danabot | 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6

Analysis

max time kernel
149s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 00:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe
Size

1.1MB
MD5

de44d279f39623ad26d31fd91f4fbd5e
SHA1

72daf2a6b40945ca711adbcf06ab7b746e42b12b
SHA256

326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6
SHA512

18b481be9d9b8736cc090c2769faa0069203eab8739ac0b21d5da1061d2bbe45e20673996d7b3560d88b7257cd504c0d2557fb7256878ca93b5c057f4bccd15a
SSDEEP

24576:DFCh7F+NoOm2Halob3NE0GzWFw7GZOezzxUYpdrjPq1at3c:I1Uo2aYGzQwiZv1UYpd3qYC

Score

10^/10

danabot banker collection discovery persistence spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 1192 rundll32.exe
11 1192 rundll32.exe
43 1192 rundll32.exe
45 1192 rundll32.exe

flow	pid	process
10	1192	rundll32.exe
11	1192	rundll32.exe
43	1192	rundll32.exe
45	1192	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_browser.dll"	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\review_browser.dllԀ"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\review_browser\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 3 IoCs

Processes:

rundll32.exesvchost.exerundll32.exe

pid process

1192 rundll32.exe
3808 svchost.exe
3208 rundll32.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

pid	process
1192	rundll32.exe
3808	svchost.exe
3208	rundll32.exe

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	rundll32.exe

Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs

collection

Email Collection

T1114

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1192 set thread context of 804 1192 rundll32.exe rundll32.exe

description	pid	process	target process
PID 1192 set thread context of 804	1192	rundll32.exe	rundll32.exe

Drops file in Program Files directory 55 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\A12_Spinner_int_2x.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\delete.svg	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\dependentlibs.list	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\webcompat-reporter@mozilla.org.xpi	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DropboxStorage.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DropboxStorage.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\drvSOFT.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\ended_review_or_form.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_100_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\icudt40.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AGMGPUOptIn.ini	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\icudt40.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Updater.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\s_shared_multi_filetype.svg	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\ccloud.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\drvSOFT.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\delete.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ahclient.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\MCIMPP.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ended_review_or_form.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\en-US.pak	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner_int_2x.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.dll	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\fi.txt	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\FillSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\logsession.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\FillSign.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\logsession.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccloud.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\AdobeID.pdf	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\hr.txt	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\MCIMPP.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AddressBook.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\apple-touch-icon-72x72-precomposed.png	rundll32.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	rundll32.exe
File opened for modification	C:\Program Files\Mozilla Firefox\api-ms-win-core-processthreads-l1-1-1.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Updater.api	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

5068 1536 WerFault.exe 326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe

pid	pid_target	process	target process
5068	1536	WerFault.exe	326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe

Checks processor information in registry 2 TTPs 64 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exesvchost.exerundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	svchost.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	svchost.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	svchost.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0EE39B6D1587452D7B79921F6C7F79982DE6C25E\Blob = 0300000001000000140000000ee39b6d1587452d7b79921f6c7f79982de6c25e20000000010000007a02000030820276308201dfa00302010202080e26f6c71bad94ab300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f62616e20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230313232313031323232335a170d3234313232303031323232335a30613120301e06035504030c17446967694365727420476c6f62616e20526f6f7420473231193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100da6c941f7508f9559fa83a60cb838e07bd322af5f403450001fd9f271a14806d60f94aef46c126107e14c1222b3e7c9669675c3445dfb6544227fe9a4e56bfeeff78b088398178e3397d383a3059072568d6e183240cd6700907a8136990fadb7666e4d08fa10e5549c494307990d844dc741a935e6c9128758b08c6c8a499970203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365727420476c6f62616e20526f6f74204732300d06092a864886f70d01010b0500038181000114bd955725ccbb5b4a39aaa09dd25e1252033d4aaad46353e0d474a5650628f24708768bda7b5c82b2c08ac4c88c5e9459d0a2bf96755e4851d29c1ae87813fa28b344489f99d9749ac20a3e193974748c11d72d2c694d66b3eb65a7cb8bfdc3d99d1c376714782a439ca913e8c6ae428213850c8622a77b486341e2d16a34	rundll32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\0EE39B6D1587452D7B79921F6C7F79982DE6C25E	rundll32.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

svchost.exerundll32.exe

pid	process
3808	svchost.exe
3808	svchost.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
1192	rundll32.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe
3808	svchost.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 1192 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

rundll32.exerundll32.exe

pid process

804 rundll32.exe
1192 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1192	rundll32.exe

pid	process
804	rundll32.exe
1192	rundll32.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exerundll32.exesvchost.exe

description	pid	process	target process
PID 1536 wrote to memory of 1192	1536	326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe	rundll32.exe
PID 1536 wrote to memory of 1192	1536	326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe	rundll32.exe
PID 1536 wrote to memory of 1192	1536	326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe	rundll32.exe
PID 1192 wrote to memory of 804	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 804	1192	rundll32.exe	rundll32.exe
PID 1192 wrote to memory of 804	1192	rundll32.exe	rundll32.exe
PID 3808 wrote to memory of 3208	3808	svchost.exe	rundll32.exe
PID 3808 wrote to memory of 3208	3808	svchost.exe	rundll32.exe
PID 3808 wrote to memory of 3208	3808	svchost.exe	rundll32.exe
PID 1192 wrote to memory of 4580	1192	rundll32.exe	schtasks.exe
PID 1192 wrote to memory of 4580	1192	rundll32.exe	schtasks.exe
PID 1192 wrote to memory of 4580	1192	rundll32.exe	schtasks.exe
PID 1192 wrote to memory of 2896	1192	rundll32.exe	schtasks.exe
PID 1192 wrote to memory of 2896	1192	rundll32.exe	schtasks.exe
PID 1192 wrote to memory of 2896	1192	rundll32.exe	schtasks.exe

outlook_office_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

outlook_win_path 1 IoCs

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe
"C:\Users\Admin\AppData\Local\Temp\326d6357b1fee8ea0028235b173c0727072a6013c035e084790ef78679696bd6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1536

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
PID:1192

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:804

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:4580

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1536 -s 536
2⤵
- Program crash
PID:5068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 1536 -ip 1536
1⤵
PID:5108

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2544

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\review_browser.dll",T0oFRDE1
2⤵
- Loads dropped DLL
- Checks processor information in registry
PID:3208

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Install Root Certificate

T1130

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.dll
Filesize
797KB

MD5
0fe391a714d3ae57c7c0ab846583fd00

SHA1
be2ba66ecc2e27ef96b48a640aed0d801108161f

SHA256
cbafaf847186fde78c833922a72082d488e1fefdb195a30cbe8edd076eb77f56

SHA512
91db3ed1e0cf329ebd74372b85d0d6a26f2cad8867d9e04c458b006af5825cefc3de8e6e6375ebf1926ad84c5c920391f3419d2152722137f3c929315596d2b2

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\review_browser.dll
Filesize
797KB

MD5
0fe391a714d3ae57c7c0ab846583fd00

SHA1
be2ba66ecc2e27ef96b48a640aed0d801108161f

SHA256
cbafaf847186fde78c833922a72082d488e1fefdb195a30cbe8edd076eb77f56

SHA512
91db3ed1e0cf329ebd74372b85d0d6a26f2cad8867d9e04c458b006af5825cefc3de8e6e6375ebf1926ad84c5c920391f3419d2152722137f3c929315596d2b2

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\613a5533519f8bfc5ac94c405722cb67_957af1f1-6875-4c40-9804-a0dcc430f453
Filesize
1KB

MD5
a1fb2f5c2a9632f184b145477461bfa8

SHA1
5c81d4c0ba7a450a4d02a5842ae6ea68a857b850

SHA256
bad97e62a22b4fc4df405c0249fcd5b35ec211891426996ac9422b3b48f0431b

SHA512
480dc191e2926742b19b2b64591d554402ba17f625d81df25f5d70c27efb4cc99e56ca00a429d06733380819d23ee978a957d2adadfa1562749614816d492172

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.osmuxmui.msi.16.en-us.xml
Filesize
10KB

MD5
220ae72aa2505c9276da2056b7e34936

SHA1
6dfb0f4fd5c0d25062d3d1235fc20358560fdb89

SHA256
afc37ba57fac36ba151953b67619dbbb985f58122f4ebe07f15b312b5bdf004c

SHA512
cab8485458b9870015f037fc6c8279018bf212d36ba01181bdb90970473a4b5aaeb9708e36eb21c8e6c1301dbdca630b29c8b3a6fa82fa14fb04bc65d235debd

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\F46D4000-FD22-4DB4-AC8E-4E1DDDE828FE_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xml
Filesize
2KB

MD5
db0acdbf49f80d3f3b0fb65a71b39341

SHA1
12c6d86ba5f90a1e1d2b4b4ec3bd94fc9f1296ae

SHA256
f8a8635147117201638a6a4dfa8dcd5b4506cbee07f582001d2a92da434a231f

SHA512
3d4e7547c8186164aa3fb7f08a50e6b065d536ca5ec8bc216c9dfd34c98e7c58c64ebcb39077fbd46370bc42b504acf769c6b3c7387cb98ec209087d4d46d784

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
de3c17a9cd6ad202dd9dfe5016872d20

SHA1
578f0c4575f251eabbd72b60503db6d6901ef6e8

SHA256
6c0278860d1fa200474fd0a7d7ee0919649a86961139d8f857402d82340bd73b

SHA512
3256cc52637a2393c0e3a92cd5a5a841d41a88c4cc03ef1ce3b4325b96fd125bddbc4de90605273c53b9594dbf1ce098cb422b8d7825c4e328b20b415fba29f2

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
47c91b587fc2019ace1d124b298a0c89

SHA1
56f89598e4fe10c16e63b0bbf5b2b8e68c18a82c

SHA256
bcc92fc267eee1d862f811d25b77b9b4eb98aee278e37a8d5db24490ed3ce3d0

SHA512
ac25952fb69053a95bfd4e11a9d3b3e0d4267c1f704bac3f6d5325da341f5103c8df06738d7abc96c129f5feed54fc0317ac733b9c16f42197d072c6eceb6764

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe.xml
Filesize
7KB

MD5
cc4cc0e085cfafe9c540f7a6a4cad93e

SHA1
8982a1b3d8f3d8bc37b1c12f9a7f594723d03247

SHA256
fa0819943729b9c38d89e92fcbc31ba393b49baa524bfa4ee9f2f471f8fcf756

SHA512
b8f591ee4b5b241025a0d583efed50fb548a180599bc4dab2f7b978da4daf08ca917e539354e2510aaca35257854034de3e3f3a8242eaa71f5ec9c4b3dc289d5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe.xml
Filesize
830B

MD5
05cd2b53b1d4a6dfec2c8e5bea828b91

SHA1
717e71c2e42f0a993d6a110c3b6c37e5560837ec

SHA256
225e46e9c3381e4935dc7c245ce3e3fec92d1a777b2af82c3aae05802d7420c7

SHA512
a6d69ed210136c098d7ead5b22d2317476fa1ad1690b52f9b1c3620d7b0e52a5adc4f90e18cf971af48bab3a9d8afd50d0d4536ab73faa288687bedc11a5d1e2

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.gthr
Filesize
10KB

MD5
1cc89e36fb7d379cb763bbb66cc83b6e

SHA1
bb1bb13857b1de21e25205288048a5d1f40198ce

SHA256
e1a35f047df609333e5aef5eab41cde04457c55e7d9b761fc30b315243864122

SHA512
cb2da3c09f65b47aa6ccce46f032c2d0ffd879dd85229ecb7d59349d51b07430e34869b1ccb23be7fbe64f2022be7ac4ccd6223dbbcdbe1e8aabce2056ce5ca0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.ASM-WindowsDefault.json
Filesize
146KB

MD5
d054101b077a5d6ee42f48bbe0a98033

SHA1
e27de6db98d496419be668cdbb0d63693353a08a

SHA256
b44915e8ebc59eb07e1571de5dfe8e7ae87aca64b2aa64bd5aaf3ebfe06f72a8

SHA512
364a15229a7563af5657355b3ec6838f1367f89163fa43cf835756d5b3ae7df1fbd6b577d31f275b5030f00255c2a1958c6d88b43e84b283a602931c9af1921b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\review_browser.dll
Filesize
797KB

MD5
0fe391a714d3ae57c7c0ab846583fd00

SHA1
be2ba66ecc2e27ef96b48a640aed0d801108161f

SHA256
cbafaf847186fde78c833922a72082d488e1fefdb195a30cbe8edd076eb77f56

SHA512
91db3ed1e0cf329ebd74372b85d0d6a26f2cad8867d9e04c458b006af5825cefc3de8e6e6375ebf1926ad84c5c920391f3419d2152722137f3c929315596d2b2

Download Submit
memory/804-151-0x0000021716D50000-0x0000021716F7A000-memory.dmp

Filesize
2.2MB

Download
memory/804-147-0x00007FF7A8F26890-mapping.dmp

Download
memory/804-148-0x0000021718590000-0x00000217186D0000-memory.dmp

Filesize
1.2MB

Download
memory/804-149-0x0000021718590000-0x00000217186D0000-memory.dmp

Filesize
1.2MB

Download
memory/804-150-0x00000000008B0000-0x0000000000AC9000-memory.dmp

Filesize
2.1MB

Download
memory/1192-142-0x0000000004AB0000-0x0000000004BF0000-memory.dmp

Filesize
1.2MB

Download
memory/1192-139-0x0000000004E90000-0x00000000055B5000-memory.dmp

Filesize
7.1MB

Download
memory/1192-146-0x0000000004AB0000-0x0000000004BF0000-memory.dmp

Filesize
1.2MB

Download
memory/1192-145-0x0000000004B29000-0x0000000004B2B000-memory.dmp

Filesize
8KB

Download
memory/1192-144-0x0000000004AB0000-0x0000000004BF0000-memory.dmp

Filesize
1.2MB

Download
memory/1192-138-0x0000000004E90000-0x00000000055B5000-memory.dmp

Filesize
7.1MB

Download
memory/1192-143-0x0000000004AB0000-0x0000000004BF0000-memory.dmp

Filesize
1.2MB

Download
memory/1192-132-0x0000000000000000-mapping.dmp

Download
memory/1192-140-0x0000000004AB0000-0x0000000004BF0000-memory.dmp

Filesize
1.2MB

Download
memory/1192-141-0x0000000004AB0000-0x0000000004BF0000-memory.dmp

Filesize
1.2MB

Download
memory/1192-152-0x0000000004E90000-0x00000000055B5000-memory.dmp

Filesize
7.1MB

Download
memory/1536-137-0x0000000000400000-0x000000000053D000-memory.dmp

Filesize
1.2MB

Download
memory/1536-136-0x00000000022A0000-0x00000000023D0000-memory.dmp

Filesize
1.2MB

Download
memory/1536-135-0x0000000000805000-0x00000000008F4000-memory.dmp

Filesize
956KB

Download
memory/2896-171-0x0000000000000000-mapping.dmp

Download
memory/3208-164-0x0000000000000000-mapping.dmp

Download
memory/3208-168-0x0000000004830000-0x0000000004F55000-memory.dmp

Filesize
7.1MB

Download
memory/3208-169-0x0000000004830000-0x0000000004F55000-memory.dmp

Filesize
7.1MB

Download
memory/3208-173-0x0000000004830000-0x0000000004F55000-memory.dmp

Filesize
7.1MB

Download
memory/3808-156-0x0000000003C40000-0x0000000004365000-memory.dmp

Filesize
7.1MB

Download
memory/3808-167-0x0000000003C40000-0x0000000004365000-memory.dmp

Filesize
7.1MB

Download
memory/3808-172-0x0000000003C40000-0x0000000004365000-memory.dmp

Filesize
7.1MB

Download
memory/4580-170-0x0000000000000000-mapping.dmp

Download