Overview

overview

10

Static

static

10c740c522...21.exe

windows7-x64

10

10c740c522...21.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2022 18:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    10c740c5223c231638ce0698e795f6dfe44fffe25b694a7005efd72e30fe1a21.exe

  • Size

    306KB

  • MD5

    f7ea58fd88a74d2ae69347cff426747b

  • SHA1

    96de6d8700a1e8cf0cee0242799704f974ea94ee

  • SHA256

    10c740c5223c231638ce0698e795f6dfe44fffe25b694a7005efd72e30fe1a21

  • SHA512

    b7277938a9f425587e092a8d27065a429bca826d3a83409dbf0bbec6ae07ecbc8cdd1ad7c32ad8aeaf32277e41202662a64485a7e79b5c0ba8bb27ad74484727

  • SSDEEP

    6144:5CfALtfX0FlgFP8QN5ASLsCVf0iPvzpQ6rFiaI:5xxfXUm8QNWSL3hxnzpQ6rF

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 41 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 22 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\10c740c5223c231638ce0698e795f6dfe44fffe25b694a7005efd72e30fe1a21.exe
    "C:\Users\Admin\AppData\Local\Temp\10c740c5223c231638ce0698e795f6dfe44fffe25b694a7005efd72e30fe1a21.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1328
  • C:\Users\Admin\AppData\Local\Temp\F031.exe
    C:\Users\Admin\AppData\Local\Temp\F031.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:4680
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:4892
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2680 -s 528
      2⤵
      • Program crash
      PID:428
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2680 -ip 2680
    1⤵
      PID:3224
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:1372
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:744

        Network

        MITRE ATT&CK Enterprise v6

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files (x86)\WindowsPowerShell\Modules\natives_blob.dll
          Filesize

          797KB

          MD5

          29a13ea3665aa4a8794adc0c86579314

          SHA1

          0e9a38d0cddab5b8a826e8f995aa3040d6994d84

          SHA256

          51f3dd999bcd73125680094aa480798125ab2206651fdec26d80d9251d595264

          SHA512

          6edc10377cd60905072d35c1164a6c1dbbd76b093cc3c58762cbd5cddc6857d2646761a2132d5cbb9e5c4ac16e828da90ed24ae1bc049e8be0d489f5079adf98

          Download Submit

        • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\1527c705-839a-4832-9118-54d4Bd6a0c89_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
          Filesize

          2KB

          MD5

          d2d725a3c34b3597b164a038ec06085a

          SHA1

          52eb2334afeccafd46b205de0d2c7306cb7b7c8d

          SHA256

          01bc9a89105cebd77ff81b814f794a71cbccf40f4d3e663758e63e202f5e1f00

          SHA512

          6f23fc81a4a5308966892ef880048ff079aec5968af5d6fcc0315c05533d597865b0572d18e0368da4ff85c9136b87a4cb9e878bc28738a18025d576b5a3f306

          Download Submit

        • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
          Filesize

          2.3MB

          MD5

          f6086a433edaa413b2e81e4415553b00

          SHA1

          f941347ba0661cec1d93223f42fd048438ace8da

          SHA256

          1bfcad3ed5e0538a877ee4c590eaed22215a231fddd57a685dae9df877c9b8fe

          SHA512

          e9fe453fd262ecd8b2d9a4727d2ce7a27059091a055c384466020659595872f23d54fa5184a33d919d1a79c5b33266b728d5e2060a1cc55e90a5ac7402ecf67d

          Download Submit

        • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\settings.ico
          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\F031.exe
          Filesize

          1.1MB

          MD5

          f54e72ec43ba9b6d7dcb039cc2ad48f6

          SHA1

          4dd3e8194b67d5e594eee18101bee38a69d1343a

          SHA256

          106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

          SHA512

          50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\F031.exe
          Filesize

          1.1MB

          MD5

          f54e72ec43ba9b6d7dcb039cc2ad48f6

          SHA1

          4dd3e8194b67d5e594eee18101bee38a69d1343a

          SHA256

          106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

          SHA512

          50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
          Filesize

          797KB

          MD5

          24925b25552a7d8f1d3292071e545920

          SHA1

          f786e1d40df30f6fed0301d60c823b655f2d6eac

          SHA256

          9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

          SHA512

          242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
          Filesize

          797KB

          MD5

          24925b25552a7d8f1d3292071e545920

          SHA1

          f786e1d40df30f6fed0301d60c823b655f2d6eac

          SHA256

          9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

          SHA512

          242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

          Download Submit

        • \??\c:\program files (x86)\windowspowershell\modules\natives_blob.dll
          Filesize

          797KB

          MD5

          29a13ea3665aa4a8794adc0c86579314

          SHA1

          0e9a38d0cddab5b8a826e8f995aa3040d6994d84

          SHA256

          51f3dd999bcd73125680094aa480798125ab2206651fdec26d80d9251d595264

          SHA512

          6edc10377cd60905072d35c1164a6c1dbbd76b093cc3c58762cbd5cddc6857d2646761a2132d5cbb9e5c4ac16e828da90ed24ae1bc049e8be0d489f5079adf98

          Download Submit

        • memory/744-165-0x00000000039B0000-0x00000000040D5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/1328-135-0x0000000000858000-0x000000000086E000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1328-132-0x0000000000858000-0x000000000086E000-memory.dmp

          Filesize

          88KB

          Download

        • memory/1328-136-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/1328-134-0x0000000000400000-0x0000000000452000-memory.dmp

          Filesize

          328KB

          Download

        • memory/1328-133-0x00000000007F0000-0x00000000007F9000-memory.dmp

          Filesize

          36KB

          Download

        • memory/2680-137-0x0000000000000000-mapping.dmp

          Download

        • memory/2680-146-0x0000000000400000-0x0000000000531000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2680-142-0x0000000000400000-0x0000000000531000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2680-141-0x00000000022F0000-0x0000000002420000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/2680-140-0x0000000002063000-0x0000000002151000-memory.dmp

          Filesize

          952KB

          Download

        • memory/4680-149-0x00000000054B0000-0x00000000055F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4680-151-0x00000000054B0000-0x00000000055F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4680-143-0x0000000000000000-mapping.dmp

          Download

        • memory/4680-153-0x00000000054B0000-0x00000000055F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4680-154-0x00000000054B0000-0x00000000055F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4680-147-0x0000000004CC0000-0x00000000053E5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/4680-156-0x0000000005529000-0x000000000552B000-memory.dmp

          Filesize

          8KB

          Download

        • memory/4680-148-0x0000000004CC0000-0x00000000053E5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/4680-150-0x00000000054B0000-0x00000000055F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4680-161-0x0000000004CC0000-0x00000000053E5000-memory.dmp

          Filesize

          7.1MB

          Download

        • memory/4680-152-0x00000000054B0000-0x00000000055F0000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4892-158-0x0000016E4CBD0000-0x0000016E4CD10000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4892-160-0x0000016E4B200000-0x0000016E4B42A000-memory.dmp

          Filesize

          2.2MB

          Download

        • memory/4892-159-0x0000000000E30000-0x0000000001049000-memory.dmp

          Filesize

          2.1MB

          Download

        • memory/4892-157-0x0000016E4CBD0000-0x0000016E4CD10000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/4892-155-0x00007FF716906890-mapping.dmp

          Download