danabot | 8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 16:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe
Size

1.1MB
MD5

12cf7e08bf3ecec0cc45459b775e00bd
SHA1

f6a63e2e17ed8d9a60f9a3d318352b0e42f282e0
SHA256

8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef
SHA512

acabde9905211dd4a1c196d9a0c35a7c47e67ba414ea5229107c4ce61d59539e825031b85dbe78bfc24dca273fb441ca6d281f83e71d8f9731445c102bdebebb
SSDEEP

24576:2EXxRxcKiLLWJ7whEzpabIU46BFu/KafnBTGJhD1UsDfq7me:2c5gLs7Dzpa8kafBa9tLqT

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

9 4568 rundll32.exe
10 4568 rundll32.exe
36 4568 rundll32.exe
38 4568 rundll32.exe

flow	pid	process
9	4568	rundll32.exe
10	4568	rundll32.exe
36	4568	rundll32.exe
38	4568	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_RHP.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Edit_R_RHP..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Edit_R_RHP.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

4568 rundll32.exe
3476 svchost.exe
3044 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
4568	rundll32.exe
3476	svchost.exe
3044	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 4568 set thread context of 3548 4568 rundll32.exe rundll32.exe

description	pid	process	target process
PID 4568 set thread context of 3548	4568	rundll32.exe	rundll32.exe

Drops file in Program Files directory 46 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\weblink.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroTextExtractor.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fr.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\open_original_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FullTrustNotifier.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fa.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\eu.txt	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Stamp.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\[email protected]	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\et.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\weblink.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.cfg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\manifest.json	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-file-l2-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\crashreporter-override.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP..dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\open_original_form.gif	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-stdio-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Stamp.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\LightTheme.acrotheme	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_browser.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\autoconfig.js	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\create_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\natives_blob.bin	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-crt-heap-l1-1-0.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4836 1960 WerFault.exe 8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe

pid	pid_target	process	target process
4836	1960	WerFault.exe	8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exerundll32.exerundll32.exe

description	ioc	process
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\13E509E07B08A794897D4BEE817742A6592AAE5B	rundll32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\13E509E07B08A794897D4BEE817742A6592AAE5B\Blob = 03000000010000001400000013e509e07b08a794897d4bee817742a6592aae5b2000000001000000230200003082021f30820188a00302010202086c9b34e263e91433300d06092a864886f70d01010b0500302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746520417574686f72696479301e170d3230313232303137313231355a170d3234313231393137313231355a302f312d302b06035504030c244d6963726f736f667420526f6f7420436572746966696361746520417574686f7269647930819f300d06092a864886f70d010101050003818d0030818902818100d9b16015e7d41bff32c84f135a834945ff7baba9dd9849f205bd274bef81425fd1aa02f57745241050d98bc34f1ee8cd8f93e6cc4c708250e5f1f021064cffda4479531c8d875621a13d1c51f1bf21b7111bb5f0bcb539824dea0d24729bc6100ace442ffa64e6558f9d34a4d1610369bca5843b9b0ed72761f2c444ca5300010203010001a3443042300f0603551d130101ff040530030101ff302f0603551d110428302682244d6963726f736f667420526f6f7420436572746966696361746520417574686f72696479300d06092a864886f70d01010b050003818100b9184c243212afa916ad425833cc040129a09e93a8488859a911fa5095e4424a6746c7f4ab17f7ae74a41b20f4c09bd6aa6f12075743f6208480ded5522f421e61230994523f82885892a64563602b21ed73a9aac069840fa07134446eeda38c68add44ef262a7f1eb79f91d6f516b70bc58a188a04a3f9c3f2c9e7714d77d95	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3476	svchost.exe
3476	svchost.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
4568	rundll32.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe
3476	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 4568 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

3548 rundll32.exe
4568 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	4568	rundll32.exe

pid	process
3548	rundll32.exe
4568	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exerundll32.exesvchost.exe

description	pid	process	target process
PID 1960 wrote to memory of 4568	1960	8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe	rundll32.exe
PID 1960 wrote to memory of 4568	1960	8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe	rundll32.exe
PID 1960 wrote to memory of 4568	1960	8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe	rundll32.exe
PID 4568 wrote to memory of 3548	4568	rundll32.exe	rundll32.exe
PID 4568 wrote to memory of 3548	4568	rundll32.exe	rundll32.exe
PID 4568 wrote to memory of 3548	4568	rundll32.exe	rundll32.exe
PID 3476 wrote to memory of 3044	3476	svchost.exe	rundll32.exe
PID 3476 wrote to memory of 3044	3476	svchost.exe	rundll32.exe
PID 3476 wrote to memory of 3044	3476	svchost.exe	rundll32.exe
PID 4568 wrote to memory of 1324	4568	rundll32.exe	schtasks.exe
PID 4568 wrote to memory of 1324	4568	rundll32.exe	schtasks.exe
PID 4568 wrote to memory of 1324	4568	rundll32.exe	schtasks.exe
PID 4568 wrote to memory of 1996	4568	rundll32.exe	schtasks.exe
PID 4568 wrote to memory of 1996	4568	rundll32.exe	schtasks.exe
PID 4568 wrote to memory of 1996	4568	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe
"C:\Users\Admin\AppData\Local\Temp\8142eb4d1fe2acef70117987a801088bc9a9f2efc41908b86f1cc6c74848efef.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:4568

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14100
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3548

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1324

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 528
2⤵
- Program crash
PID:4836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1960 -ip 1960
1⤵
PID:4928

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4312

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\edit_r_rhp..dll",bSxBOU1Z
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3044

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP..dll

Filesize
797KB

MD5
76ad0c5a4d4370506df7fbe6fc770b7f

SHA1
359ed24d4b9550c146e6c5795abff1c27b34c31b

SHA256
7791033237bd6e802dc94c53ea5a81aa0628e7c37a50a63bec8aea8ea6551381

SHA512
544bb7a6aef5361d28a0dfb526b7ac8b51297469014a39febd8c5372db42fbae696804a02d9580c392b254d54eed247abc77cce7062e6bbff0e89553793fa95c

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP..dll

Filesize
797KB

MD5
76ad0c5a4d4370506df7fbe6fc770b7f

SHA1
359ed24d4b9550c146e6c5795abff1c27b34c31b

SHA256
7791033237bd6e802dc94c53ea5a81aa0628e7c37a50a63bec8aea8ea6551381

SHA512
544bb7a6aef5361d28a0dfb526b7ac8b51297469014a39febd8c5372db42fbae696804a02d9580c392b254d54eed247abc77cce7062e6bbff0e89553793fa95c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.osmmui.msi.16.en-us.xml

Filesize
10KB

MD5
3ef69b2c0f15e6b97fca1141bc9beb9a

SHA1
421916704e31978eb77421161bb170003a83c1a2

SHA256
f3e25cf6f3fdd2017b76701290ba9599384dd2084111545f6da078502cae29cc

SHA512
cec4a92eb852d731571a4e1098f195b2f3d84a5fde17c5e6ba5d3e7464f2352fe25cb67b051078f0742696b0aa862960e0203c2231df1552534c06539149427d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiPT0000.000

Filesize
240B

MD5
7fea1d74e91f1d30a5b383cd110d0ea1

SHA1
110c6f99976e06ac0fe791fd7ab8971a15fa6a53

SHA256
f7bcbd8bf4753a93b5ca9b01595216054a8fed6cc0730727d3502b95a0e1c0c4

SHA512
57ec92c15b3423e602b5983a3dc0883eb69909e479ea87c1f605cb9caf33679f28ae479baaca71dae47006ca459e67c567a2a06cf68d9ec4e8afe00e325c6b3f

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
d783aa5cf653cfd48fa995554d5bda61

SHA1
067511b187b30981096dcaed694b6ca04c8bf649

SHA256
11d75abb88ac5d66fe92b59b01653cde7b41510d20bc1eab2c20166dd628dbf4

SHA512
85cc8d6f355ee1f9cc0d123c09ba6f7481255c254162250e84a9268e8dcb72ae7deb327872726c53e58c887c6b480cf6975d64bee9620a2d09783a1c74318179

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
16KB

MD5
4194b927b32c56bb3a5ed72c164c917e

SHA1
ec60c6bb8b2d0181408c65b3456b7b3b92cca134

SHA256
86d065b6d87309122e9fce9b960f5d56a45dfcdd83122a4225ed9fd3136320d8

SHA512
c94baa6f849bb048e572667e19268754efc58bce6673373db9817c729b36acbfd0bb30975a441f2a5cd16e00be97db412dd82f1669c1701004a1e27307f75c1d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe.xml

Filesize
27KB

MD5
539930de67b99bab23fe2c67000eeddb

SHA1
6b0e5ece46ecb0b019ec71caa44facf122647059

SHA256
2f578443ca2045e8432f4a39bcd367ae343405e8daf368dff91e9198fa1a658c

SHA512
ddddcd7011ad0fb53fc816056a6df2045a7956158c009d8a708eafd0b2eaeccc55a847c96894ee04542315cec373165efc0e331da6316ceb9e5768f8861946ce

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOutlook2013CAWin64.xml

Filesize
1KB

MD5
880227fa1e5c41f3a7ea11e13f156de7

SHA1
042b7a68c2b3c588522edd750209bb4576638991

SHA256
c7f9df2f4c59a9f856761c82d28874f752cad8bdca8102bff4ff41c514f0b9fc

SHA512
caa06d82bb2e828e4e08fcca96c4b789b31611864b827ae9468e9dfbadbe10a48ae366d3d96bf92567f41d0c6792986363a0dfa6564332296fe1c111ffef4f30

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\StorageHealthModel.dat

Filesize
542KB

MD5
1ffbb6bf6ac240feb3fada4eedbe5310

SHA1
3f8ef6d47bda2b464024e8d09577591fab2685d7

SHA256
c09e4425d87b888993f114755887611f68d351961e429628b952b9b62b49ef5a

SHA512
18c37c2c207664a231144dced3f8a4b97c3787da1174c08f357d9d6e80ae5cd68bcaf2c89062371b40ac9d235a882053bb80d46c28ff7f4e85c2ab25dc5a7081

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Windows.jfm

Filesize
16KB

MD5
aaa19712ec102084062e9f0d4c6cb5af

SHA1
2cfc6c1abd08dfe0510fc03b7e47fec3ce070e08

SHA256
6d4b27dc730b2bdf9897663a9b0ddf8bb07612c0612369a970cef045ab23fc07

SHA512
338a77010a1b061a535c564559f88e969f15795505b7eaaa94d0018815e55e5e8a899095ea269e2148013247052d499d49146ba13b297fab6017678d52d853e3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\folder.ico

Filesize
52KB

MD5
bbf9dbdc079c0cd95f78d728aa3912d4

SHA1
051f76cc8c6520768bac9559bb329abeebd70d7c

SHA256
bef53904908769ceeb60f8e0976c3194e73534f00f4afb65497c2091121b98b2

SHA512
af110c52c983f1cf55b3db7d375e03c8c9308e3cf9ee1c154c2b25cb3f8299f0c0ba87b47445f09f98659eb536184c245887a341733c11af713e9ecc15288b5d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xml

Filesize
1KB

MD5
74371c7c6436c5599c4533dcc895760f

SHA1
8d37bece96e25ab522809539395d138d38dd6114

SHA256
c636384cf084f5df312cd9d33fccaa58058a3b2c6481e90cf9c71616c004d938

SHA512
689c7d02f15728f3823667fa4b2754b1bda40f35c5baaf250f6aa17638950f9e9135eb273d4108967253a728edb3418d09e636ca0f0599343375c4b56cfd0afe

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\tasks.xml

Filesize
11KB

MD5
6ab160b8998020e6d4373c003e9879d4

SHA1
efa87d3fb95a73a892ed88b08651c44fe03c150f

SHA256
faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516

SHA512
c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\edit_r_rhp..dll

Filesize
797KB

MD5
76ad0c5a4d4370506df7fbe6fc770b7f

SHA1
359ed24d4b9550c146e6c5795abff1c27b34c31b

SHA256
7791033237bd6e802dc94c53ea5a81aa0628e7c37a50a63bec8aea8ea6551381

SHA512
544bb7a6aef5361d28a0dfb526b7ac8b51297469014a39febd8c5372db42fbae696804a02d9580c392b254d54eed247abc77cce7062e6bbff0e89553793fa95c

Download Submit
memory/1324-173-0x0000000000000000-mapping.dmp

Download
memory/1960-132-0x0000000002384000-0x0000000002473000-memory.dmp

Filesize
956KB

Download
memory/1960-135-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1960-138-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/1960-133-0x0000000002480000-0x00000000025B0000-memory.dmp

Filesize
1.2MB

Download
memory/1996-174-0x0000000000000000-mapping.dmp

Download
memory/3044-176-0x0000000004780000-0x0000000004EA5000-memory.dmp

Filesize
7.1MB

Download
memory/3044-168-0x0000000000000000-mapping.dmp

Download
memory/3044-172-0x0000000004780000-0x0000000004EA5000-memory.dmp

Filesize
7.1MB

Download
memory/3044-171-0x0000000004780000-0x0000000004EA5000-memory.dmp

Filesize
7.1MB

Download
memory/3476-175-0x00000000037E0000-0x0000000003F05000-memory.dmp

Filesize
7.1MB

Download
memory/3476-157-0x00000000037E0000-0x0000000003F05000-memory.dmp

Filesize
7.1MB

Download
memory/3476-170-0x00000000037E0000-0x0000000003F05000-memory.dmp

Filesize
7.1MB

Download
memory/3548-152-0x00000260A1240000-0x00000260A146A000-memory.dmp

Filesize
2.2MB

Download
memory/3548-148-0x00000260A2C10000-0x00000260A2D50000-memory.dmp

Filesize
1.2MB

Download
memory/3548-147-0x00007FF6512E6890-mapping.dmp

Download
memory/3548-151-0x0000000000F90000-0x00000000011A9000-memory.dmp

Filesize
2.1MB

Download
memory/3548-149-0x00000260A2C10000-0x00000260A2D50000-memory.dmp

Filesize
1.2MB

Download
memory/4568-142-0x0000000004F30000-0x0000000005070000-memory.dmp

Filesize
1.2MB

Download
memory/4568-139-0x0000000004700000-0x0000000004E25000-memory.dmp

Filesize
7.1MB

Download
memory/4568-140-0x0000000004700000-0x0000000004E25000-memory.dmp

Filesize
7.1MB

Download
memory/4568-134-0x0000000000000000-mapping.dmp

Download
memory/4568-141-0x0000000004F30000-0x0000000005070000-memory.dmp

Filesize
1.2MB

Download
memory/4568-143-0x0000000004F30000-0x0000000005070000-memory.dmp

Filesize
1.2MB

Download
memory/4568-144-0x0000000004F30000-0x0000000005070000-memory.dmp

Filesize
1.2MB

Download
memory/4568-146-0x0000000004F30000-0x0000000005070000-memory.dmp

Filesize
1.2MB

Download
memory/4568-145-0x0000000004F30000-0x0000000005070000-memory.dmp

Filesize
1.2MB

Download
memory/4568-153-0x0000000004700000-0x0000000004E25000-memory.dmp

Filesize
7.1MB

Download
memory/4568-150-0x0000000004FA9000-0x0000000004FAB000-memory.dmp

Filesize
8KB

Download