Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
21-12-2022 03:08
General
-
Target
05edc8d9f36c5f1d93dc7bd7919b1db3c1b8a20921904ab31f443b59582c3c4b.exe
-
Size
220KB
-
MD5
a6d507b8992534fc63131c7b5118b44a
-
SHA1
94b80fca4ff1065e73da21f5e66ec7ffd7597b80
-
SHA256
05edc8d9f36c5f1d93dc7bd7919b1db3c1b8a20921904ab31f443b59582c3c4b
-
SHA512
817bebe22dc0b21679d96556553ff6f85bc9b1b78cd3a907bde7cad0732bc8ec485428ac8a5d8aa49fc5779c6eead380e9bf43092c8d780b5c57d3be2a976d7b
-
SSDEEP
3072:nY9FpLpqw115pJSQvh5TdW/9jbeN1IQV7b/yAug2oNHCDml:qHLpqwdvp64FjbCa
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 37 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 6 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 14 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05edc8d9f36c5f1d93dc7bd7919b1db3c1b8a20921904ab31f443b59582c3c4b.exe"C:\Users\Admin\AppData\Local\Temp\05edc8d9f36c5f1d93dc7bd7919b1db3c1b8a20921904ab31f443b59582c3c4b.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\DB03.exeC:\Users\Admin\AppData\Local\Temp\DB03.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141443⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 724 -s 5282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 724 -ip 7241⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Users\Admin\AppData\Roaming\ficbhbsC:\Users\Admin\AppData\Roaming\ficbhbs1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\aic_file_icons_retina_thumb_highContrast_bow.dllFilesize
797KB
MD5c2461609355f98f485b4d1a152193908
SHA14cb4e8a50d7d667404362be7acc503ffed03feec
SHA256952ae313561ce8589d1268999ff89bffbbd946901d9ae1869eeb58624c038a27
SHA512d1218d3b71a03acb108689602ad1ce3f961b2352cb404f5eb3d704587cc33fb033a023a2d64999552e236fc8d2ef80cbda2011116181234d73d86c178eca257d
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmpFilesize
1.2MB
MD530a8557d3b8544d542a04d266989917d
SHA199d869f29a5bbe47b880c2924b2e8aeb0fa2da13
SHA256a321413684106f176f80e5bcb7e6b2a1dcf89831f785bfac13882b2cbb458076
SHA5124d9e8160fb07b10491cf145ec5641c181659717bc93d9b519bbfb2ad0cf877f1c51ed578c09181cab291d269b4800e21b05c83e272ad1c007a49e0ff797be28e
-
C:\Users\Admin\AppData\Local\Temp\DB03.exeFilesize
1.1MB
MD57e9ce657b646e0ecff706bf6680061f0
SHA18f576b573c55ba4b3a36b495e9ab0361270b0fd7
SHA256f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9
SHA512360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d
-
C:\Users\Admin\AppData\Local\Temp\DB03.exeFilesize
1.1MB
MD57e9ce657b646e0ecff706bf6680061f0
SHA18f576b573c55ba4b3a36b495e9ab0361270b0fd7
SHA256f657d6f8f072dcf10f48e03b3b813cb9ab9c4b975dec12e9db8da868d3e50ab9
SHA512360890279533d6ad72f3640c31d7b7b69e5189ea65ca802e6855d6f874005838282b1caf0dde21ebcacc185d8db3229cf3c7fd4414a30660176ad4a6d352361d
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmpFilesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmpFilesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
C:\Users\Admin\AppData\Roaming\ficbhbsFilesize
220KB
MD5a6d507b8992534fc63131c7b5118b44a
SHA194b80fca4ff1065e73da21f5e66ec7ffd7597b80
SHA25605edc8d9f36c5f1d93dc7bd7919b1db3c1b8a20921904ab31f443b59582c3c4b
SHA512817bebe22dc0b21679d96556553ff6f85bc9b1b78cd3a907bde7cad0732bc8ec485428ac8a5d8aa49fc5779c6eead380e9bf43092c8d780b5c57d3be2a976d7b
-
C:\Users\Admin\AppData\Roaming\ficbhbsFilesize
220KB
MD5a6d507b8992534fc63131c7b5118b44a
SHA194b80fca4ff1065e73da21f5e66ec7ffd7597b80
SHA25605edc8d9f36c5f1d93dc7bd7919b1db3c1b8a20921904ab31f443b59582c3c4b
SHA512817bebe22dc0b21679d96556553ff6f85bc9b1b78cd3a907bde7cad0732bc8ec485428ac8a5d8aa49fc5779c6eead380e9bf43092c8d780b5c57d3be2a976d7b
-
\??\c:\program files (x86)\windowspowershell\modules\aic_file_icons_retina_thumb_highcontrast_bow.dllFilesize
797KB
MD5c2461609355f98f485b4d1a152193908
SHA14cb4e8a50d7d667404362be7acc503ffed03feec
SHA256952ae313561ce8589d1268999ff89bffbbd946901d9ae1869eeb58624c038a27
SHA512d1218d3b71a03acb108689602ad1ce3f961b2352cb404f5eb3d704587cc33fb033a023a2d64999552e236fc8d2ef80cbda2011116181234d73d86c178eca257d
-
memory/724-139-0x0000000000805000-0x00000000008F4000-memory.dmpFilesize
956KB
-
memory/724-142-0x0000000000400000-0x0000000000540000-memory.dmpFilesize
1.2MB
-
memory/724-141-0x00000000023A0000-0x00000000024D0000-memory.dmpFilesize
1.2MB
-
memory/724-136-0x0000000000000000-mapping.dmp
-
memory/2220-134-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/2220-133-0x0000000000470000-0x0000000000479000-memory.dmpFilesize
36KB
-
memory/2220-135-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/2220-132-0x00000000004A2000-0x00000000004B2000-memory.dmpFilesize
64KB
-
memory/2556-164-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/2556-163-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/2556-162-0x0000000000773000-0x0000000000784000-memory.dmpFilesize
68KB
-
memory/2672-150-0x0000000005070000-0x00000000051B0000-memory.dmpFilesize
1.2MB
-
memory/2672-159-0x0000000004780000-0x0000000004EA5000-memory.dmpFilesize
7.1MB
-
memory/2672-140-0x0000000000000000-mapping.dmp
-
memory/2672-145-0x0000000004780000-0x0000000004EA5000-memory.dmpFilesize
7.1MB
-
memory/2672-154-0x00000000050E9000-0x00000000050EB000-memory.dmpFilesize
8KB
-
memory/2672-146-0x0000000004780000-0x0000000004EA5000-memory.dmpFilesize
7.1MB
-
memory/2672-147-0x0000000005070000-0x00000000051B0000-memory.dmpFilesize
1.2MB
-
memory/2672-148-0x0000000005070000-0x00000000051B0000-memory.dmpFilesize
1.2MB
-
memory/2672-152-0x0000000005070000-0x00000000051B0000-memory.dmpFilesize
1.2MB
-
memory/2672-151-0x0000000005070000-0x00000000051B0000-memory.dmpFilesize
1.2MB
-
memory/2672-149-0x0000000005070000-0x00000000051B0000-memory.dmpFilesize
1.2MB
-
memory/4220-153-0x00007FF6A40C6890-mapping.dmp
-
memory/4220-158-0x00000203E9AD0000-0x00000203E9CFA000-memory.dmpFilesize
2.2MB
-
memory/4220-157-0x0000000000820000-0x0000000000A39000-memory.dmpFilesize
2.1MB
-
memory/4220-156-0x00000203EB4A0000-0x00000203EB5E0000-memory.dmpFilesize
1.2MB
-
memory/4220-155-0x00000203EB4A0000-0x00000203EB5E0000-memory.dmpFilesize
1.2MB