danabot | facc56faf6b94301117a3f72132e1c7e06e4852ae1ce89f584c19cd32db401f9

Analysis

max time kernel
146s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe
Size

307KB
MD5

ddf6f2c3455fb5f4738536262dd38afe
SHA1

f800d1f0f3b4de746a0663a13a4c8846b041404e
SHA256

489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55
SHA512

21ffe2954f3c2e42f4400dd3619c9632a8800812c8b9450c5594568ade56e3490b20f4aa0a8684bc53578daa637e7b42055c0771ff20d34e11b91e143899870a
SSDEEP

6144:Bl5ULz/YGW19tz8bG5geqDGO1oK/Fn77jcJ0iPvzpQ6rFiaI:BY3/YGk9mbG54DG4ocFnixnzpQ6rF

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3548-133-0x00000000006B0000-0x00000000006B9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

50 1788 rundll32.exe
52 1788 rundll32.exe
65 1788 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

F68A.exe

pid process

2004 F68A.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1788 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1788 set thread context of 4088 1788 rundll32.exe rundll32.exe

flow	pid	process
50	1788	rundll32.exe
52	1788	rundll32.exe
65	1788	rundll32.exe

pid	process
2004	F68A.exe

pid	process
1788	rundll32.exe

description	pid	process	target process
PID 1788 set thread context of 4088	1788	rundll32.exe	rundll32.exe

Drops file in Program Files directory 25 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\TrackedSend.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\64BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_received.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AXSLE.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-114x114-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\distribute_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_received.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\distribute_form.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2212 2004 WerFault.exe F68A.exe

pid	pid_target	process	target process
2212	2004	WerFault.exe	F68A.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe

Checks processor information in registry 2 TTPs 25 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000093556b95100054656d7000003a0009000400efbe21550a58935571952e0000000000000000000000000000000000000000000000000031695100540065006d007000000014000000
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2056

pid	process
2056

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe

pid	process
3548	489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe
3548	489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056
2056

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2056
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe

pid process

3548 489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe

pid	process
2056

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056
Token: SeShutdownPrivilege	2056
Token: SeCreatePagefilePrivilege	2056

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4088 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2056
2056

pid	process
4088	rundll32.exe

pid	process
2056
2056

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

F68A.exerundll32.exe

description	pid	process	target process
PID 2056 wrote to memory of 2004	2056		F68A.exe
PID 2056 wrote to memory of 2004	2056		F68A.exe
PID 2056 wrote to memory of 2004	2056		F68A.exe
PID 2004 wrote to memory of 1788	2004	F68A.exe	rundll32.exe
PID 2004 wrote to memory of 1788	2004	F68A.exe	rundll32.exe
PID 2004 wrote to memory of 1788	2004	F68A.exe	rundll32.exe
PID 1788 wrote to memory of 4088	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 4088	1788	rundll32.exe	rundll32.exe
PID 1788 wrote to memory of 4088	1788	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe
"C:\Users\Admin\AppData\Local\Temp\489437b24ecd011538918fbd80d3ad06dc2a2b63207dfe937bd3f6dcefe11a55.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3548

C:\Users\Admin\AppData\Local\Temp\F68A.exe
C:\Users\Admin\AppData\Local\Temp\F68A.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14150
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4088

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2004 -s 528
2⤵
- Program crash
PID:2212

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2004 -ip 2004
1⤵
PID:4540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2676

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4460

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\defaultid.dll",aSVETzRj
2⤵
PID:3328

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.dll

Filesize
797KB

MD5
7efc426434c4b7db21f689c553b14697

SHA1
8ffcd5555811ea7e2e759d346778c504525adfb4

SHA256
c9a9961b812fb88fbe1921143fe4b8a2c3e825a8cd8ee59a8d52e4c7ceb74cc0

SHA512
6387a4b4aa365714bc6122910589df128f7a16278aee2f872a988e3709cf3346200f85c6ada8cb3e6eeab1396339419c37b533067981844d1edb1df285a1df55

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\DefaultID.dll

Filesize
797KB

MD5
7efc426434c4b7db21f689c553b14697

SHA1
8ffcd5555811ea7e2e759d346778c504525adfb4

SHA256
c9a9961b812fb88fbe1921143fe4b8a2c3e825a8cd8ee59a8d52e4c7ceb74cc0

SHA512
6387a4b4aa365714bc6122910589df128f7a16278aee2f872a988e3709cf3346200f85c6ada8cb3e6eeab1396339419c37b533067981844d1edb1df285a1df55

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.office32ww.msi.16.x-none.xml

Filesize
331KB

MD5
b5cf5d15a8e6c6f2eb99a5645a2c2336

SHA1
7efe1b634ce1253a6761eb0c54f79dd42b79325f

SHA256
f3b3a6d7eafd8952d6c56b76d084cbc2617407b80e406488ca4961d4e905f38c

SHA512
83f15e9930ea058f8d3d7fe7eac40d85416204b65d7ce0e5b82057bc03f537d84c3c54ec6cc22b530f87a9c7d7d60742bd7bbe749d01454d9fcc32f6f99d32cf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
1KB

MD5
576aefa0d5cef530c59ff90625d60e25

SHA1
19be51d3942120e5474e0711592718da525eaa20

SHA256
f5b39bd24efbf27831061a34d1a78cea8f0073bfccade786129495f17cf2f112

SHA512
0d342bb21bb9651c0c36831718d9009af790bf808a9f38ec1788a06428d08d1299f4e215bd08e4912acc25d0f41ae95f3118019aa2811e89f35453b0ef8b32bf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
78aa6a83c53a1cf0017320c2dcccbb30

SHA1
8843ac8c4147763d29bb15d673dd8ba30b68b266

SHA256
ecd8480513275d6acd536b9e483d761097bc952beb202f42f9ee33f2ecb926a1

SHA512
4a1dd11e6e54acdf53e3bc29dcc3587106341c2deff511e07bb66679039328992e20f78a8efc9954b492479c0b44491d07b6e24a6d9571ffe509e941aa85bfe0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
78aa6a83c53a1cf0017320c2dcccbb30

SHA1
8843ac8c4147763d29bb15d673dd8ba30b68b266

SHA256
ecd8480513275d6acd536b9e483d761097bc952beb202f42f9ee33f2ecb926a1

SHA512
4a1dd11e6e54acdf53e3bc29dcc3587106341c2deff511e07bb66679039328992e20f78a8efc9954b492479c0b44491d07b6e24a6d9571ffe509e941aa85bfe0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
843B

MD5
8a33c96712ba9c043f7a07d4c437a3fd

SHA1
dbd78a66c461017ee26a751925f9cecdea2590da

SHA256
eb8b0de59dd2efc380f7081af8975f37a83ee72c9c06ef25873f63d224adea1e

SHA512
7b9a15d219e4a5cd9146f8e7ae1d7c3b6f843ed060edf52e4928e349edd821a2d527f8f8402f774559f6cf282c83b751f02d2feaf9e040771c07bc4038a59e5a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
827B

MD5
ded8a0ae2ade3e3cab8bfbfea00b969f

SHA1
73752c78795a78ef3b742ad41737959e6f51ee42

SHA256
ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85

SHA512
3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
27KB

MD5
1cef1a17af19cd221b168384320770e5

SHA1
1b694f2e2c2f87becfd9d4d1b271843c928dbfc4

SHA256
cf103015c20fbe6aebd3b83104eb034f2ff6e40187296a5a7e71a9f77013294b

SHA512
61a7f84dc4970a564056407549bc3664bf67d18a93f86a2be73ea39d8fb5d7007bb7531d881e516196c5139c1c5f67d7b602d0b26dfd1f13ebba7e90e3b8c377

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.P-ARIA-af397ef28e484961ba48646a5d38cf54-77418283-d6f6-4a90-b0c8-37e0f5e7b087-7425.json

Filesize
121B

MD5
656d587b76da4f43efb839ef9a83026e

SHA1
daf648eb7f98cfcec644be29d92c1990c1e56b2c

SHA256
e02fa7cef7c82a24fdcb99658cc8522ba93d7cffb2abffd7f2c633835a968e7d

SHA512
19251a2c09553896a67eac9afee213fd400c436661997de859df6960194a19a728ec0aa1ea11ca1095bd7fde4cc6142ac4973d6d4d600172372f25d6e8031ac7

Download Submit
C:\Users\Admin\AppData\Local\Temp\F68A.exe

Filesize
1.1MB

MD5
f54e72ec43ba9b6d7dcb039cc2ad48f6

SHA1
4dd3e8194b67d5e594eee18101bee38a69d1343a

SHA256
106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

SHA512
50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F68A.exe

Filesize
1.1MB

MD5
f54e72ec43ba9b6d7dcb039cc2ad48f6

SHA1
4dd3e8194b67d5e594eee18101bee38a69d1343a

SHA256
106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

SHA512
50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\defaultid.dll

Filesize
797KB

MD5
7efc426434c4b7db21f689c553b14697

SHA1
8ffcd5555811ea7e2e759d346778c504525adfb4

SHA256
c9a9961b812fb88fbe1921143fe4b8a2c3e825a8cd8ee59a8d52e4c7ceb74cc0

SHA512
6387a4b4aa365714bc6122910589df128f7a16278aee2f872a988e3709cf3346200f85c6ada8cb3e6eeab1396339419c37b533067981844d1edb1df285a1df55

Download Submit
memory/1788-176-0x0000000005450000-0x0000000005590000-memory.dmp

Filesize
1.2MB

Download
memory/1788-175-0x0000000005450000-0x0000000005590000-memory.dmp

Filesize
1.2MB

Download
memory/1788-173-0x0000000005450000-0x0000000005590000-memory.dmp

Filesize
1.2MB

Download
memory/1788-172-0x0000000005450000-0x0000000005590000-memory.dmp

Filesize
1.2MB

Download
memory/1788-171-0x0000000005450000-0x0000000005590000-memory.dmp

Filesize
1.2MB

Download
memory/1788-169-0x0000000004BD0000-0x00000000052F5000-memory.dmp

Filesize
7.1MB

Download
memory/1788-170-0x0000000004BD0000-0x00000000052F5000-memory.dmp

Filesize
7.1MB

Download
memory/1788-174-0x0000000005450000-0x0000000005590000-memory.dmp

Filesize
1.2MB

Download
memory/1788-183-0x0000000004BD0000-0x00000000052F5000-memory.dmp

Filesize
7.1MB

Download
memory/1788-160-0x0000000000000000-mapping.dmp

Download
memory/1788-180-0x00000000054C9000-0x00000000054CB000-memory.dmp

Filesize
8KB

Download
memory/2004-165-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2004-157-0x0000000000000000-mapping.dmp

Download
memory/2004-163-0x0000000002151000-0x000000000223F000-memory.dmp

Filesize
952KB

Download
memory/2004-164-0x00000000023E0000-0x0000000002510000-memory.dmp

Filesize
1.2MB

Download
memory/2056-149-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-138-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-155-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/2056-154-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2056-166-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/2056-167-0x0000000002AC0000-0x0000000002AD0000-memory.dmp

Filesize
64KB

Download
memory/2056-168-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2056-153-0x0000000002AA0000-0x0000000002AB0000-memory.dmp

Filesize
64KB

Download
memory/2056-152-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-151-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-150-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-136-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-148-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-147-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-146-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-137-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-156-0x0000000002AD0000-0x0000000002AE0000-memory.dmp

Filesize
64KB

Download
memory/2056-139-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-145-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-140-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-141-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-144-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-143-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/2056-142-0x0000000002A90000-0x0000000002AA0000-memory.dmp

Filesize
64KB

Download
memory/3328-195-0x0000000000000000-mapping.dmp

Download
memory/3328-199-0x0000000004A90000-0x00000000051B5000-memory.dmp

Filesize
7.1MB

Download
memory/3328-198-0x0000000004A90000-0x00000000051B5000-memory.dmp

Filesize
7.1MB

Download
memory/3548-132-0x0000000000708000-0x000000000071E000-memory.dmp

Filesize
88KB

Download
memory/3548-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3548-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3548-133-0x00000000006B0000-0x00000000006B9000-memory.dmp

Filesize
36KB

Download
memory/4088-178-0x00000269A5450000-0x00000269A5590000-memory.dmp

Filesize
1.2MB

Download
memory/4088-177-0x00007FF6F10D6890-mapping.dmp

Download
memory/4088-182-0x00000269A3A80000-0x00000269A3CAA000-memory.dmp

Filesize
2.2MB

Download
memory/4088-179-0x00000269A5450000-0x00000269A5590000-memory.dmp

Filesize
1.2MB

Download
memory/4088-181-0x00000000007B0000-0x00000000009C9000-memory.dmp

Filesize
2.1MB

Download
memory/4460-196-0x0000000004000000-0x0000000004725000-memory.dmp

Filesize
7.1MB

Download
memory/4460-187-0x0000000004000000-0x0000000004725000-memory.dmp

Filesize
7.1MB

Download