danabot | b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 19:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe
Size

1.1MB
MD5

0632c99ab43231f1f8b7c7f6bc8e30d8
SHA1

ea284fc244536dd7f1ef4990879a554cd1375671
SHA256

b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1
SHA512

56dc4e12f80d175901acf8be0d3fa9512ce581774caaa6593a49b1369219022ebfa098e1ba47930f7619174f7afa4b0155bcac4d83162841b40899458cd1c643
SSDEEP

24576:hqWuDPN+TiDuI5YjWNLsWU+ZeUCzhaaaQpGwFP:Ici0jaLelVEnQpxFP

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

3 4716 rundll32.exe
4 4716 rundll32.exe
47 4716 rundll32.exe
49 4716 rundll32.exe

flow	pid	process
3	4716	rundll32.exe
4	4716	rundll32.exe
47	4716	rundll32.exe
49	4716	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AiodLite\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\AiodLite.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\AiodLite\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4716 rundll32.exe
4684 svchost.exe
2252 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4716	rundll32.exe
4684	svchost.exe
2252	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4716 set thread context of 2168 4716 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4716 set thread context of 2168	4716	rundll32.exe	rundll32.exe

Drops file in Program Files directory 20 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\init.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\manifest.json	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\SignHere.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\init.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-hover.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\VisualElements_70.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\snapshot_blob.bin	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-hover.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\SignHere.pdf	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\clearkey.dll.sig	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l1-2-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\manifest.json	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hi.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1652 4816 WerFault.exe b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe

pid	pid_target	process	target process
1652	4816	WerFault.exe	b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exerundll32.exesvchost.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F93301E313A53A3B3782D7E95BF594D1694F48E6\Blob = 030000000100000014000000f93301e313a53a3b3782d7e95bf594d1694f48e620000000010000006a02000030820266308201cfa00302010202087310e35e199e8244300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656e6169636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3230313231393230343233345a170d3234313231383230343233345a30503132303006035504030c294d6963726f736f66742041757468656e6169636f646528746d2920526f6f7420417574686f72697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100c3e6f70df43ea67e91da3fc33d6d179a40cdadd04c0d1f8f0d747094bdc1c0c756c38cefe5e5553391448c9f6bad3fb877c36ab0044ec4008b473e112d454cf4b9a772dd9dc56bd2b18e33bf181a4c2a39e0dda02d67e5611270e37d10024deb74d9f37558cd5499eb79e5b5a981e12888e8cc1f8700a01ca04b8380e88b9c210203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f66742041757468656e6169636f646528746d2920526f6f7420417574686f72697479300d06092a864886f70d01010b050003818100a37b8d63050679b7e41ac8b8978bbd741dbd40ddf029d541a3b6344e34ee500200afa91b7d35f5e9ae3e90e36ef4c25c13ece42b846b13b471a982b8ac70cd735864d59a17f22f933e259d7770d178708f0aac9dbdc53376e4df807239984fad070c335de27233e38fa8c096cbe5f8323119ff4f67d693fdb6a276ffd12d5da5	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\F93301E313A53A3B3782D7E95BF594D1694F48E6	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
4684	svchost.exe
4684	svchost.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4716	rundll32.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe
4684	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4716 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

2168 rundll32.exe
4716 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4716	rundll32.exe

pid	process
2168	rundll32.exe
4716	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4816 wrote to memory of 4716	4816	b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe	rundll32.exe
PID 4816 wrote to memory of 4716	4816	b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe	rundll32.exe
PID 4816 wrote to memory of 4716	4816	b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe	rundll32.exe
PID 4716 wrote to memory of 2168	4716	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 2168	4716	rundll32.exe	rundll32.exe
PID 4716 wrote to memory of 2168	4716	rundll32.exe	rundll32.exe
PID 4684 wrote to memory of 2252	4684	svchost.exe	rundll32.exe
PID 4684 wrote to memory of 2252	4684	svchost.exe	rundll32.exe
PID 4684 wrote to memory of 2252	4684	svchost.exe	rundll32.exe
PID 4716 wrote to memory of 456	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 456	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 456	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3276	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3276	4716	rundll32.exe	schtasks.exe
PID 4716 wrote to memory of 3276	4716	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe
"C:\Users\Admin\AppData\Local\Temp\b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4816

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4716

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:2168

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:456

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3276

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 532
2⤵
- Program crash
PID:1652

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4816 -ip 4816
1⤵
PID:2000

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4240

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\aiodlite.dll",jERIVQ==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:2252

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll

Filesize
797KB

MD5
5e580baa9ac7d2dc073b06731c20e221

SHA1
81801f2b36c5773e10a483ed238afe3f17aba6b8

SHA256
aee09601d5a6327caabcd1ec8911373e7ef0c74fcae2153a46b392aba86ef41d

SHA512
346a8caf6d940da8a116592ea22a94da09573d36369f1eb91753bda30ef370250b70b03768d744b8366493f41015b119909e794e2d6e5adcef947b5a9aa8f0f8

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll

Filesize
797KB

MD5
5e580baa9ac7d2dc073b06731c20e221

SHA1
81801f2b36c5773e10a483ed238afe3f17aba6b8

SHA256
aee09601d5a6327caabcd1ec8911373e7ef0c74fcae2153a46b392aba86ef41d

SHA512
346a8caf6d940da8a116592ea22a94da09573d36369f1eb91753bda30ef370250b70b03768d744b8366493f41015b119909e794e2d6e5adcef947b5a9aa8f0f8

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
158B

MD5
dd8778eda0b96d5d71716fbb50300293

SHA1
17b3a49fe039ef5c930801c3a77922b30a61ee69

SHA256
61e06f4deff92e80d1605cb17a0c83604ac6cdb72fb3d4b1e3d0eb7e7bbbf4a0

SHA512
4efee799ddfb3d98a6b402aebed2ec79cfbd1cab200bfad1f95af432b91ce11e0404cd1cdf9f5a46324757c135928cb0ce42197c3021ae506ac6dd047127491b

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
10KB

MD5
3ef69b2c0f15e6b97fca1141bc9beb9a

SHA1
421916704e31978eb77421161bb170003a83c1a2

SHA256
f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc

SHA512
cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
dc6cb0613948a2e9f1d62b1b509c0b1b

SHA1
a336cef6589cdf6630fdc3dc07566ac70dcae8a5

SHA256
5b1f4db87a730d82fda4a6878fe362a71be9b4e86a610a478182e1b5f2d723f8

SHA512
7c261aa6ca11cc87f633e3a308e881d0abfa85132916a028687ad5d1f8e30e3825d2514478efbfdef3b624da7936b6d112702cc76b312b04289630cc57f1846d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
15KB

MD5
c73eeb9dedd94a612969e003260e6341

SHA1
0451277183bad12e3179c12c0a14694fab52bc8d

SHA256
1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355

SHA512
d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\aiodlite.dll

Filesize
797KB

MD5
5e580baa9ac7d2dc073b06731c20e221

SHA1
81801f2b36c5773e10a483ed238afe3f17aba6b8

SHA256
aee09601d5a6327caabcd1ec8911373e7ef0c74fcae2153a46b392aba86ef41d

SHA512
346a8caf6d940da8a116592ea22a94da09573d36369f1eb91753bda30ef370250b70b03768d744b8366493f41015b119909e794e2d6e5adcef947b5a9aa8f0f8

Download Submit
memory/456-164-0x0000000000000000-mapping.dmp

Download
memory/2168-148-0x000002719BB40000-0x000002719BC80000-memory.dmp

Filesize
1.2MB

Download
memory/2168-146-0x00007FF662C46890-mapping.dmp

Download
memory/2168-147-0x000002719BB40000-0x000002719BC80000-memory.dmp

Filesize
1.2MB

Download
memory/2168-149-0x0000000000EC0000-0x00000000010D9000-memory.dmp

Filesize
2.1MB

Download
memory/2168-150-0x000002719A150000-0x000002719A37A000-memory.dmp

Filesize
2.2MB

Download
memory/2252-159-0x0000000000000000-mapping.dmp

Download
memory/2252-163-0x0000000004620000-0x0000000004D45000-memory.dmp

Filesize
7.1MB

Download
memory/2252-162-0x0000000004620000-0x0000000004D45000-memory.dmp

Filesize
7.1MB

Download
memory/3276-165-0x0000000000000000-mapping.dmp

Download
memory/4684-155-0x0000000003B40000-0x0000000004265000-memory.dmp

Filesize
7.1MB

Download
memory/4684-161-0x0000000003B40000-0x0000000004265000-memory.dmp

Filesize
7.1MB

Download
memory/4684-166-0x0000000003B40000-0x0000000004265000-memory.dmp

Filesize
7.1MB

Download
memory/4716-143-0x0000000004D80000-0x0000000004EC0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-142-0x0000000004D80000-0x0000000004EC0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-139-0x0000000005140000-0x0000000005865000-memory.dmp

Filesize
7.1MB

Download
memory/4716-138-0x0000000005140000-0x0000000005865000-memory.dmp

Filesize
7.1MB

Download
memory/4716-151-0x0000000005140000-0x0000000005865000-memory.dmp

Filesize
7.1MB

Download
memory/4716-140-0x0000000004D80000-0x0000000004EC0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-132-0x0000000000000000-mapping.dmp

Download
memory/4716-145-0x0000000004D80000-0x0000000004EC0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-144-0x0000000004D80000-0x0000000004EC0000-memory.dmp

Filesize
1.2MB

Download
memory/4716-141-0x0000000004D80000-0x0000000004EC0000-memory.dmp

Filesize
1.2MB

Download
memory/4816-136-0x0000000002400000-0x0000000002530000-memory.dmp

Filesize
1.2MB

Download
memory/4816-137-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/4816-135-0x000000000230B000-0x00000000023F9000-memory.dmp

Filesize
952KB

Download