danabot | c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe
Size

1.1MB
MD5

c8beb87469647c6fb577d2bfec8e0fcd
SHA1

dcbbd759d34cb4d23c53d67943c47a250ee32767
SHA256

c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6
SHA512

678bbc9fcaa886d4babf499303afdbdf737d0e98d830bc404bcd74255742595229fa99c757f2b6c90b729b3fe260faecd2928405aaa641d774fda96fd80870fd
SSDEEP

24576:LHgPGgWkOORvmOxwUf84+OcMv2as3fcRrkQ+eBNLIrez3:LHgPGgWkOOPxBb+eP4Erk0o63

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

16 2084 rundll32.exe
18 2084 rundll32.exe
85 2084 rundll32.exe
94 2084 rundll32.exe

flow	pid	process
16	2084	rundll32.exe
18	2084	rundll32.exe
85	2084	rundll32.exe
94	2084	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\base_uri\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\base_uri.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\base_uri\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

2084 rundll32.exe
1972 svchost.exe
428 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
2084	rundll32.exe
1972	svchost.exe
428	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2084 set thread context of 3044 2084 rundll32.exe rundll32.exe

description	pid	process	target process
PID 2084 set thread context of 3044	2084	rundll32.exe	rundll32.exe

Drops file in Program Files directory 46 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_bow.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\AppCenter_R.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AppCenter_R.aapp	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\freebl3.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\download.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fur.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ca.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Review_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\acrobat_parcel_generic_32.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\32BitMAPIBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_filetype_xd.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_filetype_xd.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.pdf	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\core_icons.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_bow.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\acrobat_parcel_generic_32.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\base_uri.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\core_icons.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_2x.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\aic_file_icons_retina_thumb_highContrast_wob.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-environment-l1-1-0.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3480 4736 WerFault.exe c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe

pid	pid_target	process	target process
3480	4736	WerFault.exe	c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe

Checks processor information in registry 2 TTPs 62 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ABE0DEC1755A5879048EB0082FE128257D4AFF42\Blob = 030000000100000014000000abe0dec1755a5879048eb0082fe128257d4aff4220000000010000006e0200003082026a308201d3a0030201020208678ec69410dfe40a300d06092a864886f70d01010b0500305a3122302006035504030c1942616c74626d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b3009060355040613024945301e170d3230313232303130323733365a170d3234313231393130323733365a305a3122302006035504030c1942616c74626d6f7265204379626572547275737420526f6f7431133011060355040b0c0a4379626572547275737431123010060355040a0c0942616c74696d6f7265310b300906035504061302494530819f300d06092a864886f70d010101050003818d0030818902818100c66957580d5ff1c04a3ad4910c7aa2191447cc52c9e2c9304b2020266a9c5d8264c9d5077bc46f2115e95e2158c3b93c8f3bd2a051d89214cdcc782ccaa78e7dbff0d503c304809b7f7720da4d7fc224065e7a429db3c59c60ac75c32bdd8d21519f26719bbddcae9ac233f34adaa79b3b944b277d41f5b262fe738e07b6b3d70203010001a3393037300f0603551d130101ff040530030101ff30240603551d11041d301b821942616c74626d6f7265204379626572547275737420526f6f74300d06092a864886f70d01010b050003818100918d1999cbdb1e1aca313cff0db4bb9758cd20ed3740f061e8a77b24d69fd923407fa55f89160f766d03b51dbb637c9e49b8b53d6efca0e64d5634f93ef9fa8ea1e1ad3ce3c5dc2ab00fdad9715df0053e89316da69e48971d3e167a3506c03c424f40d90430ec21b7820ccdb3c22a853b9d5c8110d6f74a493691c340d69708	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\ABE0DEC1755A5879048EB0082FE128257D4AFF42	rundll32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

svchost.exerundll32.exe

pid	process
1972	svchost.exe
1972	svchost.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
2084	rundll32.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe
1972	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2084 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3044 rundll32.exe
2084 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2084	rundll32.exe

pid	process
3044	rundll32.exe
2084	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exerundll32.exesvchost.exe

description	pid	process	target process
PID 4736 wrote to memory of 2084	4736	c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe	rundll32.exe
PID 4736 wrote to memory of 2084	4736	c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe	rundll32.exe
PID 4736 wrote to memory of 2084	4736	c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe	rundll32.exe
PID 2084 wrote to memory of 3044	2084	rundll32.exe	rundll32.exe
PID 2084 wrote to memory of 3044	2084	rundll32.exe	rundll32.exe
PID 2084 wrote to memory of 3044	2084	rundll32.exe	rundll32.exe
PID 1972 wrote to memory of 428	1972	svchost.exe	rundll32.exe
PID 1972 wrote to memory of 428	1972	svchost.exe	rundll32.exe
PID 1972 wrote to memory of 428	1972	svchost.exe	rundll32.exe
PID 2084 wrote to memory of 404	2084	rundll32.exe	schtasks.exe
PID 2084 wrote to memory of 404	2084	rundll32.exe	schtasks.exe
PID 2084 wrote to memory of 404	2084	rundll32.exe	schtasks.exe
PID 2084 wrote to memory of 4188	2084	rundll32.exe	schtasks.exe
PID 2084 wrote to memory of 4188	2084	rundll32.exe	schtasks.exe
PID 2084 wrote to memory of 4188	2084	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe
"C:\Users\Admin\AppData\Local\Temp\c0ada9e11f5005b3b81f34b522c43ef087fb77e1444bfe902bcaf6dfad22e8c6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4736

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:2084

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14144
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3044

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:404

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4188

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4736 -s 536
2⤵
- Program crash
PID:3480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4736 -ip 4736
1⤵
PID:2732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4196

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\base_uri.dll",aR1MZw==
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\base_uri.dll

Filesize
797KB

MD5
a3d5ff8e4d4fd759fc0729cb42eb905a

SHA1
631694146d5c0b0c0de8644c048f3291dc092075

SHA256
7839c148a7d0dd6790f4fe136de351e8bf151e124f4f2aed0f41cfc0ccf7e01d

SHA512
573ec9de874bab42565ce0bd2956c03ad3219e4d26de8cf47ce15741089bbe17623457dfcbf9ff89f5213dfc9ecb47f3e56135386c47afe1bce6cc27e496baf4

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\base_uri.dll

Filesize
797KB

MD5
a3d5ff8e4d4fd759fc0729cb42eb905a

SHA1
631694146d5c0b0c0de8644c048f3291dc092075

SHA256
7839c148a7d0dd6790f4fe136de351e8bf151e124f4f2aed0f41cfc0ccf7e01d

SHA512
573ec9de874bab42565ce0bd2956c03ad3219e4d26de8cf47ce15741089bbe17623457dfcbf9ff89f5213dfc9ecb47f3e56135386c47afe1bce6cc27e496baf4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\154E23D0-C644-4E6F-8CE6-5069272F999F.vsch

Filesize
158B

MD5
dd8778eda0b96d5d71716fbb50300293

SHA1
17b3a49fe039ef5c930801c3a77922b30a61ee69

SHA256
61e06f4deff92e80d1605cb17a0c83604ac6cdb72fb3d4b1e3d0eb7e7bbbf4a0

SHA512
4efee799ddfb3d98a6b402aebed2ec79cfbd1cab200bfad1f95af432b91ce11e0404cd1cdf9f5a46324757c135928cb0ce42197c3021ae506ac6dd047127491b

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\AirSpace.Etw.man

Filesize
412KB

MD5
39e5270caae15015c8203fec413669c7

SHA1
f44f5617f2bc496fb497a1e8ad13997ccecf0f6d

SHA256
2e6cbfc09039d76897eaf701179ba2011d2ea134ca8b6c6e9792a0843006a5f1

SHA512
9bdab6d4cea87cd1172a77554c0059dbd5f7f29ca754e4ed21aa99bc4b16f40fc28e32c81f0ab3ea49158c12cc6c5318a81bd942b916c0b1241b2c6818b2657a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Proof.Culture.msi.16.fr-fr.xml

Filesize
23KB

MD5
37cde9afb1540513bd564d71867021e0

SHA1
e319abb6093025dccc55618fb407c1182ccdafe7

SHA256
516aa640a48752bcadbd46e4f53c0560a1cb379d5366b1c9bb4d0706d1bd040f

SHA512
6746350447a6a0424c90571c7cc3442d34af0cb16fa1459bb76b25423f165f474073f1d359462cb805ac376a9d069236d6b7a796332c27253a4807f691292881

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Word.Word.x-none.msi.16.x-none.xml

Filesize
93KB

MD5
2e8a1f4e2c4678c174e9f328fc9c0846

SHA1
39a7038d855f22e339bd26e578d02804ed7ec3b4

SHA256
846687ca03420046249f3525dc02ee08099671d8a3f48f42046febff9eedc877

SHA512
21cc574180abb4068293e44eb42820f57d4fc238a7677443997afa289a15c85f6c51311875a2c10edfe974dc56f484da0fe5dfeb2c0a4ca34ab977e1b0c2dd75

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.wordmui.msi.16.en-us.xml

Filesize
77KB

MD5
50a33f3ee76c3f15703f82890efcc8c8

SHA1
b24e99bb702478edcbbda43f75457e5833abdc95

SHA256
77a2a4517a0c488c78bf9742e86de5af419d6c148346845d8b0f062d5f8a631a

SHA512
f14e224c1582476f09f969f1e29d5e2fa7855b22aa6b35682e264da0fc6cafdc1d62022dde5032206e1d973382604d9ccfa7495ebf90578a55c9c74bac1e606e

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiST0000.001

Filesize
64KB

MD5
2a1801484fed207d6469068f57a62214

SHA1
c12999e2fa101c6b6bb3a5f0e66f4e0c5b938d4e

SHA256
30c7988571781563e5e697f564b616750e354bcd69e9bf7a39e3854e4b7bec28

SHA512
a7e12254278e83710077d5cb3b8162cd74c4211147a6823afa8aa3c67cc3041e066b34e63bcf0cae9087177543c52871e67bac373db1b8ab3d5058ba9f3f41b4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\DeploymentConfiguration.xml

Filesize
614B

MD5
54cec4437128f703c259efb3dc734386

SHA1
9b15ebe33a771a7e12cd966fd8b583da06914015

SHA256
d44d8ffc6e0261e32c4b5c77573a0daa0b4066d4e160c2cd5b5728199f63dfb4

SHA512
c1793acc8f6dc9997fd0261d501ffed200f3c039c9b77e554a031262925878b56727bd84cf5fbeeccb481c1d4511f37e940a8f8436054c8f08adb8e5f46773ea

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
ed78514b810335cc28f2302a4f9f978d

SHA1
dc623a01f915a278bcdd635f02f8370de6b85ebd

SHA256
7126b218ff8516878162fc7a8a2e7679dd5a4cc4bdd83738e6982ce101abad1e

SHA512
255b89b7b0cd5605c83caff11e0536966c22fc793629dc9b4710bbe85b3f93ebfc4dcc69f03ae4e3d76a49e3b6ed76aa833ee136479a0d3576582c0a68c4cc78

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
ed78514b810335cc28f2302a4f9f978d

SHA1
dc623a01f915a278bcdd635f02f8370de6b85ebd

SHA256
7126b218ff8516878162fc7a8a2e7679dd5a4cc4bdd83738e6982ce101abad1e

SHA512
255b89b7b0cd5605c83caff11e0536966c22fc793629dc9b4710bbe85b3f93ebfc4dcc69f03ae4e3d76a49e3b6ed76aa833ee136479a0d3576582c0a68c4cc78

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe.xml

Filesize
839B

MD5
2f6bc19cc3de731b8eaec46910edaf83

SHA1
61fd41f1fd1e4c6d7178a204c8ab68add839a199

SHA256
6893a54cc402ac94a278294c20918a5a6d15f8bf11995a8b2388dbe9fce5b966

SHA512
841a7777d1cf45ae391a101a44a25407023dd66e539e303057f0bfd01db8b37f56f9047eeccb920a5cdaa3ce44779d1703235a2db510594f70bbd2eff441b15a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe.xml

Filesize
839B

MD5
5ddffd275e173019cb301fe2c96a2f3f

SHA1
0303cebf14f4304d93733426aee485e4bf7efe29

SHA256
d1e768a7bb7a5851697a2a5bec63670c9d90b72d1f77169ef231c265b9cb8272

SHA512
e92f31f56dc2f5dfa0963978239303d2c5755b5bfa363910f18e5168703d3ddfc506ad522915b90f9d489997a66a3db780762e750a658ac7835b75d8d299684a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftNotepad.xml

Filesize
957B

MD5
06f405331f1f99bd455f4afa7b8ee0cc

SHA1
815d8d81c01208aef4bc1a0048b2d4f4171b26f6

SHA256
b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790

SHA512
a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_Office Feature Updates Logon.xml

Filesize
3KB

MD5
9663230fbff7b7ea27acf7cb5b2eb224

SHA1
c9061dc5a74944235155461a761456af38ec7de5

SHA256
189d7c143926ab4402258ecf47d9b4a6a2b55aa7564b853ddd81bbfcd2113bdb

SHA512
b96f74946a99d9cca64f7727dd0664fafd16a6a1242af773b36c5f531c071dbf1b91ff873962be2cd160bdcc128b3aaa5715a38f997e5cfa1b78863ab146493d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\ThemeSettings2013.xml

Filesize
2KB

MD5
986d31966b8370330842dc0cd8eac1f1

SHA1
3e96a8f449cc3930a0cec85f2e24190452b058eb

SHA256
56e478dcefd0863a8af9edb7d4f8bc746d077e5f5df637bad19e66cbbbe20cb0

SHA512
7ed19b3eeeb35882795a3d4a20193b9a60e905ea855704afdc5ea7e3b27c3d954061ba04eff5ed9f7cf44aff7c9b4f443c74cfd6088027fb830ad49c59eceefd

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\abcpy.ini

Filesize
608B

MD5
818d3a4899c5596d8d8da00a87e6d8bb

SHA1
4e0e04f5ca5d81661702877852fd9d059722762f

SHA256
9986830f6e44d24b86936851c2c0cd961ecdddbed3b34e8f6a64693f36e9429d

SHA512
1cd1c882adcee3d89bdc2b07ccf8d4913149565085d42e0f67a4c08b4c4d504b51c9ae44a11de906a1aed202391eb2b3461f63268158b6879cae9a18d56da239

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\pictures.ico

Filesize
81KB

MD5
8e3fed079e101c5dcb906371c2b546a3

SHA1
7fbf444c9361684228f643984f1333c271e86bf2

SHA256
b0203f1dc9e443dc5081b0f882934241645a5de4cc4b1e47b3460d17446a87d4

SHA512
898c825d9f20f3d20cb389328561ff70bd0c762dcc1369bd0bb633130aee9dcf60b433da66c3a37dd1d46a70614abd955a323589917ed85e0ec5698cdd0268c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\base_uri.dll

Filesize
797KB

MD5
a3d5ff8e4d4fd759fc0729cb42eb905a

SHA1
631694146d5c0b0c0de8644c048f3291dc092075

SHA256
7839c148a7d0dd6790f4fe136de351e8bf151e124f4f2aed0f41cfc0ccf7e01d

SHA512
573ec9de874bab42565ce0bd2956c03ad3219e4d26de8cf47ce15741089bbe17623457dfcbf9ff89f5213dfc9ecb47f3e56135386c47afe1bce6cc27e496baf4

Download Submit
memory/404-179-0x0000000000000000-mapping.dmp

Download
memory/428-173-0x0000000000000000-mapping.dmp

Download
memory/428-176-0x0000000004910000-0x0000000005035000-memory.dmp

Filesize
7.1MB

Download
memory/428-178-0x0000000004910000-0x0000000005035000-memory.dmp

Filesize
7.1MB

Download
memory/428-177-0x0000000004910000-0x0000000005035000-memory.dmp

Filesize
7.1MB

Download
memory/1972-157-0x0000000003700000-0x0000000003E25000-memory.dmp

Filesize
7.1MB

Download
memory/1972-181-0x0000000003700000-0x0000000003E25000-memory.dmp

Filesize
7.1MB

Download
memory/1972-174-0x0000000003700000-0x0000000003E25000-memory.dmp

Filesize
7.1MB

Download
memory/2084-144-0x0000000004AA0000-0x0000000004BE0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-146-0x0000000004AA0000-0x0000000004BE0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-135-0x0000000000000000-mapping.dmp

Download
memory/2084-145-0x0000000004AA0000-0x0000000004BE0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-150-0x0000000004B19000-0x0000000004B1B000-memory.dmp

Filesize
8KB

Download
memory/2084-143-0x0000000004AA0000-0x0000000004BE0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-141-0x0000000004AA0000-0x0000000004BE0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-142-0x0000000004AA0000-0x0000000004BE0000-memory.dmp

Filesize
1.2MB

Download
memory/2084-140-0x00000000042B0000-0x00000000049D5000-memory.dmp

Filesize
7.1MB

Download
memory/2084-139-0x00000000042B0000-0x00000000049D5000-memory.dmp

Filesize
7.1MB

Download
memory/2084-153-0x00000000042B0000-0x00000000049D5000-memory.dmp

Filesize
7.1MB

Download
memory/3044-149-0x0000023E7ECA0000-0x0000023E7EDE0000-memory.dmp

Filesize
1.2MB

Download
memory/3044-147-0x00007FF608CD6890-mapping.dmp

Download
memory/3044-148-0x0000023E7ECA0000-0x0000023E7EDE0000-memory.dmp

Filesize
1.2MB

Download
memory/3044-151-0x0000000000F90000-0x00000000011A9000-memory.dmp

Filesize
2.1MB

Download
memory/3044-152-0x0000023E7D2D0000-0x0000023E7D4FA000-memory.dmp

Filesize
2.2MB

Download
memory/4188-180-0x0000000000000000-mapping.dmp

Download
memory/4736-133-0x00000000023B0000-0x00000000024E0000-memory.dmp

Filesize
1.2MB

Download
memory/4736-134-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4736-138-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4736-132-0x00000000022B2000-0x00000000023A1000-memory.dmp

Filesize
956KB

Download