danabot | 1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650

Analysis

max time kernel
144s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
19-12-2022 19:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe
Size

304KB
MD5

4ac59181a0ee5c6ee04a59a34ca8094e
SHA1

a0a5d7bdb66c114d69b1f6737e42bdee9d6aec7a
SHA256

1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650
SHA512

d08e6cff11c3df1febf9be47a3b07548d4c045546813a9623872cb60faf942b68f656b9fcb9be72146c11c3ee1c48ef5ebde179a6d3241fd7169a9799c111961
SSDEEP

6144:5LdY8AWV18l6I3B9z+3ng+E49HwchLP3i:5u8A4Q6I3BlwnVZH9P3

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2240-133-0x00000000005F0000-0x00000000005F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

39 4448 rundll32.exe
55 4448 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

C2A9.exe

pid process

2476 C2A9.exe

flow	pid	process
39	4448	rundll32.exe
55	4448	rundll32.exe

pid	process
2476	C2A9.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_filetype_xd\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\s_filetype_xd.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\s_filetype_xd\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

4448 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4448 set thread context of 3392 4448 rundll32.exe rundll32.exe

pid	process
4448	rundll32.exe

description	pid	process	target process
PID 4448 set thread context of 3392	4448	rundll32.exe	rundll32.exe

Drops file in Program Files directory 20 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\COPYING.LGPLv2.1.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\StorageConnectors.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AXSLE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\back-arrow-disabled.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\back-arrow-disabled.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Microsoft.VCLibs.x86.14.00.appx	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\COPYING.LGPLv2.1.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\StorageConnectors.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.VCLibs.x86.14.00.appx	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3564 2476 WerFault.exe C2A9.exe

pid	pid_target	process	target process
3564	2476	WerFault.exe	C2A9.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe

Checks processor information in registry 2 TTPs 19 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e00310000000000935532a7100054656d7000003a0009000400efbe6b55586c935538a72e00000000000000000000000000000000000000000000000000fc021c00540065006d007000000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2680

pid	process
2680

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe

pid	process
2240	1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe
2240	1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680
2680

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2680
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe

pid process

2240 1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe

pid	process
2680

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680
Token: SeShutdownPrivilege	2680
Token: SeCreatePagefilePrivilege	2680

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3392 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2680
2680

pid	process
3392	rundll32.exe

pid	process
2680
2680

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

C2A9.exerundll32.exe

description	pid	process	target process
PID 2680 wrote to memory of 2476	2680		C2A9.exe
PID 2680 wrote to memory of 2476	2680		C2A9.exe
PID 2680 wrote to memory of 2476	2680		C2A9.exe
PID 2476 wrote to memory of 4448	2476	C2A9.exe	rundll32.exe
PID 2476 wrote to memory of 4448	2476	C2A9.exe	rundll32.exe
PID 2476 wrote to memory of 4448	2476	C2A9.exe	rundll32.exe
PID 4448 wrote to memory of 3392	4448	rundll32.exe	rundll32.exe
PID 4448 wrote to memory of 3392	4448	rundll32.exe	rundll32.exe
PID 4448 wrote to memory of 3392	4448	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe
"C:\Users\Admin\AppData\Local\Temp\1fa0e4fb0da07e924666aa1f93a917cc3e1fdec01fdc2c2a5f8abab4472ae650.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2240

C:\Users\Admin\AppData\Local\Temp\C2A9.exe
C:\Users\Admin\AppData\Local\Temp\C2A9.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4448

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3392

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 528
2⤵
- Program crash
PID:3564

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2476 -ip 2476
1⤵
PID:4260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3952

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:1336

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\s_filetype_xd.dll",JA4WNW5uRjM=
2⤵
PID:3592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.dll

Filesize
797KB

MD5
29a13ea3665aa4a8794adc0c86579314

SHA1
0e9a38d0cddab5b8a826e8f995aa3040d6994d84

SHA256
51f3dd999bcd73125680094aa480798125ab2206651fdec26d80d9251d595264

SHA512
6edc10377cd60905072d35c1164a6c1dbbd76b093cc3c58762cbd5cddc6857d2646761a2132d5cbb9e5c4ac16e828da90ed24ae1bc049e8be0d489f5079adf98

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.dll

Filesize
797KB

MD5
29a13ea3665aa4a8794adc0c86579314

SHA1
0e9a38d0cddab5b8a826e8f995aa3040d6994d84

SHA256
51f3dd999bcd73125680094aa480798125ab2206651fdec26d80d9251d595264

SHA512
6edc10377cd60905072d35c1164a6c1dbbd76b093cc3c58762cbd5cddc6857d2646761a2132d5cbb9e5c4ac16e828da90ed24ae1bc049e8be0d489f5079adf98

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xml

Filesize
14KB

MD5
cc78ff3a9bbf1967185797f3eac2090a

SHA1
80204fdfac8110dddc7e5c59ada69feef33a0614

SHA256
7afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3

SHA512
5ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.officemuiset.msi.16.en-us.xml

Filesize
1KB

MD5
576aefa0d5cef530c59ff90625d60e25

SHA1
19be51d3942120e5474e0711592718da525eaa20

SHA256
f5b39bd24efbf27831061a34d1a78cea8f0073bfccade786129495f17cf2f112

SHA512
0d342bb21bb9651c0c36831718d9009af790bf808a9f38ec1788a06428d08d1299f4e215bd08e4912acc25d0f41ae95f3118019aa2811e89f35453b0ef8b32bf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
78b9b946cb15bf3c35ff539ea348d4b1

SHA1
b54c3c91392d7099dff6cd412dcc908e7701e559

SHA256
8ee63fc3535ddb98a094a536825513754cb1e1cd5071214365d098f0e9f039f6

SHA512
135050005269a276d37c89256b2a28f71645f58f6fe4a0a66885f11ca67e15b622879cc473dd5661cc11e1825276a936fab444d54670ca28933a6654cb1efc5c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
78b9b946cb15bf3c35ff539ea348d4b1

SHA1
b54c3c91392d7099dff6cd412dcc908e7701e559

SHA256
8ee63fc3535ddb98a094a536825513754cb1e1cd5071214365d098f0e9f039f6

SHA512
135050005269a276d37c89256b2a28f71645f58f6fe4a0a66885f11ca67e15b622879cc473dd5661cc11e1825276a936fab444d54670ca28933a6654cb1efc5c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
6c2429d1fdb4a93ebca14340b9fb8fb7

SHA1
e757fc9e129850598fff1931d496fb7c7b21d4d6

SHA256
52b30a2b9d6a5c18dd585e3efe81688611b45f649e4e4e2c0543eaaf473f5285

SHA512
bae2b99779cc2ec27a7fcf132ba66bb698c78b01048630fa22116fda906389be66458523efb9634976455b4063f3002ee781eabdf4abfb78ee295ae74927b228

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftEdgeDevToolsClient_1000.19041.1023.0_neutral_neutral_8wekyb3d8bbwe.xml

Filesize
1KB

MD5
cf0330a44354655f192bc5f1976564e5

SHA1
d993f0dbfdb68552bbf3381d07fb2b26b79e16aa

SHA256
9727e4d3cf3fcc5dcc364cd990f41a4be98d227b0ce975fa97cef0ef8eaa5b78

SHA512
36aeacbb9b0d6ed2a51d23376ab6e583c258c128bf3de0069523441dda98a68a65592792ebd883a7ea8f21768da91c9826a4551cf9e02c01480110941b6e401a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\UserDeploymentConfiguration.xml

Filesize
614B

MD5
54cec4437128f703c259efb3dc734386

SHA1
9b15ebe33a771a7e12cd966fd8b583da06914015

SHA256
d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4

SHA512
c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml

Filesize
1KB

MD5
1d3eb6efb2054c0f8c6dfcc90af00e4e

SHA1
452b9ea9cfbf42179a4e344e38ebad3a7179ead7

SHA256
8fe6157bec03efbc921905d0df8f6f9f4432323f1244fc380ea404d5d0e2c95e

SHA512
a0aefd1bf5bc0b275fbba3af7d06c672d82f3c7b40046f3f11515c6f3467f704d668985816f31f97a64e16c8c1112d78ea1f277e9001a3ef4d65df626544fcaf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\utc.tracing.json

Filesize
41B

MD5
15d46171ae3e6edc8839a02bbdb326a3

SHA1
c618c841e768a2a2cec2d35184951011fa58cec5

SHA256
65961d7a83a876885a76d0afba18b9d4e516f784faea0fa8aa3cd800adec26ac

SHA512
9cecf542993b5469093e1227a3a414afde89e8d0111f4855cc9b99b13ff2628bf27cdd0d444aa29c5874a81c0954bdfc9fb730c072857a51875b46f0a68790a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2A9.exe

Filesize
1.1MB

MD5
0632c99ab43231f1f8b7c7f6bc8e30d8

SHA1
ea284fc244536dd7f1ef4990879a554cd1375671

SHA256
b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1

SHA512
56dc4e12f80d175901acf8be0d3fa9512ce581774caaa6593a49b1369219022ebfa098e1ba47930f7619174f7afa4b0155bcac4d83162841b40899458cd1c643

Download Submit
C:\Users\Admin\AppData\Local\Temp\C2A9.exe

Filesize
1.1MB

MD5
0632c99ab43231f1f8b7c7f6bc8e30d8

SHA1
ea284fc244536dd7f1ef4990879a554cd1375671

SHA256
b3a1633cf2b87e4084d7c61a92a36c8c5fca4c926a7eed0916653712618033b1

SHA512
56dc4e12f80d175901acf8be0d3fa9512ce581774caaa6593a49b1369219022ebfa098e1ba47930f7619174f7afa4b0155bcac4d83162841b40899458cd1c643

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\s_filetype_xd.dll

Filesize
797KB

MD5
29a13ea3665aa4a8794adc0c86579314

SHA1
0e9a38d0cddab5b8a826e8f995aa3040d6994d84

SHA256
51f3dd999bcd73125680094aa480798125ab2206651fdec26d80d9251d595264

SHA512
6edc10377cd60905072d35c1164a6c1dbbd76b093cc3c58762cbd5cddc6857d2646761a2132d5cbb9e5c4ac16e828da90ed24ae1bc049e8be0d489f5079adf98

Download Submit
memory/836-178-0x0000000000000000-mapping.dmp

Download
memory/1336-164-0x00000000031B0000-0x00000000038D5000-memory.dmp

Filesize
7.1MB

Download
memory/1336-163-0x00000000031B0000-0x00000000038D5000-memory.dmp

Filesize
7.1MB

Download
memory/2240-132-0x0000000000648000-0x000000000065E000-memory.dmp

Filesize
88KB

Download
memory/2240-135-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2240-134-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2240-133-0x00000000005F0000-0x00000000005F9000-memory.dmp

Filesize
36KB

Download
memory/2476-143-0x0000000002350000-0x0000000002480000-memory.dmp

Filesize
1.2MB

Download
memory/2476-144-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2476-136-0x0000000000000000-mapping.dmp

Download
memory/2476-141-0x00000000020CD000-0x00000000021BB000-memory.dmp

Filesize
952KB

Download
memory/3392-158-0x000001E608C80000-0x000001E608EAA000-memory.dmp

Filesize
2.2MB

Download
memory/3392-156-0x000001E60A4C0000-0x000001E60A600000-memory.dmp

Filesize
1.2MB

Download
memory/3392-155-0x000001E60A4C0000-0x000001E60A600000-memory.dmp

Filesize
1.2MB

Download
memory/3392-154-0x00007FF742D76890-mapping.dmp

Download
memory/3392-157-0x00000000007F0000-0x0000000000A09000-memory.dmp

Filesize
2.1MB

Download
memory/3592-177-0x00000000049E0000-0x0000000005105000-memory.dmp

Filesize
7.1MB

Download
memory/3592-176-0x00000000049E0000-0x0000000005105000-memory.dmp

Filesize
7.1MB

Download
memory/3592-174-0x0000000000000000-mapping.dmp

Download
memory/4448-150-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4448-148-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4448-147-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4448-146-0x0000000005EC0000-0x00000000065E5000-memory.dmp

Filesize
7.1MB

Download
memory/4448-145-0x0000000005EC0000-0x00000000065E5000-memory.dmp

Filesize
7.1MB

Download
memory/4448-149-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4448-151-0x0000000004C89000-0x0000000004C8B000-memory.dmp

Filesize
8KB

Download
memory/4448-139-0x0000000000000000-mapping.dmp

Download
memory/4448-152-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4448-153-0x0000000004C10000-0x0000000004D50000-memory.dmp

Filesize
1.2MB

Download
memory/4448-159-0x0000000005EC0000-0x00000000065E5000-memory.dmp

Filesize
7.1MB

Download