Overview

overview

10

Static

static

be102c9565...2a.exe

windows7-x64

10

be102c9565...2a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 19:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    be102c956532ace6f47db2cb6ecda04e16e075789ab901c0352405b517c57f2a.exe

  • Size

    215KB

  • MD5

    576dce20db5acd0597a24264bee12bf4

  • SHA1

    681fd5e94767cab6959e62329fb2aa30859e4890

  • SHA256

    be102c956532ace6f47db2cb6ecda04e16e075789ab901c0352405b517c57f2a

  • SHA512

    704183bb1541b396c1384bb7bea4248ffe9fdb966bd7a08d91af03d22ee395c93269ebf3f4b85855529929f324f50e6bc61aa4882a830f9fb0dcddc2bb6824cb

  • SSDEEP

    6144:KGSLyLSX6J5RKeJAo/hULP0q3QCjcbXF:KGS+GX6QeJAsC02QCYbXF

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 19 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\be102c956532ace6f47db2cb6ecda04e16e075789ab901c0352405b517c57f2a.exe
    "C:\Users\Admin\AppData\Local\Temp\be102c956532ace6f47db2cb6ecda04e16e075789ab901c0352405b517c57f2a.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2552
  • C:\Users\Admin\AppData\Local\Temp\D3DF.exe
    C:\Users\Admin\AppData\Local\Temp\D3DF.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2712
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4724
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3568
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2712 -s 556
      2⤵
      • Program crash
      PID:4544
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 2712 -ip 2712
    1⤵
      PID:4144
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:3896
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:4924
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\s_shared_multi_filetype.dll",Z0AnNQ==
            2⤵
              PID:1936

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.dll
            Filesize

            797KB

            MD5

            1cb382eebcc19d370a8c57ee8e50a72b

            SHA1

            280a7c57c09b77ef03e5d36b524378bd82552dc1

            SHA256

            2e2f528c0fdee8c0e0fe761d9dbb0dafd0d3d4149fffef2c7d6dc4d0d1a58665

            SHA512

            4e7e80dfc62c497766f472c76b767a7dcc858cf1c49e0558f48717ba00218b10d132004af72c7d7a844946c9a701ee032ed3dab94436582bdf95d9922ee99f92

            Download Submit

          • C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.dll
            Filesize

            797KB

            MD5

            1cb382eebcc19d370a8c57ee8e50a72b

            SHA1

            280a7c57c09b77ef03e5d36b524378bd82552dc1

            SHA256

            2e2f528c0fdee8c0e0fe761d9dbb0dafd0d3d4149fffef2c7d6dc4d0d1a58665

            SHA512

            4e7e80dfc62c497766f472c76b767a7dcc858cf1c49e0558f48717ba00218b10d132004af72c7d7a844946c9a701ee032ed3dab94436582bdf95d9922ee99f92

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Active.GRL
            Filesize

            14KB

            MD5

            fffde3df0d91311b7fe3f9bc8642a9ec

            SHA1

            50987906817aab51e2cc29fbce47ac5f0936a44e

            SHA256

            bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

            SHA512

            5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            cded3cea455a08d674e7e878382bc680

            SHA1

            014d2a1760a16d220fbb1094a6c3f31f6ac8f186

            SHA256

            74b77a9fbf6b7737a5b1429ba2a4be89ac771719560dcc628d1497816acf9a0a

            SHA512

            c6ac91b4716afd0b3eae2a1b2affce33a6f872f108c938edb753f79ef14c4e2620903dbe088c0fe2907aa307c8eb06a483b71fc94dedd55ba4cc6e75cab767a8

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            c9071346a316cdd3838ad44f7f7f52c5

            SHA1

            228247e8d12b60fa768107bf9465af69bcf69bea

            SHA256

            fe888e72d174cb5003d604105c4f964f63713143e5586518bec3280568d75bd2

            SHA512

            f03ce3c2cfdf45f5f7b1967fa8f3558095bea9dd68137b156824faf140135ae341c88ecf523b6bd7a0302225f9f114eaf749ff690f00ef44f70b5ff4a8fed507

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe.xml
            Filesize

            2KB

            MD5

            c8d6f0d26db52746e243b785c269cacd

            SHA1

            b06dc537fb0bbd424c0bb0c7a5ee0a85839e04f1

            SHA256

            d3352e34ef1b362934f938a2c2710261ca18c5e5e4922167a73539d945a95e21

            SHA512

            c674886978f91b35978544ad18ceb54aa7b2d8dfd8d9e0ddb752854ef211539e79a24d553d9a1a91c7e6711743e2bbd70c24611dac063c2d61379cc7f8ef3020

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
            Filesize

            827B

            MD5

            ded8a0ae2ade3e3cab8bfbfea00b969f

            SHA1

            73752c78795a78ef3b742ad41737959e6f51ee42

            SHA256

            ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85

            SHA512

            3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c.xml
            Filesize

            862B

            MD5

            c017cbd831d5fe3da5d63535c0a7cac9

            SHA1

            4266aab95f2a6988bf07637bf9591bb363f542b5

            SHA256

            ad263ad6a68bc9376a151f62188941748b467f82e9638fdfd937047e289edf6a

            SHA512

            f96a087201821c6299acb8d1e428a4d58ff9d31a1c5d9f20d24ff1e9e9e97aacdb31ca818d6c53caa0d7da4b3a48a54cf2a39259ed2d362f9aa082c065d6c40c

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2013BackupWin32.xml
            Filesize

            12KB

            MD5

            879dbf8cded6ac59df3fb0f32aa9eec6

            SHA1

            844be6baee27e23e5821491fc9532269b1143142

            SHA256

            3e0f02c2bd9c695d43963c9085e496ab42e7914bdc05f511d56442883c6c9687

            SHA512

            2d3be800531b56ea768c458fbcb2a563df27a2c981b6e0203dd98559eda4772c93588374b12b5a239de64e63f0b922556bcccd68a3ea4ffcbb8e53740a9e65ab

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.log
            Filesize

            64KB

            MD5

            950a765b75342020ecbff26deb862205

            SHA1

            33ac73e52fc7cc4f2f9b4606682371e23605c4a2

            SHA256

            d1b17e354889dc00d1ac3eb275b27d1fc8cadec10e5a2bc231cf01f07d703b6f

            SHA512

            369d758a487fb682563beda27e7ec964c8cda924a2f32dbec0c591dc7f637b19c7141d0f7579dc585db0fcc7fe80b601b64dc66d7c39e764f966dbde051c0765

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D3DF.exe
            Filesize

            1.1MB

            MD5

            f54e72ec43ba9b6d7dcb039cc2ad48f6

            SHA1

            4dd3e8194b67d5e594eee18101bee38a69d1343a

            SHA256

            106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

            SHA512

            50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D3DF.exe
            Filesize

            1.1MB

            MD5

            f54e72ec43ba9b6d7dcb039cc2ad48f6

            SHA1

            4dd3e8194b67d5e594eee18101bee38a69d1343a

            SHA256

            106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

            SHA512

            50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit

          • \??\c:\program files (x86)\windowspowershell\modules\s_shared_multi_filetype.dll
            Filesize

            797KB

            MD5

            1cb382eebcc19d370a8c57ee8e50a72b

            SHA1

            280a7c57c09b77ef03e5d36b524378bd82552dc1

            SHA256

            2e2f528c0fdee8c0e0fe761d9dbb0dafd0d3d4149fffef2c7d6dc4d0d1a58665

            SHA512

            4e7e80dfc62c497766f472c76b767a7dcc858cf1c49e0558f48717ba00218b10d132004af72c7d7a844946c9a701ee032ed3dab94436582bdf95d9922ee99f92

            Download Submit

          • memory/1936-172-0x0000000000000000-mapping.dmp

            Download

          • memory/1936-174-0x0000000004500000-0x0000000004C25000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/2552-132-0x0000000000608000-0x0000000000619000-memory.dmp

            Filesize

            68KB

            Download

          • memory/2552-135-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/2552-134-0x0000000000400000-0x000000000045D000-memory.dmp

            Filesize

            372KB

            Download

          • memory/2552-133-0x0000000002190000-0x0000000002199000-memory.dmp

            Filesize

            36KB

            Download

          • memory/2712-142-0x00000000021E0000-0x00000000022CE000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2712-136-0x0000000000000000-mapping.dmp

            Download

          • memory/2712-143-0x0000000002390000-0x00000000024C0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/2712-144-0x0000000000400000-0x0000000000531000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3568-153-0x0000022AF75E0000-0x0000022AF7720000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3568-156-0x00000000002B0000-0x00000000004C9000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/3568-157-0x0000022AF7730000-0x0000022AF795A000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/3568-155-0x0000022AF75E0000-0x0000022AF7720000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/3568-158-0x0000022AF7730000-0x0000022AF795A000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/3568-152-0x00007FF65D106890-mapping.dmp

            Download

          • memory/4724-151-0x00000000044C0000-0x0000000004600000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4724-149-0x00000000044C0000-0x0000000004600000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4724-148-0x00000000044C0000-0x0000000004600000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4724-146-0x00000000044C0000-0x0000000004600000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4724-147-0x00000000044C0000-0x0000000004600000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4724-145-0x0000000005770000-0x0000000005E95000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4724-150-0x00000000044C0000-0x0000000004600000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/4724-154-0x0000000004539000-0x000000000453B000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4724-139-0x0000000000000000-mapping.dmp

            Download

          • memory/4724-159-0x0000000005770000-0x0000000005E95000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4924-163-0x00000000039D0000-0x00000000040F5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/4924-171-0x00000000039D0000-0x00000000040F5000-memory.dmp

            Filesize

            7.1MB

            Download