Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    146s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2022 06:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    221KB

  • MD5

    b4cc7f9e1425c25f8a7c1a6b007cdb8a

  • SHA1

    ca8f66154f1c73766c3490c1bfa00eba01c78f35

  • SHA256

    93809ca37ec6d91dba9e24f470bc7f371d325a0d152ce5510c61de8e5e6af52c

  • SHA512

    748ed7b7d5d8e03d75c0f776f6b6ee1b0a5d89d527f4e9f065c51ece781a55ab531e48f25168ab7e0ef8a312493746cf59a51668616a866ad2ca8c05ad427a4e

  • SSDEEP

    3072:1DrFLZyBt15r7TVKFcyjWeAxHeWElsi7b/JONFXNHCDml:NZLZyBhTVYcwKeW0edCa

Score
10/10
danabotsmokeloaderbackdoorbankerdiscoverytrojan

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

    trojanbackdoorsmokeloader
  • Blocklisted process makes network request 3 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 24 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
    adwarespyware
  • Modifies registry class 30 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 18 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:5028
  • C:\Users\Admin\AppData\Local\Temp\106B.exe
    C:\Users\Admin\AppData\Local\Temp\106B.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:936
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14150
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:888
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 528
      2⤵
      • Program crash
      PID:2440
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1444 -ip 1444
    1⤵
      PID:3732
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:2476
      • C:\Windows\SysWOW64\svchost.exe
        C:\Windows\SysWOW64\svchost.exe -k LocalService
        1⤵
          PID:3392
          • C:\Windows\SysWOW64\rundll32.exe
            "C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobepdf417.dll",mzphNkhJ
            2⤵
              PID:2672

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.dll
            Filesize

            797KB

            MD5

            dd844585bcfc85e3845deefe7fa556ec

            SHA1

            bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

            SHA256

            091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

            SHA512

            f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

            Download Submit

          • C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.dll
            Filesize

            797KB

            MD5

            dd844585bcfc85e3845deefe7fa556ec

            SHA1

            bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

            SHA256

            091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

            SHA512

            f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch
            Filesize

            110B

            MD5

            37a1115747e63e1c0ead2c66301f22d3

            SHA1

            44339aa5b475ecc2669a69fa1850ffcbf6fc666e

            SHA256

            9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

            SHA512

            6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml
            Filesize

            1KB

            MD5

            c37e4631cac9c6fa2115119130d34fee

            SHA1

            664383d10910b76f9ab7bcb78a1e8893ca4d70f9

            SHA256

            cb1e437488402db0a3e03ca37dd6ef28d4fac99030caa31a17951d06ede7d4db

            SHA512

            d27d93122f2d372b4c0b5e8a7e51383a761e7cc94d78e9b64bbbc9ff847d72a6bc2b0e6ed948be194d02ad034b4cc6e0f0eb3448f0a3227374888f7e0725adaf

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Proof.Culture.msi.16.es-es.xml
            Filesize

            23KB

            MD5

            156b3ab70b2cce134d493104d047e6fa

            SHA1

            9907a741812bef8c5b55d0e73c9ac5c0d973c4be

            SHA256

            5fba15e64d0ff7075951a8e6bf758d81d4c14fa98e6b8604d5bbc43317da8c01

            SHA512

            f3b2157c6aaf1b9e450872057fd5ddaad36bd30be98a48c28c0617c7a638a378dc38cbdbfb9f4b66858b32dfa3e79d577f99fd488b73b6000d1d8887640e7cbd

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.wordmui.msi.16.en-us.xml
            Filesize

            77KB

            MD5

            50a33f3ee76c3f15703f82890efcc8c8

            SHA1

            b24e99bb702478edcbbda43f75457e5833abdc95

            SHA256

            77a2a4517a0c488c78bf9742e86de5af419d6c148346845d8b0f062d5f8a631a

            SHA512

            f14e224c1582476f09f969f1e29d5e2fa7855b22aa6b35682e264da0fc6cafdc1d62022dde5032206e1d973382604d9ccfa7495ebf90578a55c9c74bac1e606e

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiST0000.001
            Filesize

            64KB

            MD5

            fdd46407d537120755d80ee12a6db845

            SHA1

            e3198aacad3b7a732e4158beeaa7c86071eb87dc

            SHA256

            bdad7b26f4486b8d623dfab6f5fbed9a0447fb9849279ee08468c8179fda302f

            SHA512

            79f767cbf8d1a0edbf575f31f19803028c24ce12ac62a140e02bda768b53ec1324ae73d21b80e2f7faa591d907f8d7961f1dabe4122c94f1ebc73691ba5713c4

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\DesktopSettings2013.xml
            Filesize

            17KB

            MD5

            c6b6b07071e0f8ff39f5941a3169b20c

            SHA1

            d77fd2513ac3cb9b8595424d1f695fce21e33d96

            SHA256

            f8b710777d2c0105e74ee27ee6dfc8e43ca4ff7e14b4dba390eb72dad20705bd

            SHA512

            167ab504d6e4c91239f8239722aba17a7f6748fb3e8ee750b2d3f3fd677e6646a8149c8b956513cb2e90722196471865591215938cea8444fdf2e5cff180fdec

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            e9a3e5dee9ba70b8a139f8c9e880ccef

            SHA1

            a316a21bd3a1860c03e91c0fbbae2edaf038bd0a

            SHA256

            25f15d424a04032390b3daa16003610b9a96c9d03b4d77e55f460475a0c6e12e

            SHA512

            9e36b5034ed316b81865dc14c6be389365fc0845319b484f40b5599c990fda259328bc2100f477e6f11cbaf3ae5850c933273e5e5cee5c7783e825bfd11fbed5

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
            Filesize

            2.3MB

            MD5

            e9a3e5dee9ba70b8a139f8c9e880ccef

            SHA1

            a316a21bd3a1860c03e91c0fbbae2edaf038bd0a

            SHA256

            25f15d424a04032390b3daa16003610b9a96c9d03b4d77e55f460475a0c6e12e

            SHA512

            9e36b5034ed316b81865dc14c6be389365fc0845319b484f40b5599c990fda259328bc2100f477e6f11cbaf3ae5850c933273e5e5cee5c7783e825bfd11fbed5

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe.xml
            Filesize

            17KB

            MD5

            1b8d789d46feb22b7fa9b011ac51f00f

            SHA1

            742b5b78b5d63450b5b5bde48ae90330f988c57e

            SHA256

            7c46108992cf848638182bf80bf19965f5052deed8a958804b6bdf828c167dec

            SHA512

            c524cac4cc8993c4f3c5d458f639314e07736bcd834179d23e929697d1c7d55b3cd1375108c2fc34133a9df3e297c1ea633e2676af9bf8e073774b4534693cf0

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml
            Filesize

            15KB

            MD5

            c73eeb9dedd94a612969e003260e6341

            SHA1

            0451277183bad12e3179c12c0a14694fab52bc8d

            SHA256

            1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355

            SHA512

            d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Pending.GRL
            Filesize

            14KB

            MD5

            fffde3df0d91311b7fe3f9bc8642a9ec

            SHA1

            50987906817aab51e2cc29fbce47ac5f0936a44e

            SHA256

            bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

            SHA512

            5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.Crwl
            Filesize

            1KB

            MD5

            a6c1043c3fa0c52648d52c2f7fc68d20

            SHA1

            1dcb91d73fe567eb3ddfb0c821e4d208f0d8a587

            SHA256

            5b378e85a5fff9ab2c62747a0ec157b16200ed1ffcafe6d09072e2823569da1c

            SHA512

            a4fd2d2f8d59b52dd684d7e289d0a4042808335a4b663ba107e0394df93484d14e61abfd5b177ba45df4c9fff98c2717748fdc0e98ad450d6316e0c890f7a2ea

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\background.png
            Filesize

            126KB

            MD5

            9adaf3a844ce0ce36bfed07fa2d7ef66

            SHA1

            3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

            SHA256

            d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

            SHA512

            e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.log
            Filesize

            64KB

            MD5

            a478d8d81ccd027e3da1b12cf7f019e6

            SHA1

            160e13490b21fa651c2762749269c4464360dd42

            SHA256

            f9ef1f809f35c0b47bd563a2a7f23a23b5e6f43f2eefa2a6360ddfcaa62bfec6

            SHA512

            b3c8227459e8883ddd998b21abdc4819820d0ef4a5af8e63c4cfa8c9df92bd2badd2970050fb7a824d779347b412c681c8bdd09d8333a0ef0d40e5a6535378da

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\s640.hash
            Filesize

            106B

            MD5

            bef40d5a19278ca19b56fbcdde7e26ef

            SHA1

            4f01d5b8de038e120c64bd7cc22cf150af1452fb

            SHA256

            7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

            SHA512

            5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

            Download Submit

          • C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\sync.ico
            Filesize

            48KB

            MD5

            d1c012ba7049a4525a89b26c846ce0d3

            SHA1

            769fccd1ed39b3b6ce1ec6e44f096107b4375c58

            SHA256

            fce3d2b3ca14bbb41fcb8956ef80af38976f4c32787cc1ac3cc1e465ce0453cc

            SHA512

            538b3c161e3192d3cb8b78f0fb5f863ae84d04a9f236a876e5002a90189cb4b5beea496aefb444de2dd9ea45d1f530359b38d6a45f3260d1d14924bd31918dc9

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\106B.exe
            Filesize

            1.1MB

            MD5

            5da677383072aa1b16364c5d580414f2

            SHA1

            4e9cc6e2e72453eac12712f5306595ba4d1f4e43

            SHA256

            58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

            SHA512

            ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\106B.exe
            Filesize

            1.1MB

            MD5

            5da677383072aa1b16364c5d580414f2

            SHA1

            4e9cc6e2e72453eac12712f5306595ba4d1f4e43

            SHA256

            58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

            SHA512

            ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
            Filesize

            797KB

            MD5

            24925b25552a7d8f1d3292071e545920

            SHA1

            f786e1d40df30f6fed0301d60c823b655f2d6eac

            SHA256

            9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

            SHA512

            242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

            Download Submit

          • \??\c:\program files (x86)\windowspowershell\modules\adobepdf417.dll
            Filesize

            797KB

            MD5

            dd844585bcfc85e3845deefe7fa556ec

            SHA1

            bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

            SHA256

            091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

            SHA512

            f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

            Download Submit

          • memory/888-162-0x000001FE03630000-0x000001FE0385A000-memory.dmp

            Filesize

            2.2MB

            Download

          • memory/888-158-0x000001FE05000000-0x000001FE05140000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/888-159-0x000001FE05000000-0x000001FE05140000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/888-161-0x0000000000220000-0x0000000000439000-memory.dmp

            Filesize

            2.1MB

            Download

          • memory/936-152-0x0000000005B60000-0x0000000005CA0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/936-150-0x0000000005370000-0x0000000005A95000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/936-156-0x0000000005B60000-0x0000000005CA0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/936-163-0x0000000005370000-0x0000000005A95000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/936-155-0x0000000005B60000-0x0000000005CA0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/936-154-0x0000000005B60000-0x0000000005CA0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/936-153-0x0000000005B60000-0x0000000005CA0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/936-149-0x0000000005370000-0x0000000005A95000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/936-151-0x0000000005B60000-0x0000000005CA0000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/936-160-0x0000000005BD9000-0x0000000005BDB000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1444-148-0x0000000000400000-0x0000000000540000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1444-147-0x0000000002350000-0x0000000002480000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/1444-146-0x00000000008B9000-0x00000000009A7000-memory.dmp

            Filesize

            952KB

            Download

          • memory/2672-187-0x0000000004800000-0x0000000004F25000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/2672-186-0x0000000004800000-0x0000000004F25000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3392-185-0x00000000038A0000-0x0000000003FC5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/3392-167-0x00000000038A0000-0x0000000003FC5000-memory.dmp

            Filesize

            7.1MB

            Download

          • memory/5028-139-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/5028-136-0x00000000001F0000-0x00000000001F9000-memory.dmp

            Filesize

            36KB

            Download

          • memory/5028-137-0x0000000000400000-0x0000000000462000-memory.dmp

            Filesize

            392KB

            Download

          • memory/5028-138-0x0000000000503000-0x0000000000514000-memory.dmp

            Filesize

            68KB

            Download

          • memory/5028-135-0x0000000000503000-0x0000000000514000-memory.dmp

            Filesize

            68KB

            Download