danabot | eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
Size

218KB
MD5

fc5b8196fdcab0454747420f33347e53
SHA1

e6c81c9d28dfefaec07c60485776ca8299dbb83c
SHA256

eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1
SHA512

feee13743922d97a685db172f93aa300fcb1e1a44c814d51c46461a65c4aae57dce0c6288e227ba99003200c37ab32e70c3f5aa79ef4898d97199f2bd26553ac
SSDEEP

3072:VloBonOLHf6CgHR6XqjhnBmK09E7Cin0Ah7b/6jpFBTnNHCDml:VaB4OL/1Z0Wi7CinV5oDCa

Score

10^/10

danabot smokeloader systembc backdoor banker persistence trojan

Malware Config

Extracted

Family

systembc

109.205.214.18:443

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4256-133-0x0000000002190000-0x0000000002199000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
SystemBC
SystemBC is a proxy and remote administration tool first seen in 2019.
trojan systembc
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

41 1336 rundll32.exe
68 1336 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs

Processes:

EBBC.exeaiftufr36EF.exelplvcjp.exe

pid process

540 EBBC.exe
348 aiftufr
4352 36EF.exe
2864 lplvcjp.exe

flow	pid	process
41	1336	rundll32.exe
68	1336	rundll32.exe

pid	process
540	EBBC.exe
348	aiftufr
4352	36EF.exe
2864	lplvcjp.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cloud_icon\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\cloud_icon.dll\u3100"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cloud_icon\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\cloud_icon.dll㐀"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\cloud_icon\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1336 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1336 set thread context of 436 1336 rundll32.exe rundll32.exe

pid	process
1336	rundll32.exe

description	pid	process	target process
PID 1336 set thread context of 436	1336	rundll32.exe	rundll32.exe

Drops file in Program Files directory 15 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\email_initiator.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\open_original_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Protect_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_same_reviewers.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_same_reviewers.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base_non_fips.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base_non_fips.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\email_initiator.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Protect_R_RHP.aapp	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

36EF.exe

description ioc process

File created C:\Windows\Tasks\lplvcjp.job 36EF.exe
File opened for modification C:\Windows\Tasks\lplvcjp.job 36EF.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

1812 540 WerFault.exe EBBC.exe
1228 4352 WerFault.exe 36EF.exe

description	ioc	process
File created	C:\Windows\Tasks\lplvcjp.job	36EF.exe
File opened for modification	C:\Windows\Tasks\lplvcjp.job	36EF.exe

pid	pid_target	process	target process
1812	540	WerFault.exe	EBBC.exe
1228	4352	WerFault.exe	36EF.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

aiftufreb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aiftufr
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aiftufr
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	aiftufr
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (int)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Set value (str)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009455ca5b100054656d7000003a0009000400efbe6b55586c9455cb5b2e00000000000000000000000000000000000000000000000000a6a84100540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Key created	\REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2688

pid	process
2688

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe

pid	process
4256	eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
4256	eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688
2688

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2688
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exeaiftufr

pid process

4256 eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
348 aiftufr

pid	process
2688

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688
Token: SeShutdownPrivilege	2688
Token: SeCreatePagefilePrivilege	2688

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

436 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2688
2688

pid	process
436	rundll32.exe

pid	process
2688
2688

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

EBBC.exerundll32.exe

description	pid	process	target process
PID 2688 wrote to memory of 540	2688		EBBC.exe
PID 2688 wrote to memory of 540	2688		EBBC.exe
PID 2688 wrote to memory of 540	2688		EBBC.exe
PID 540 wrote to memory of 1336	540	EBBC.exe	rundll32.exe
PID 540 wrote to memory of 1336	540	EBBC.exe	rundll32.exe
PID 540 wrote to memory of 1336	540	EBBC.exe	rundll32.exe
PID 2688 wrote to memory of 4352	2688		36EF.exe
PID 2688 wrote to memory of 4352	2688		36EF.exe
PID 2688 wrote to memory of 4352	2688		36EF.exe
PID 1336 wrote to memory of 436	1336	rundll32.exe	rundll32.exe
PID 1336 wrote to memory of 436	1336	rundll32.exe	rundll32.exe
PID 1336 wrote to memory of 436	1336	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe
"C:\Users\Admin\AppData\Local\Temp\eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4256

C:\Users\Admin\AppData\Local\Temp\EBBC.exe
C:\Users\Admin\AppData\Local\Temp\EBBC.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:540

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1336

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14130
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 540 -s 528
2⤵
- Program crash
PID:1812

C:\Users\Admin\AppData\Roaming\aiftufr
C:\Users\Admin\AppData\Roaming\aiftufr
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:348

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 540 -ip 540
1⤵
PID:1460

C:\Users\Admin\AppData\Local\Temp\36EF.exe
C:\Users\Admin\AppData\Local\Temp\36EF.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4352 -s 936
2⤵
- Program crash
PID:1228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3536

C:\ProgramData\lbkgh\lplvcjp.exe
C:\ProgramData\lbkgh\lplvcjp.exe start
1⤵
- Executes dropped EXE
PID:2864

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 4352 -ip 4352
1⤵
PID:2452

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4264

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\cloud_icon.dll
Filesize
797KB

MD5
54682c94534aa2e96f722b9ddef35e3e

SHA1
acbff89414f6aa0ba0262975aa87f65bcb5a7daa

SHA256
b01d0c4a28c3228e4b4da3718f3f0331272ec524ef416318384c0d471a7bb0cb

SHA512
5c6ac31495e3c845c0dd85e7adca719b001b1bca1972d4f79543a7bfb670acf2322a8e29cb39d319ab7bf3a28ded8284586d83e24b6d0cfee9328222ee17063f

Download Submit
C:\ProgramData\lbkgh\lplvcjp.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\lbkgh\lplvcjp.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
2607fa53e4728c7ae699264e8960516b

SHA1
f0bb3e1fe314b07cab3ae1bfb08bb364adce503f

SHA256
8aad8820dfc322d2a82c7caf670bd77ad0c7dfb898013d10fece74abe2e7ba4c

SHA512
8feb60cf7da05fc34364007bd7a1c141289588b0df3d6481df73178bf5d4d3056323dcc88c1bdf952f321092c20a4796708026f55b5c4a8b380a8dfcc8a7245f

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\NetworkPrinters.xml
Filesize
2KB

MD5
774c9f44e6ff0b1798e092ed1df9a1fc

SHA1
a40a3292a55cb4f6f101a04f247f83196bf54716

SHA256
ef22a638f62476efac099497b1251bef64f115fa4752ad20467614571cf5ae5f

SHA512
529e66cd53361e631b7bfabff0063ac37a39e7adb0f2890db461a55de6430059015d6f6ca1cf447da759edd463b32c2007e6411d6d84a999a7d998f574fe2748

Download Submit
C:\Users\Admin\AppData\Local\Temp\36EF.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\36EF.exe
Filesize
218KB

MD5
cdc67700f25eaed1417264c4bdec03d3

SHA1
56639e9414e6ee8394d940d62778475ddf071290

SHA256
fdd4cca0516be799c954e96be26b2d04e42ea0bac1edb00604412914bae2f100

SHA512
a2b38a1d4d0cb57532f3feb2efa1fb345c03df9114dfb2dcc93286e19b96eb5e182bd79d070a0e4fccf1980f47effc9b511dbb0074bba69bee80098317e08038

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBBC.exe
Filesize
1.1MB

MD5
8aca94b8974200ffdef8a6faabb97bc5

SHA1
4bb870909d3fabe80a49239cdc00d5227c7c77bc

SHA256
176ea74cc4a870001215dc5c7ae050634850482ff89936c728a0931677d35fa5

SHA512
fc9c533f47bc157059bdc9743f90ffec057f7d37d401c7ac21b4edf96366e5d15a18b0da0f103d5f22689410b3fbc9178397d8be37127e665ae390a0ee2694a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\EBBC.exe
Filesize
1.1MB

MD5
8aca94b8974200ffdef8a6faabb97bc5

SHA1
4bb870909d3fabe80a49239cdc00d5227c7c77bc

SHA256
176ea74cc4a870001215dc5c7ae050634850482ff89936c728a0931677d35fa5

SHA512
fc9c533f47bc157059bdc9743f90ffec057f7d37d401c7ac21b4edf96366e5d15a18b0da0f103d5f22689410b3fbc9178397d8be37127e665ae390a0ee2694a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\aiftufr
Filesize
218KB

MD5
fc5b8196fdcab0454747420f33347e53

SHA1
e6c81c9d28dfefaec07c60485776ca8299dbb83c

SHA256
eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1

SHA512
feee13743922d97a685db172f93aa300fcb1e1a44c814d51c46461a65c4aae57dce0c6288e227ba99003200c37ab32e70c3f5aa79ef4898d97199f2bd26553ac

Download Submit
C:\Users\Admin\AppData\Roaming\aiftufr
Filesize
218KB

MD5
fc5b8196fdcab0454747420f33347e53

SHA1
e6c81c9d28dfefaec07c60485776ca8299dbb83c

SHA256
eb16954ee6ac8bfe1c53ee6a44d7738c302ae2ee6f3d50a34f9baaf4ff92d2c1

SHA512
feee13743922d97a685db172f93aa300fcb1e1a44c814d51c46461a65c4aae57dce0c6288e227ba99003200c37ab32e70c3f5aa79ef4898d97199f2bd26553ac

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\cloud_icon.dll
Filesize
797KB

MD5
54682c94534aa2e96f722b9ddef35e3e

SHA1
acbff89414f6aa0ba0262975aa87f65bcb5a7daa

SHA256
b01d0c4a28c3228e4b4da3718f3f0331272ec524ef416318384c0d471a7bb0cb

SHA512
5c6ac31495e3c845c0dd85e7adca719b001b1bca1972d4f79543a7bfb670acf2322a8e29cb39d319ab7bf3a28ded8284586d83e24b6d0cfee9328222ee17063f

Download Submit
memory/348-149-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/348-147-0x00000000004A8000-0x00000000004B8000-memory.dmp

Filesize
64KB

Download
memory/348-148-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/436-168-0x00000000006E0000-0x00000000008F9000-memory.dmp

Filesize
2.1MB

Download
memory/436-169-0x000001DE74980000-0x000001DE74BAA000-memory.dmp

Filesize
2.2MB

Download
memory/436-167-0x000001DE76360000-0x000001DE764A0000-memory.dmp

Filesize
1.2MB

Download
memory/436-166-0x000001DE76360000-0x000001DE764A0000-memory.dmp

Filesize
1.2MB

Download
memory/436-165-0x00007FF7F6866890-mapping.dmp

Download
memory/540-136-0x0000000000000000-mapping.dmp

Download
memory/540-146-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/540-145-0x00000000022E0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/540-144-0x00000000021ED000-0x00000000022DC000-memory.dmp

Filesize
956KB

Download
memory/1336-141-0x0000000000000000-mapping.dmp

Download
memory/1336-150-0x0000000005BF0000-0x0000000006315000-memory.dmp

Filesize
7.1MB

Download
memory/1336-160-0x0000000004940000-0x0000000004A80000-memory.dmp

Filesize
1.2MB

Download
memory/1336-161-0x0000000004940000-0x0000000004A80000-memory.dmp

Filesize
1.2MB

Download
memory/1336-163-0x00000000049B9000-0x00000000049BB000-memory.dmp

Filesize
8KB

Download
memory/1336-162-0x0000000004940000-0x0000000004A80000-memory.dmp

Filesize
1.2MB

Download
memory/1336-164-0x0000000004940000-0x0000000004A80000-memory.dmp

Filesize
1.2MB

Download
memory/1336-152-0x0000000004940000-0x0000000004A80000-memory.dmp

Filesize
1.2MB

Download
memory/1336-153-0x0000000004940000-0x0000000004A80000-memory.dmp

Filesize
1.2MB

Download
memory/1336-151-0x0000000005BF0000-0x0000000006315000-memory.dmp

Filesize
7.1MB

Download
memory/1336-170-0x0000000005BF0000-0x0000000006315000-memory.dmp

Filesize
7.1MB

Download
memory/2864-174-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/2864-173-0x0000000000642000-0x0000000000653000-memory.dmp

Filesize
68KB

Download
memory/4256-132-0x00000000006F8000-0x0000000000709000-memory.dmp

Filesize
68KB

Download
memory/4256-135-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4256-134-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4256-133-0x0000000002190000-0x0000000002199000-memory.dmp

Filesize
36KB

Download
memory/4264-180-0x0000000003E10000-0x0000000004535000-memory.dmp

Filesize
7.1MB

Download
memory/4352-159-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4352-158-0x00000000004D0000-0x00000000004D9000-memory.dmp

Filesize
36KB

Download
memory/4352-157-0x0000000000579000-0x000000000058A000-memory.dmp

Filesize
68KB

Download
memory/4352-175-0x0000000000579000-0x000000000058A000-memory.dmp

Filesize
68KB

Download
memory/4352-176-0x0000000000400000-0x000000000045F000-memory.dmp

Filesize
380KB

Download
memory/4352-154-0x0000000000000000-mapping.dmp

Download