danabot | ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 17:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe
Size

301KB
MD5

7b05389b0717d2f08c59aaa6d058b209
SHA1

362d18cdfe4af1bdb54a2162070bb43baccfbb62
SHA256

ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554
SHA512

64a9058f94c061d6dc69e3cf5937a420f9ed3a4e619ab97db70218f5c7cb427e92a71b259f244574d381aafb37bf434e3147046a612ecd6c0be2d9c1b12a6f6d
SSDEEP

6144:bLbuFyCYOYdGJN63DlWOzUtxcT7wY+7WYpuz+3ng+E49HwchLP3i:bXuSOQGJqWDu3k6wnVZH9P3

Score

10^/10

danabot smokeloader backdoor banker persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2220-133-0x0000000000500000-0x0000000000509000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

61 112 rundll32.exe
65 112 rundll32.exe
111 112 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

DD64.exe

pid process

3632 DD64.exe

flow	pid	process
61	112	rundll32.exe
65	112	rundll32.exe
111	112	rundll32.exe

pid	process
3632	DD64.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\apple-touch-icon-114x114-precomposed\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\apple-touch-icon-114x114-precomposed.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\apple-touch-icon-114x114-precomposed\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\apple-touch-icon-114x114-precomposed\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalServiceĀ"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\apple-touch-icon-114x114-precomposed\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

112 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 112 set thread context of 4100 112 rundll32.exe rundll32.exe

pid	process
112	rundll32.exe

description	pid	process	target process
PID 112 set thread context of 4100	112	rundll32.exe	rundll32.exe

Drops file in Program Files directory 28 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\move.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-114x114-precomposed.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tr.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Compare_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvDX9.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\drvDX9.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ExtendScript.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.VCLibs.x86.14.00.appx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroLayoutRecognizer.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Compare_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\move.svg	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3856 3632 WerFault.exe DD64.exe

pid	pid_target	process	target process
3856	3632	WerFault.exe	DD64.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093556693100054656d7000003a0009000400efbe0c55199993556a932e00000000000000000000000000000000000000000000000000dc9ad800540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

700

pid	process
700

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe

pid	process
2220	ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe
2220	ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700
700

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

700
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe

pid process

2220 ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe

pid	process
700

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700
Token: SeShutdownPrivilege	700
Token: SeCreatePagefilePrivilege	700

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4100 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

700
700

pid	process
4100	rundll32.exe

pid	process
700
700

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

DD64.exerundll32.exe

description	pid	process	target process
PID 700 wrote to memory of 3632	700		DD64.exe
PID 700 wrote to memory of 3632	700		DD64.exe
PID 700 wrote to memory of 3632	700		DD64.exe
PID 3632 wrote to memory of 112	3632	DD64.exe	rundll32.exe
PID 3632 wrote to memory of 112	3632	DD64.exe	rundll32.exe
PID 3632 wrote to memory of 112	3632	DD64.exe	rundll32.exe
PID 112 wrote to memory of 4100	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 4100	112	rundll32.exe	rundll32.exe
PID 112 wrote to memory of 4100	112	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe
"C:\Users\Admin\AppData\Local\Temp\ad1969d840d4c91dc5c2975b3a7710710043a822a02e4f2480d4622126816554.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2220

C:\Users\Admin\AppData\Local\Temp\DD64.exe
C:\Users\Admin\AppData\Local\Temp\DD64.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp",Sufeidweoe
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 23993
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3632 -s 536
2⤵
- Program crash
PID:3856

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3632 -ip 3632
1⤵
PID:564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2244

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:2984

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\apple-touch-icon-114x114-precomposed.dll",pUJj
2⤵
PID:4164

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-114x114-precomposed.dll

Filesize
726KB

MD5
c30f42d2d066d817801e3b439374320a

SHA1
4ee8f649ac5ccc425e4325062c0b8f7e59002758

SHA256
f113a878b8c45ccba26c81a30d239022ca09b4b4c9bf3945e30b1dd99bc38019

SHA512
1532ceff0f11749ae5abaeee336e8d9713f046226b830824758bc96abf088aa051a2c31c900ff621697b13c31e2906f06646a49b6c8870062872355fbae4c918

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-114x114-precomposed.dll

Filesize
726KB

MD5
c30f42d2d066d817801e3b439374320a

SHA1
4ee8f649ac5ccc425e4325062c0b8f7e59002758

SHA256
f113a878b8c45ccba26c81a30d239022ca09b4b4c9bf3945e30b1dd99bc38019

SHA512
1532ceff0f11749ae5abaeee336e8d9713f046226b830824758bc96abf088aa051a2c31c900ff621697b13c31e2906f06646a49b6c8870062872355fbae4c918

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
10KB

MD5
3ef69b2c0f15e6b97fca1141bc9beb9a

SHA1
421916704e31978eb77421161bb170003a83c1a2

SHA256
f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc

SHA512
cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\C2RManifest.shared.Office.x-none.msi.16.x-none.xml

Filesize
719KB

MD5
e9f03f8b71cac83b7d16ef685cabd0d0

SHA1
c5057520e0a65340360219618632037e7c0c474a

SHA256
fff80dc60d751bc2ff8c3085b5c338bc3f149a0e71976c3d82f30a0d43d284db

SHA512
1703ea88d9e8cd768308c246812cdd0d2a733a28e0beb039d019c1efd190ee05f9d045e280de7a75578d4282c161e768a48aebf8d97e58bfc7357cadbd5f208a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
913B

MD5
be48ed7a27efec1cfe2fff47cd7487cf

SHA1
ac37f431251640b5dbe93fc68d97265a22cb68ba

SHA256
49300e653a9546101b9d906d9782250976b92aaa7f6d92b561f130d5ac6c856f

SHA512
4e86e8ac7a21465ef728d6f0c4949394d0145e119886b152b27bce6be4108e784e4f6224937f064741f0dfcdc4d9f9bec6933c30e0b5225a7458154316cd14cb

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
28KB

MD5
b8c1eec848c415eea04839ad0af75950

SHA1
652ccb0f39fcb73b3fe31a231e490bbdb2a1d0bc

SHA256
694699e06fa830a2fb3b79d472b9d2560686e5ebd752022fd902ff2d1e82c162

SHA512
24f5629b1947690ee9fa911f1620a311db6f9433e77f8db67b468fb8624c3adcbfb21138c591a51d4e2e5f595ce9a5684203543890165fd2e88092cf303fe563

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
855B

MD5
dae188e1f4d8d97d8d65164eb0dda551

SHA1
78b54e226446825c56d15a19a3ed4b587a8842a2

SHA256
5bae5febdf75a2fe0b73791d603c7c9ac5de0d00dffc909b5dbc86bcd6dd15f2

SHA512
941d94c42572abcb937258e99a5d1b520c9f85ce741e81e81e7a299287ae9e8fb763fdc70b661a812c780f4b6997b84c8147791ac56f1510a87966c68ab23b22

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\MicrosoftOffice2013Office365Win32.xml

Filesize
10KB

MD5
01c9f9a623fc35be445dde3e94c2dfaa

SHA1
a018155617cf96d2337b151513e05f6531f7aba4

SHA256
b9fad09698d5891e5f3d9e707895540f47cb0f480c21732a41fdb6ef2cc0f84d

SHA512
74303d4e827e974e59d7f4f6fc82f3092ff3d64616c3d17392987b23163761218d9516623349c87d728499011bc9867e7bd121f973f01d2cf70626c1eae8149a

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SettingsLocationTemplate2013.xsd

Filesize
11KB

MD5
492e8dea7892f6198ee95b42424eab81

SHA1
246cc91c7d3e5d780e78192ee033f791e516b127

SHA256
e86dc0cf66df362220ae64e89480897d23fc7a54b475be3f7f78fb9cdc9ab3b7

SHA512
577a6b692f0e09e03f294d1aaab112450fcc6abfc6240074997bdeb050f229c4849f76828d815f862b7215ec24cc3aad5aa516da0d0a1ec84b1041fdf2c3a63c

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
6517fa32aaee5e7513906512ac9a6f73

SHA1
6646fe06faa7ae81f60bef6e03dd8cba0027d6c4

SHA256
b793806b451adc93fa5fce68ada98903ef2e0a565bf5d1a30bc4924ab87b6ba5

SHA512
15213a1cfd8a4fa6d78e028bde097b7abbfd8af49dc9edf1d55d7d89f1054073367c1051e056d387e2757f18b998938d7347a27cefacc7c6f689a5e204db5261

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\Shpetph.tmp

Filesize
2.3MB

MD5
6517fa32aaee5e7513906512ac9a6f73

SHA1
6646fe06faa7ae81f60bef6e03dd8cba0027d6c4

SHA256
b793806b451adc93fa5fce68ada98903ef2e0a565bf5d1a30bc4924ab87b6ba5

SHA512
15213a1cfd8a4fa6d78e028bde097b7abbfd8af49dc9edf1d55d7d89f1054073367c1051e056d387e2757f18b998938d7347a27cefacc7c6f689a5e204db5261

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\SmsInterceptStore.db

Filesize
192KB

MD5
b85cff0869b27cb9b319c8695ff13ecb

SHA1
20acc437243a95409d7048c3f50cd6605a460c17

SHA256
c645e9de8051cd91b6fd1829a3ff3b39a9b73fcd7da6ec56c4ef0feb7ca6a440

SHA512
1cded0944a62c0e58a5284aaeb4363bfcecdf83f231604e7e15871e195dde506eba8c91f3d01723eb2fd46cb530ef99e7184da44e3a8038d3328b05b02c31e0e

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\edb00002.log

Filesize
64KB

MD5
a010739065f722393f21b621ef7ee88f

SHA1
bc61a9cb2bb16ae322a5bda09d039d08cd4a05ee

SHA256
e18739b570947f1d59f34fc8defb114338ef1b55c68e12295302b189f66c9680

SHA512
f0709b12217350a98f5572d52eadce36755279d53b4f1dea08b00d2caa090e614c15d27751b3978062de86ec8404f2bdcc8e26d1ae968eb61bf3c8a73fa5c765

Download Submit
C:\ProgramData\{F21FF8C2-A136-6557-C5DD-F59D9999C8E7}\resource.xml

Filesize
1KB

MD5
1d3eb6efb2054c0f8c6dfcc90af00e4e

SHA1
452b9ea9cfbf42179a4e344e38ebad3a7179ead7

SHA256
8fe6157bec03efbc921905d0df8f6f9f4432323f1244fc380ea404d5d0e2c95e

SHA512
a0aefd1bf5bc0b275fbba3af7d06c672d82f3c7b40046f3f11515c6f3467f704d668985816f31f97a64e16c8c1112d78ea1f277e9001a3ef4d65df626544fcaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD64.exe

Filesize
1.0MB

MD5
1a61e55fa3fd1dc5cbf63d91e6c5a93b

SHA1
0f68fc53fafb875aa9150ab4d39b8b5015cac684

SHA256
30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a

SHA512
975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\DD64.exe

Filesize
1.0MB

MD5
1a61e55fa3fd1dc5cbf63d91e6c5a93b

SHA1
0f68fc53fafb875aa9150ab4d39b8b5015cac684

SHA256
30b818c6458a2626eee09c58a2f02f11568c85a3011b4fde5b601cf8972d8a2a

SHA512
975c9594a3583bd72d550c57ddd60bec585c87f556aa8118ed4288f0f77e69473a11c0d889692e758363ecdb4c4e9abb6c3d7bb01cc173051bddb9e46ca598d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ipoetwsuqhd.tmp

Filesize
726KB

MD5
6ea8a6cc5fed6c664df1b3ef7c56b55d

SHA1
6b244d708706441095ae97294928967ddf28432b

SHA256
2c7500ac5ebb0116e640747b8a5f0a2648f7d2f5f516ebb398b864cccc626fbe

SHA512
4a328a66df407e4c9fa230287104771ea3b5dd8265d60314797426101a8be19d13bc57de2388f0f90b20ada82d950e156ef4267c029080a6254b80eefd8b8741

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\apple-touch-icon-114x114-precomposed.dll

Filesize
726KB

MD5
c30f42d2d066d817801e3b439374320a

SHA1
4ee8f649ac5ccc425e4325062c0b8f7e59002758

SHA256
f113a878b8c45ccba26c81a30d239022ca09b4b4c9bf3945e30b1dd99bc38019

SHA512
1532ceff0f11749ae5abaeee336e8d9713f046226b830824758bc96abf088aa051a2c31c900ff621697b13c31e2906f06646a49b6c8870062872355fbae4c918

Download Submit
memory/112-146-0x0000000004230000-0x0000000004955000-memory.dmp

Filesize
7.1MB

Download
memory/112-150-0x0000000004AD9000-0x0000000004ADB000-memory.dmp

Filesize
8KB

Download
memory/112-152-0x0000000004A60000-0x0000000004BA0000-memory.dmp

Filesize
1.2MB

Download
memory/112-145-0x0000000004230000-0x0000000004955000-memory.dmp

Filesize
7.1MB

Download
memory/112-148-0x0000000004A60000-0x0000000004BA0000-memory.dmp

Filesize
1.2MB

Download
memory/112-157-0x0000000004AD9000-0x0000000004ADB000-memory.dmp

Filesize
8KB

Download
memory/112-147-0x0000000004A60000-0x0000000004BA0000-memory.dmp

Filesize
1.2MB

Download
memory/112-151-0x0000000004A60000-0x0000000004BA0000-memory.dmp

Filesize
1.2MB

Download
memory/112-160-0x0000000004230000-0x0000000004955000-memory.dmp

Filesize
7.1MB

Download
memory/112-153-0x0000000004A60000-0x0000000004BA0000-memory.dmp

Filesize
1.2MB

Download
memory/112-149-0x0000000004A60000-0x0000000004BA0000-memory.dmp

Filesize
1.2MB

Download
memory/112-139-0x0000000000000000-mapping.dmp

Download
memory/2220-132-0x0000000000528000-0x000000000053E000-memory.dmp

Filesize
88KB

Download
memory/2220-135-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2220-134-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2220-133-0x0000000000500000-0x0000000000509000-memory.dmp

Filesize
36KB

Download
memory/2984-164-0x0000000003730000-0x0000000003E55000-memory.dmp

Filesize
7.1MB

Download
memory/2984-179-0x0000000003730000-0x0000000003E55000-memory.dmp

Filesize
7.1MB

Download
memory/3632-143-0x0000000002340000-0x0000000002455000-memory.dmp

Filesize
1.1MB

Download
memory/3632-144-0x0000000000400000-0x0000000000517000-memory.dmp

Filesize
1.1MB

Download
memory/3632-142-0x00000000021D1000-0x00000000022A7000-memory.dmp

Filesize
856KB

Download
memory/3632-136-0x0000000000000000-mapping.dmp

Download
memory/4100-159-0x00000256CD7A0000-0x00000256CD9CA000-memory.dmp

Filesize
2.2MB

Download
memory/4100-158-0x00000000003B0000-0x00000000005C9000-memory.dmp

Filesize
2.1MB

Download
memory/4100-155-0x00000256CD650000-0x00000256CD790000-memory.dmp

Filesize
1.2MB

Download
memory/4100-156-0x00000256CD650000-0x00000256CD790000-memory.dmp

Filesize
1.2MB

Download
memory/4100-154-0x00007FF6A40C6890-mapping.dmp

Download
memory/4164-177-0x0000000000000000-mapping.dmp

Download
memory/4164-180-0x0000000003ED0000-0x00000000045F5000-memory.dmp

Filesize
7.1MB

Download
memory/4164-181-0x0000000003ED0000-0x00000000045F5000-memory.dmp

Filesize
7.1MB

Download
memory/4164-182-0x0000000003ED0000-0x00000000045F5000-memory.dmp

Filesize
7.1MB

Download