c38e035984439878ac48131835b0ad4d113c9bdfe6ce62f23c069a04edbcd

SHA512
f246594c76d4740fab3552b0c738ea5dea75d6f81a4ca956c524ca0d09a4d1e71060d11447ac8de2810364828660ee328211ba727231172b30e636d84cd3747e

Download Submit
C:\Users\Admin\AppData\Local\Temp\84D.exe
Filesize
1.0MB

MD5
1a61e55fa3fd1dc5cbf63d91e6c5a93b

SHA1
0f68fc53fafb875aa9150ab4d39b8b5015cac684

SHA256
30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a

SHA512
975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\84D.exe
Filesize
1.0MB

MD5
1a61e55fa3fd1dc5cbf63d91e6c5a93b

SHA1
0f68fc53fafb875aa9150ab4d39b8b5015cac684

SHA256
30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a

SHA512
975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\reviewers.dll
Filesize
726KB

MD5
2ed0ae21663cd33729c7b4a622c0ad29

SHA1
50ba3d0df795e8f3380213e0b7c8bc5c7a812f7c

SHA256
0aea91179f12f27a4487c4afff0fc4b0b449965a396dacd9527ff46a815ce871

SHA512
51bf6e4359ff7e10658a45560cb21d8753747d363504f4d36446559050d530a4037a47ecc3b417c2de8b53ebc3010754f45a693d3ea51cad62412779ebbea83c

Download Submit
memory/524-154-0x0000017B66530000-0x0000017B66670000-memory.dmp

Filesize
1.2MB

Download
memory/524-153-0x00007FF6D88E6890-mapping.dmp

Download
memory/524-155-0x0000017B66530000-0x0000017B66670000-memory.dmp

Filesize
1.2MB

Download
memory/524-157-0x0000000000750000-0x0000000000969000-memory.dmp

Filesize
2.1MB

Download
memory/524-158-0x0000017B64B60000-0x0000017B64D8A000-memory.dmp

Filesize
2.2MB

Download
memory/1448-163-0x0000000003B60000-0x0000000004285000-memory.dmp

Filesize
7.1MB

Download
memory/2852-176-0x0000000000000000-mapping.dmp

Download
memory/2868-147-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/2868-145-0x0000000004340000-0x0000000004A65000-memory.dmp

Filesize
7.1MB

Download
memory/2868-159-0x0000000004340000-0x0000000004A65000-memory.dmp

Filesize
7.1MB

Download
memory/2868-156-0x0000000004C79000-0x0000000004C7B000-memory.dmp

Filesize
8KB

Download
memory/2868-150-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/2868-149-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/2868-146-0x0000000004340000-0x0000000004A65000-memory.dmp

Filesize
7.1MB

Download
memory/2868-148-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/2868-151-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/2868-139-0x0000000000000000-mapping.dmp

Download
memory/2868-152-0x0000000004C00000-0x0000000004D40000-memory.dmp

Filesize
1.2MB

Download
memory/4060-142-0x0000000000657000-0x000000000072D000-memory.dmp

Filesize
856KB

Download
memory/4060-143-0x00000000022D0000-0x00000000023E5000-memory.dmp

Filesize
1.1MB

Download
memory/4060-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4060-136-0x0000000000000000-mapping.dmp

Download
memory/4948-133-0x00000000005E0000-0x00000000005E9000-memory.dmp

Filesize
36KB

Download
memory/4948-135-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-134-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4948-132-0x00000000006F8000-0x000000000070D000-memory.dmp

Filesize
84KB

Download