danabot | 30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a

Analysis

max time kernel
148s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.0MB
MD5

1a61e55fa3fd1dc5cbf63d91e6c5a93b
SHA1

0f68fc53fafb875aa9150ab4d39b8b5015cac684
SHA256

30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a
SHA512

975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8
SSDEEP

24576:iEGwNZdOMFdGiOlPwFU0yB8zuj+9LJwFP:UwNLKiOlPEjyfOuFP

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

4 1592 rundll32.exe
5 1592 rundll32.exe
41 1592 rundll32.exe
43 1592 rundll32.exe

flow	pid	process
4	1592	rundll32.exe
5	1592	rundll32.exe
41	1592	rundll32.exe
43	1592	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BIBUtils\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\BIBUtils.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\BIBUtils\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1592 rundll32.exe
3120 svchost.exe
4060 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1592	rundll32.exe
3120	svchost.exe
4060	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1592 set thread context of 5040 1592 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1592 set thread context of 5040	1592	rundll32.exe	rundll32.exe

Drops file in Program Files directory 46 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-math-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\base_uris.js	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Eula.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\license.html	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.sig	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\move.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-57x57-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\is.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-process-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-convert-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\license.html	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.ini	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\el.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\OptimizePDF_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\id.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\OptimizePDF_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\cy.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1044 3464 WerFault.exe tmp.exe

pid	pid_target	process	target process
1044	3464	WerFault.exe	tmp.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B985DB265F7E6ED8AE418EA61FC4563A0CA14486	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\B985DB265F7E6ED8AE418EA61FC4563A0CA14486\Blob = 030000000100000014000000b985db265f7e6ed8ae418ea61fc4563a0ca1448620000000010000006a02000030820266308201cfa003020102020848d587275824e209300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656e7469636f646a28746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3230313231393138323335305a170d3234313231383138323335305a30503132303006035504030c294d6963726f736f66742041757468656e7469636f646a28746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c472f11685418fd34288a77f3384a1b3f142741aed54ba62f44ac08b1acde4c52ccb4a6099c13dbfc7569f24cdd656f855bca0d148c27fb6827853d54def5bcac493981a38be4b00c9b6356ca0f697b877a7f3771a7d9f19f64d7213dab4c14f0be5498afe7f84b9618f1509685bfa31d73d4390de2cfe33a08b57611e847b090203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f66742041757468656e7469636f646a28746d2920526f6f7420417574686f72697479300d06092a864886f70d01010b0500038181006b492bffa73b9ae957b108a30eab681e0f6db5ad6da4d565a71fc1521b6d00e3e343a52461a8beba6bafa2e509a301af0e05a0159899b523bb656cdac880ff91f346308624dfa8c2212b7872f27ec70b0af7704fd7e5a166a298014c1a4239192bed52dcf59b2bc65e9564a9e533e0cbf06216b8882ae7dcadf38d4065e630df	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3120	svchost.exe
3120	svchost.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
1592	rundll32.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe
3120	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1592 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

5040 rundll32.exe
1592 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1592	rundll32.exe

pid	process
5040	rundll32.exe
1592	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exerundll32.exesvchost.exe

description	pid	process	target process
PID 3464 wrote to memory of 1592	3464	tmp.exe	rundll32.exe
PID 3464 wrote to memory of 1592	3464	tmp.exe	rundll32.exe
PID 3464 wrote to memory of 1592	3464	tmp.exe	rundll32.exe
PID 1592 wrote to memory of 5040	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 5040	1592	rundll32.exe	rundll32.exe
PID 1592 wrote to memory of 5040	1592	rundll32.exe	rundll32.exe
PID 3120 wrote to memory of 4060	3120	svchost.exe	rundll32.exe
PID 3120 wrote to memory of 4060	3120	svchost.exe	rundll32.exe
PID 3120 wrote to memory of 4060	3120	svchost.exe	rundll32.exe
PID 1592 wrote to memory of 4936	1592	rundll32.exe	schtasks.exe
PID 1592 wrote to memory of 4936	1592	rundll32.exe	schtasks.exe
PID 1592 wrote to memory of 4936	1592	rundll32.exe	schtasks.exe
PID 1592 wrote to memory of 452	1592	rundll32.exe	schtasks.exe
PID 1592 wrote to memory of 452	1592	rundll32.exe	schtasks.exe
PID 1592 wrote to memory of 452	1592	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1592

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23979
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:5040

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4936

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:452

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3464 -s 536
2⤵
- Program crash
PID:1044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 3464 -ip 3464
1⤵
PID:4212

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3056

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\bibutils.dll",awhjQQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4060

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll
Filesize
726KB

MD5
2ed0ae21663cd33729c7b4a622c0ad29

SHA1
50ba3d0df795e8f3380213e0b7c8bc5c7a812f7c

SHA256
0aea91179f12f27a4487c4afff0fc4b0b449965a396dacd9527ff46a815ce871

SHA512
51bf6e4359ff7e10658a45560cb21d8753747d363504f4d36446559050d530a4037a47ecc3b417c2de8b53ebc3010754f45a693d3ea51cad62412779ebbea83c

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\BIBUtils.dll
Filesize
726KB

MD5
2ed0ae21663cd33729c7b4a622c0ad29

SHA1
50ba3d0df795e8f3380213e0b7c8bc5c7a812f7c

SHA256
0aea91179f12f27a4487c4afff0fc4b0b449965a396dacd9527ff46a815ce871

SHA512
51bf6e4359ff7e10658a45560cb21d8753747d363504f4d36446559050d530a4037a47ecc3b417c2de8b53ebc3010754f45a693d3ea51cad62412779ebbea83c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.excelmui.msi.16.en-us.xml
Filesize
39KB

MD5
93b791b81e660e839ef91e881d0d40ba

SHA1
f28bf43cb01d5d6f0714b40c0183c0f920704b7a

SHA256
94e7e8449e52aa41decd74e1fa8bc6d688a1fc1e6dcbd015ff19ece64dedfe32

SHA512
3bfff8518d32d599f29c254b9f1de7337d49aa027ff0c0c3345698695a87ddc145c13855e7a7a434f7d29eaa60ce44161b47e40a95df8c54c686dadaf894ec63

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\DeploymentConfig.2.xml
Filesize
1KB

MD5
3793544370ec1fddcf5ba6ae099f2538

SHA1
c784c5d8d1c496ab7ba1150782d20cba67b76321

SHA256
87975551187040cc2505a12ac285c042b8e70921a55808ecf982c7cd37df0ae2

SHA512
debdde56e6e087ff04863490223229d37828e348f7630d6c33aae1f113cce4be75f1420c593268ef5f5bd3026dccb062015781ba83dcaffa2b9bb37b55efc319

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.AccountsControl_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
13KB

MD5
c7405e2e68aec89e44862595ccc0d186

SHA1
2cc8d73f93dd875134917795633bb606911f1069

SHA256
9a9adc35b9debbd0ded2aa1684769afd7fbb09b2e1afa20b19893de5fdbabe37

SHA512
0cb3190812b404ff0cc32bc0442c8e0cc26ee989fbcab7284b21dbd134664f1b38fd3cb7e9a98898dd64b445ace1a117bd00cac793336fb25a819e17c60cab22

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
cc4cc0e085cfafe9c540f7a6a4cad93e

SHA1
8982a1b3d8f3d8bc37b1c12f9a7f594723d03247

SHA256
fa0819943729b9c38d89e92fcbc31ba393b49baa524bfa4ee9f2f471f8fcf756

SHA512
b8f591ee4b5b241025a0d583efed50fb548a180599bc4dab2f7b978da4daf08ca917e539354e2510aaca35257854034de3e3f3a8242eaa71f5ec9c4b3dc289d5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
839B

MD5
5ddffd275e173019cb301fe2c96a2f3f

SHA1
0303cebf14f4304d93733426aee485e4bf7efe29

SHA256
d1e768a7bb7a5851697a2a5bec63670c9d90b72d1f77169ef231c265b9cb8272

SHA512
e92f31f56dc2f5dfa0963978239303d2c5755b5bfa363910f18e5168703d3ddfc506ad522915b90f9d489997a66a3db780762e750a658ac7835b75d8d299684a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp
Filesize
2.3MB

MD5
1bcfaa6dd7a5e1ee78e74066e350dc5e

SHA1
72fe0dd30e9733836c08c7013b74905c4933ada6

SHA256
65e89b599a212a9b191546b53c30f1928742bbb0a11de9bc2b7794b08ff61b00

SHA512
aba8b333f23220c6f432335a13818d4d737cbd3e0a8c671d7086bae25a379ac7d79f94e741240cbc2749368132cb5838143275e06dd2a583a76795d029225dc1

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\qmgr.db
Filesize
768KB

MD5
28162e7b1ec7202327a487f83d38a873

SHA1
ae1052802005d2f0e1aaf378bbba3a7c80176896

SHA256
53a3d757852db77bf8fda088c34d7759508f1c6af57e998aa1be96cba8557a17

SHA512
345cbbbb1a62ff1f340bd66b5afafa8de10eecbf1a5126eb0fae080914c4d1a09e69c93f3f84a70ac0443d0aeff530fbc187db4c3078ebb1443e36b527b6800b

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml
Filesize
1KB

MD5
93a100713ff56b66e15f984d3100aab7

SHA1
4ffb9e5c0d7687a38cc9b9f767bd4b9d4a325656

SHA256
0c80edf0d6699061728f917d731ea29e7ad3c7f2ea067d4510a01369255cbd26

SHA512
df8b5e56e9dcf0c3e4737e8ab878a4182c757d731f8e893c0285fa5e5d89faec75f4f1f0e8fbf2d502a28632410198ae6dfed82ac5a593d23cf5c2bd59c3c4fc

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\user-192.png
Filesize
2KB

MD5
00974aab6b9832933e8ac609e50e5dce

SHA1
6fa57587c15d3de9c9ace6da93ab80830bd87771

SHA256
7e9997f40d13b32c724ca4ecef283f377ce9965d31534167994e654d6e6623b6

SHA512
c104286c58629920fa51b5f764c409b87ce9cbff3ea33d634cfa5d7804294a345c5e4150780f84d85c8a7a0aea7d6089eb4f31494096a4c5e9982364f9ad2e47

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\user-48.png
Filesize
617B

MD5
e738274439f0bcf555425a00af9a2f75

SHA1
cf0d5425bda34e865bc73601ac299d425d9064ef

SHA256
191e237f5a862cdbafa4562bebf080680a051d2c07b4f256c9b856f10d63d010

SHA512
2c2c1ccb38d14150dcb89249c3a2ee995e9467fb99ea20cc4819c4a683b50be0753b04264048084ae2611399b56736ca50d7a94dd98bd3dd055f430471188c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp
Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\bibutils.dll
Filesize
726KB

MD5
2ed0ae21663cd33729c7b4a622c0ad29

SHA1
50ba3d0df795e8f3380213e0b7c8bc5c7a812f7c

SHA256
0aea91179f12f27a4487c4afff0fc4b0b449965a396dacd9527ff46a815ce871

SHA512
51bf6e4359ff7e10658a45560cb21d8753747d363504f4d36446559050d530a4037a47ecc3b417c2de8b53ebc3010754f45a693d3ea51cad62412779ebbea83c

Download Submit
memory/452-174-0x0000000000000000-mapping.dmp

Download
memory/1592-135-0x0000000000000000-mapping.dmp

Download
memory/1592-139-0x0000000004890000-0x0000000004FB5000-memory.dmp

Filesize
7.1MB

Download
memory/1592-149-0x0000000004529000-0x000000000452B000-memory.dmp

Filesize
8KB

Download
memory/1592-140-0x0000000004890000-0x0000000004FB5000-memory.dmp

Filesize
7.1MB

Download
memory/1592-153-0x0000000004890000-0x0000000004FB5000-memory.dmp

Filesize
7.1MB

Download
memory/1592-141-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-145-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-142-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-143-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-146-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/1592-144-0x00000000044B0000-0x00000000045F0000-memory.dmp

Filesize
1.2MB

Download
memory/3120-157-0x0000000003170000-0x0000000003895000-memory.dmp

Filesize
7.1MB

Download
memory/3120-175-0x0000000003170000-0x0000000003895000-memory.dmp

Filesize
7.1MB

Download
memory/3120-171-0x0000000003170000-0x0000000003895000-memory.dmp

Filesize
7.1MB

Download
memory/3464-133-0x00000000024E0000-0x00000000025F5000-memory.dmp

Filesize
1.1MB

Download
memory/3464-132-0x00000000023FD000-0x00000000024D3000-memory.dmp

Filesize
856KB

Download
memory/3464-134-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3464-138-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/4060-170-0x0000000004920000-0x0000000005045000-memory.dmp

Filesize
7.1MB

Download
memory/4060-168-0x0000000000000000-mapping.dmp

Download
memory/4060-172-0x0000000004920000-0x0000000005045000-memory.dmp

Filesize
7.1MB

Download
memory/4060-176-0x0000000004920000-0x0000000005045000-memory.dmp

Filesize
7.1MB

Download
memory/4936-173-0x0000000000000000-mapping.dmp

Download
memory/5040-147-0x00007FF619046890-mapping.dmp

Download
memory/5040-148-0x000002AF09EE0000-0x000002AF0A020000-memory.dmp

Filesize
1.2MB

Download
memory/5040-152-0x000002AF0A030000-0x000002AF0A25A000-memory.dmp

Filesize
2.2MB

Download
memory/5040-151-0x0000000000C40000-0x0000000000E59000-memory.dmp

Filesize
2.1MB

Download
memory/5040-150-0x000002AF09EE0000-0x000002AF0A020000-memory.dmp

Filesize
1.2MB

Download