danabot | 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb

Analysis

max time kernel
149s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 23:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe
Size

1.1MB
MD5

cefdeeedeae94644485f2f7b17479059
SHA1

98875840acd3da6fd699b3b8b96aa3cfa1796580
SHA256

57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb
SHA512

f52f8484a03dcf4d57e6f43ce46effa301ae5ab580000cd03a6d6587678c1c3a6b6ed9e289d915e342e506aa9ea46e66eec039a0db2f82d53d020bf33bb8f6c4
SSDEEP

12288:PSnF2P2yBuTM2Hc0jRlXzSw29b7E3uhpmHuibF6Uado5tmA8Kr84go6Iw85UCR4B:3P1cMCJjnf2R7HpswkFr8vh6R4nepu

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 1360 rundll32.exe
11 1360 rundll32.exe
41 1360 rundll32.exe
43 1360 rundll32.exe

flow	pid	process
10	1360	rundll32.exe
11	1360	rundll32.exe
41	1360	rundll32.exe
43	1360	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DirectInk\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\DirectInk.dll␀"	rundll32.exe

Sets service image path in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DirectInk\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\DirectInk\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService\uff00"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1360 rundll32.exe
3012 svchost.exe
4784 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1360	rundll32.exe
3012	svchost.exe
4784	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1360 set thread context of 3664 1360 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1360 set thread context of 3664	1360	rundll32.exe	rundll32.exe

Drops file in Program Files directory 49 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Close.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-114x114-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\InAppSign.aapp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\32BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-utility-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons_retina.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-114x114-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tr.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\AdobePDF417.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_agreement_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\base_uris.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icucnv40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_agreement_filetype.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PDFPrevHndlr.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\base_uris.js	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons_retina.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tr.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-runtime-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\application.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_Full.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\Close.png	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2164 4732 WerFault.exe 57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe

pid	pid_target	process	target process
2164	4732	WerFault.exe	57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F30B84338561702A9D7278F959A89E07BA89C6C\Blob = 0300000001000000140000008f30b84338561702a9d7278f959a89e07ba89c6c20000000010000006a02000030820266308201cfa00302010202084f54a6192c1be733300d06092a864886f70d01010b050030503132303006035504030c294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f61697479310d300b060355040a0c044d534654310b3009060355040613025553301e170d3230313232313030323232365a170d3234313232303030323232365a30503132303006035504030c294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f61697479310d300b060355040a0c044d534654310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100ba359af0bbad8d5fdbbafcb9b29ee95f10452d38fd84cad9e477ecc0b2ae4d3bfaec285f8c6c93398c08fe52ba6366eddaa4520ffca658c8e51417b88500bd1262513bcffab345e5793dee3334134f6461e942df794073a6bf7aaecd0a85f90a6b5d2a4684ec14e21f8a4e2c00f4e155e83e8cdfb5eeffc3cae49de3f30cc7250203010001a3493047300f0603551d130101ff040530030101ff30340603551d11042d302b82294d6963726f736f66742041757468656e7469636f646528746d2920526f6f7420417574686f61697479300d06092a864886f70d01010b0500038181007f85579461a482d6fff7eed496b5d2e8f23cefdc9775ba7bd72928c9a2457620f97052820b6471b4c7cb7f388373d6eed0327bb530ddf79f66bfc3f261446a4facf26258ea60e29fa66223904e6ec450163e88e89a1f33324e370f1bd8c289e4dbe2307e2f4f8131f1a074153bb66e8d52c84b34be67e90a91f011bdc50791fa	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\8F30B84338561702A9D7278F959A89E07BA89C6C	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3012	svchost.exe
3012	svchost.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
1360	rundll32.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe
3012	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1360 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3664 rundll32.exe
1360 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1360	rundll32.exe

pid	process
3664	rundll32.exe
1360	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4732 wrote to memory of 1360	4732	57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe	rundll32.exe
PID 4732 wrote to memory of 1360	4732	57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe	rundll32.exe
PID 4732 wrote to memory of 1360	4732	57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe	rundll32.exe
PID 1360 wrote to memory of 3664	1360	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 3664	1360	rundll32.exe	rundll32.exe
PID 1360 wrote to memory of 3664	1360	rundll32.exe	rundll32.exe
PID 3012 wrote to memory of 4784	3012	svchost.exe	rundll32.exe
PID 3012 wrote to memory of 4784	3012	svchost.exe	rundll32.exe
PID 3012 wrote to memory of 4784	3012	svchost.exe	rundll32.exe
PID 1360 wrote to memory of 4060	1360	rundll32.exe	schtasks.exe
PID 1360 wrote to memory of 4060	1360	rundll32.exe	schtasks.exe
PID 1360 wrote to memory of 4060	1360	rundll32.exe	schtasks.exe
PID 1360 wrote to memory of 4024	1360	rundll32.exe	schtasks.exe
PID 1360 wrote to memory of 4024	1360	rundll32.exe	schtasks.exe
PID 1360 wrote to memory of 4024	1360	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe
"C:\Users\Admin\AppData\Local\Temp\57462a03024056258e2b9979d50efb16e30ecdab9e9cda9bc7e7e62fd6a694bb.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1360

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3664

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4060

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4732 -s 528
2⤵
- Program crash
PID:2164

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4732 -ip 4732
1⤵
PID:4472

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3860

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3012

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\directink.dll",giZc
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:4784

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll
Filesize
797KB

MD5
e5c25ce5c9b37a2d840d27f1e294829c

SHA1
d55e237cdcd2f4c0f86c840faa9514391eff6796

SHA256
9d48417d46f7dd3961fc28224f2fc52464621344d5639ebcf8dcc3ceac1cbe24

SHA512
7d9ea3c7b9faa6d57d6db56cd55f80b656449ef3e52b182a3086f56bd72431c97a4a784b8276d740ffb2dcd92fd0f2a38b431f70cd2e2c5fde78977dd66f5641

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\DirectInk.dll
Filesize
797KB

MD5
e5c25ce5c9b37a2d840d27f1e294829c

SHA1
d55e237cdcd2f4c0f86c840faa9514391eff6796

SHA256
9d48417d46f7dd3961fc28224f2fc52464621344d5639ebcf8dcc3ceac1cbe24

SHA512
7d9ea3c7b9faa6d57d6db56cd55f80b656449ef3e52b182a3086f56bd72431c97a4a784b8276d740ffb2dcd92fd0f2a38b431f70cd2e2c5fde78977dd66f5641

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\3CCD5499-87A8-4B10-A215-608888DD3B55.vsch
Filesize
262B

MD5
0c19329f1a0959d6e069dd77dc32e7fc

SHA1
8216c5d18000ff6c11f0b562a85d650b3e07da7c

SHA256
ca469f2580e20b3d1077355a1e0e673be724ac15ab15e859b7bc3bcf60854120

SHA512
fbbe1626c32f7b77c77fa1e0e5f0c22562d3bdc15a4290cf300625efa782c31d9ac461ea2b6552dbc42f16137bfc226d98ee2f002a353245eae6afca873e912d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml
Filesize
23KB

MD5
37cde9afb1540513bd564d71867021e0

SHA1
e319abb6093025dccc55618fb407c1182ccdafe7

SHA256
516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f

SHA512
6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
b8b91e8b07a3803223ce8ccccd4b7958

SHA1
0624c974f0fd5630bef3878dd42b731e43927512

SHA256
2073241342b5a94ccf0666f2819d534183ec0919da7ae673ea87e2d01f60ee02

SHA512
308887acf189d7dc41c01d1653283251c887dca61f47a836cc059eb17109f20f9d242cf5a53d17535d429068d285d22a80b144fa56688455302f005005cb6a82

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
468f3e3927fb0051e7b32e3316d7b7a0

SHA1
60cc01f69e7f501c2a22929ca77ab6bf1469ea78

SHA256
cbd5cc0064422eadb99fce60c3479c98e95c62e895417d37c99bd8ad23d6ee22

SHA512
acabff9f108b3d04c37c09712da3c60a71f054853cf459cd4efd226a88c874d5422501fb1d0060a5d85f40c2c6b23be9161259f03bc0f7f7eb6a499e5fe8bff9

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe.xml
Filesize
22KB

MD5
e0deca52ec488a29758550b78fa3b719

SHA1
188ae9939a0875f11a611ee7d8604c7a348bc0d2

SHA256
9337e81fdc5c57705e3c587ce9bf99bc176e127acd2539eb6a18c3a6c2b87816

SHA512
ce84157a418fa8b2d5b576da37796b323b8d2a5e8af6e9651c23ecfb1a32dc0f65872d2919f148c5deaed4acd5b4336767fd949fd98ab2aafbf36abaeca863f3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.BioEnrollment_10.0.19041.1023_neutral__cw5n1h2txyewy.xml
Filesize
3KB

MD5
3e0786e68ac00141fd51790c561c60ef

SHA1
96f2bdc8310d74e466bd8ef0931baaa2f276de03

SHA256
1545f3cf4b4c17d52c387e560dcb777e1748757c1dbb18788080d9dac64a82a6

SHA512
cdcecba2775b627e9e6fce205166e2f0f9af9550ed838689c586c707c29d6d7e7a5daa03814b0c95f5da3b8b2d2366b77e5011a8cad8fac448feaa96679353f2

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe.xml
Filesize
5KB

MD5
1944801cae061223e36fcce6aed6bfba

SHA1
b465c53f3e6ae74fac368f36cbfc5842ce085e14

SHA256
b903a7f4408a27d0b7a7c6316d04952508d67058216dffeca4293c9352727959

SHA512
82b0e3b1105a5d802839c3ea78b4e2dd800b819ee678d016b2f47203ceb27a638d195909ec1d0efbf46edbf910409d7ab4a05146fc902ef335b36bf14339498f

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
855B

MD5
dae188e1f4d8d97d8d65164eb0dda551

SHA1
78b54e226446825c56d15a19a3ed4b587a8842a2

SHA256
5bae5febdf75a2fe0b73791d603c7c9ac5de0d00dffc909b5dbc86bcd6dd15f2

SHA512
941d94c42572abcb937258e99a5d1b520c9f85ce741e81e81e7a299287ae9e8fb763fdc70b661a812c780f4b6997b84c8147791ac56f1510a87966c68ab23b22

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftInternetExplorer2013Backup.xml
Filesize
2KB

MD5
16fa6bd16573d544916a2cb3335a1f13

SHA1
479c5b9375b5b351d7dc217deb159fe92da03f75

SHA256
37e639679abd36b5b59324eea7aa1d602ff9c287e5c07dfd335ee1a85b68fc50

SHA512
9a871284356b2217fc8dbd568c6731def7781cac4550e77824f5c683b29313cd46e444760413ec730e8f70669ff08b62ab9b73c8099115a71eb84d7d728e2873

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2016CAWin64.xml
Filesize
1KB

MD5
4b6a6960b925c7bd5b83d8a4196e24e4

SHA1
f1bb8a50ffb8cce0804db90d2e3ecdbbbe3f460b

SHA256
5f45e2be37f33052a97235462325f5ae32d3713bdaa6eeeea49e92f0e9fc6ed0

SHA512
21f420212c86df357ad83079876d969bab0d089ac506d3dcfb1cfcb134f118a741491454e79538bf5c8d4d2b2ab1fc14d07d0cc3f263874396bd9546bf3b71b1

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftWordpad.xml
Filesize
1005B

MD5
576da3ac22d84c085a753ad324e5af0f

SHA1
1ce9245047e7da3eb4e81356434ca190fe4f924f

SHA256
214762acb145e4bbfabd685705707097bd5f5b8dc739c1c18b200d50c5c2f303

SHA512
dde20be02f91f438350752ff98bc6cd21dd9f2cb057fcc3f08d90ea889a69e0bb3e7f7a8fb554a7767d5a3ab74de3e8c090943730e5e197b07304221c2a8b9c0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SettingsLocationTemplate.xsd
Filesize
9KB

MD5
f35965aa615dd128c2b95cfe925145c3

SHA1
57346050388048feb8034d5011b105018483b4a0

SHA256
ea9674d42081557b34958b2f7085f8d3865e71660d8f36258fa1c088d90d2398

SHA512
82767fdf269f813b5d39bb44c481f01678f9eab332ecc42f11d5a4f00a1970a6dd1875d30a98042113d37b04e501414b33e18abf2ab2a7995e5e773489f9cd82

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\s640.hash
Filesize
106B

MD5
bef40d5a19278ca19b56fbcdde7e26ef

SHA1
4f01d5b8de038e120c64bd7cc22cf150af1452fb

SHA256
7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

SHA512
5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\scan_.ico
Filesize
59KB

MD5
a161b3f9fd62c3931fbd79512810cffa

SHA1
a63f1d8945b983356b66819b3aa5b0bd409995e4

SHA256
d3ba9eecc5e87b384242385078846cff82051194887ce2d7343bb7b60e7a26d7

SHA512
f07776d386a39b20e3721b7450248e458ecd6f477197028aa42e2ab6a2731a002170a5415fb02fadac40b1b97acee3b5064ff76606ba2bcc14f7e7b674524299

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\directink.dll
Filesize
797KB

MD5
e5c25ce5c9b37a2d840d27f1e294829c

SHA1
d55e237cdcd2f4c0f86c840faa9514391eff6796

SHA256
9d48417d46f7dd3961fc28224f2fc52464621344d5639ebcf8dcc3ceac1cbe24

SHA512
7d9ea3c7b9faa6d57d6db56cd55f80b656449ef3e52b182a3086f56bd72431c97a4a784b8276d740ffb2dcd92fd0f2a38b431f70cd2e2c5fde78977dd66f5641

Download Submit
memory/1360-138-0x00000000048C0000-0x0000000004FE5000-memory.dmp

Filesize
7.1MB

Download
memory/1360-140-0x00000000050B0000-0x00000000051F0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-152-0x00000000048C0000-0x0000000004FE5000-memory.dmp

Filesize
7.1MB

Download
memory/1360-142-0x00000000050B0000-0x00000000051F0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-141-0x00000000050B0000-0x00000000051F0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-145-0x00000000050B0000-0x00000000051F0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-149-0x0000000005129000-0x000000000512B000-memory.dmp

Filesize
8KB

Download
memory/1360-132-0x0000000000000000-mapping.dmp

Download
memory/1360-144-0x00000000050B0000-0x00000000051F0000-memory.dmp

Filesize
1.2MB

Download
memory/1360-139-0x00000000048C0000-0x0000000004FE5000-memory.dmp

Filesize
7.1MB

Download
memory/1360-143-0x00000000050B0000-0x00000000051F0000-memory.dmp

Filesize
1.2MB

Download
memory/3012-157-0x00000000036F0000-0x0000000003E15000-memory.dmp

Filesize
7.1MB

Download
memory/3012-156-0x00000000036F0000-0x0000000003E15000-memory.dmp

Filesize
7.1MB

Download
memory/3012-178-0x00000000036F0000-0x0000000003E15000-memory.dmp

Filesize
7.1MB

Download
memory/3664-146-0x00007FF7AE4F6890-mapping.dmp

Download
memory/3664-147-0x0000029EE3AB0000-0x0000029EE3BF0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-148-0x0000029EE3AB0000-0x0000029EE3BF0000-memory.dmp

Filesize
1.2MB

Download
memory/3664-150-0x0000000000D50000-0x0000000000F69000-memory.dmp

Filesize
2.1MB

Download
memory/3664-151-0x0000029EE20E0000-0x0000029EE230A000-memory.dmp

Filesize
2.2MB

Download
memory/4024-177-0x0000000000000000-mapping.dmp

Download
memory/4060-176-0x0000000000000000-mapping.dmp

Download
memory/4732-133-0x00000000006C3000-0x00000000007B2000-memory.dmp

Filesize
956KB

Download
memory/4732-137-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4732-134-0x0000000002340000-0x0000000002470000-memory.dmp

Filesize
1.2MB

Download
memory/4784-173-0x0000000004100000-0x0000000004825000-memory.dmp

Filesize
7.1MB

Download
memory/4784-174-0x0000000004100000-0x0000000004825000-memory.dmp

Filesize
7.1MB

Download
memory/4784-175-0x0000000004100000-0x0000000004825000-memory.dmp

Filesize
7.1MB

Download
memory/4784-170-0x0000000000000000-mapping.dmp

Download