danabot | 93809ca37ec6d91dba9e24f470bc7f371d325a0d152ce5510c61de8e5e6af52c

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

221KB
MD5

b4cc7f9e1425c25f8a7c1a6b007cdb8a
SHA1

ca8f66154f1c73766c3490c1bfa00eba01c78f35
SHA256

93809ca37ec6d91dba9e24f470bc7f371d325a0d152ce5510c61de8e5e6af52c
SHA512

748ed7b7d5d8e03d75c0f776f6b6ee1b0a5d89d527f4e9f065c51ece781a55ab531e48f25168ab7e0ef8a312493746cf59a51668616a866ad2ca8c05ad427a4e
SSDEEP

3072:1DrFLZyBt15r7TVKFcyjWeAxHeWElsi7b/JONFXNHCDml:NZLZyBhTVYcwKeW0edCa

Score

10^/10

danabot smokeloader backdoor banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5028-136-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

52 936 rundll32.exe
53 936 rundll32.exe
66 936 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

106B.exe

pid process

1444 106B.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

936 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 936 set thread context of 888 936 rundll32.exe rundll32.exe

flow	pid	process
52	936	rundll32.exe
53	936	rundll32.exe
66	936	rundll32.exe

pid	process
1444	106B.exe

pid	process
936	rundll32.exe

description	pid	process	target process
PID 936 set thread context of 888	936	rundll32.exe	rundll32.exe

Drops file in Program Files directory 42 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_base.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-mac.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\duplicate.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\JP2KLib.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Measure.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\pmd.cer	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\forms_distributed.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-win8.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-mac.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\export.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\duplicate.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\pmd.cer	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\rss.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Acrofx32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_super.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\rss.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\review_email.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-high-contrast.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\BIB.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Measure.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_base.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\share.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\QuickTime.mpp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\review_email.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-high-contrast.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Acrofx32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-win8.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\tl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\forms_distributed.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\Flash.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\QuickTime.mpp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\JP2KLib.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CPDF_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\BIB.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2440 1444 WerFault.exe 106B.exe

pid	pid_target	process	target process
2440	1444	WerFault.exe	106B.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

file.exe

description	ioc	process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	file.exe

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e003100000000009555f630100054656d7000003a0009000400efbe21550a589555fb302e00000000000000000000000000000000000000000000000000ce0ebb00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3068

pid	process
3068

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

file.exe

pid	process
5028	file.exe
5028	file.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

file.exe

pid process

5028 file.exe

pid	process
3068

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

888 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3068
3068

pid	process
888	rundll32.exe

pid	process
3068
3068

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

106B.exerundll32.exe

description	pid	process	target process
PID 3068 wrote to memory of 1444	3068		106B.exe
PID 3068 wrote to memory of 1444	3068		106B.exe
PID 3068 wrote to memory of 1444	3068		106B.exe
PID 1444 wrote to memory of 936	1444	106B.exe	rundll32.exe
PID 1444 wrote to memory of 936	1444	106B.exe	rundll32.exe
PID 1444 wrote to memory of 936	1444	106B.exe	rundll32.exe
PID 936 wrote to memory of 888	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 888	936	rundll32.exe	rundll32.exe
PID 936 wrote to memory of 888	936	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5028

C:\Users\Admin\AppData\Local\Temp\106B.exe
C:\Users\Admin\AppData\Local\Temp\106B.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:936

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14150
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1444 -s 528
2⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1444 -ip 1444
1⤵
PID:3732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2476

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:3392

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\adobepdf417.dll",mzphNkhJ
2⤵
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.dll
Filesize
797KB

MD5
dd844585bcfc85e3845deefe7fa556ec

SHA1
bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

SHA256
091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

SHA512
f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\AdobePDF417.dll
Filesize
797KB

MD5
dd844585bcfc85e3845deefe7fa556ec

SHA1
bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

SHA256
091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

SHA512
f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\2F1A6504-0641-44CF-8BB5-3612D865F2E5.vsch
Filesize
110B

MD5
37a1115747e63e1c0ead2c66301f22d3

SHA1
44339aa5b475ecc2669a69fa1850ffcbf6fc666e

SHA256
9496889b2cbda0bcb85b8ef91dc323107702c214ee37a7c1057b8fc9c8874589

SHA512
6ecc4b9f1d08bccc3f1ae111391e83b8a1ae3788f532ae3afac5ed91823891aaf6a56385e3856910730d312d5374c779bdab7760d82a685ee99c077a3180357d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.OSM.OSM.x-none.msi.16.x-none.xml
Filesize
1KB

MD5
c37e4631cac9c6fa2115119130d34fee

SHA1
664383d10910b76f9ab7bcb78a1e8893ca4d70f9

SHA256
cb1e437488402db0a3e03ca37dd6ef28d4fac99030caa31a17951d06ede7d4db

SHA512
d27d93122f2d372b4c0b5e8a7e51383a761e7cc94d78e9b64bbbc9ff847d72a6bc2b0e6ed948be194d02ad034b4cc6e0f0eb3448f0a3227374888f7e0725adaf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.Proof.Culture.msi.16.es-es.xml
Filesize
23KB

MD5
156b3ab70b2cce134d493104d047e6fa

SHA1
9907a741812bef8c5b55d0e73c9ac5c0d973c4be

SHA256
5fba15e64d0ff7075951a8e6bf758d81d4c14fa98e6b8604d5bbc43317da8c01

SHA512
f3b2157c6aaf1b9e450872057fd5ddaad36bd30be98a48c28c0617c7a638a378dc38cbdbfb9f4b66858b32dfa3e79d577f99fd488b73b6000d1d8887640e7cbd

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.wordmui.msi.16.en-us.xml
Filesize
77KB

MD5
50a33f3ee76c3f15703f82890efcc8c8

SHA1
b24e99bb702478edcbbda43f75457e5833abdc95

SHA256
77a2a4517a0c488c78bf9742e86de5af419d6c148346845d8b0f062d5f8a631a

SHA512
f14e224c1582476f09f969f1e29d5e2fa7855b22aa6b35682e264da0fc6cafdc1d62022dde5032206e1d973382604d9ccfa7495ebf90578a55c9c74bac1e606e

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiST0000.001
Filesize
64KB

MD5
fdd46407d537120755d80ee12a6db845

SHA1
e3198aacad3b7a732e4158beeaa7c86071eb87dc

SHA256
bdad7b26f4486b8d623dfab6f5fbed9a0447fb9849279ee08468c8179fda302f

SHA512
79f767cbf8d1a0edbf575f31f19803028c24ce12ac62a140e02bda768b53ec1324ae73d21b80e2f7faa591d907f8d7961f1dabe4122c94f1ebc73691ba5713c4

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\DesktopSettings2013.xml
Filesize
17KB

MD5
c6b6b07071e0f8ff39f5941a3169b20c

SHA1
d77fd2513ac3cb9b8595424d1f695fce21e33d96

SHA256
f8b710777d2c0105e74ee27ee6dfc8e43ca4ff7e14b4dba390eb72dad20705bd

SHA512
167ab504d6e4c91239f8239722aba17a7f6748fb3e8ee750b2d3f3fd677e6646a8149c8b956513cb2e90722196471865591215938cea8444fdf2e5cff180fdec

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
e9a3e5dee9ba70b8a139f8c9e880ccef

SHA1
a316a21bd3a1860c03e91c0fbbae2edaf038bd0a

SHA256
25f15d424a04032390b3daa16003610b9a96c9d03b4d77e55f460475a0c6e12e

SHA512
9e36b5034ed316b81865dc14c6be389365fc0845319b484f40b5599c990fda259328bc2100f477e6f11cbaf3ae5850c933273e5e5cee5c7783e825bfd11fbed5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
e9a3e5dee9ba70b8a139f8c9e880ccef

SHA1
a316a21bd3a1860c03e91c0fbbae2edaf038bd0a

SHA256
25f15d424a04032390b3daa16003610b9a96c9d03b4d77e55f460475a0c6e12e

SHA512
9e36b5034ed316b81865dc14c6be389365fc0845319b484f40b5599c990fda259328bc2100f477e6f11cbaf3ae5850c933273e5e5cee5c7783e825bfd11fbed5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe.xml
Filesize
17KB

MD5
1b8d789d46feb22b7fa9b011ac51f00f

SHA1
742b5b78b5d63450b5b5bde48ae90330f988c57e

SHA256
7c46108992cf848638182bf80bf19965f5052deed8a958804b6bdf828c167dec

SHA512
c524cac4cc8993c4f3c5d458f639314e07736bcd834179d23e929697d1c7d55b3cd1375108c2fc34133a9df3e297c1ea633e2676af9bf8e073774b4534693cf0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
15KB

MD5
c73eeb9dedd94a612969e003260e6341

SHA1
0451277183bad12e3179c12c0a14694fab52bc8d

SHA256
1ee54a9294af6727770aff79f2c901cd40ca23dfb4803788042aada54146e355

SHA512
d78542d9c74efeac1d925d9d05c691c5543d04e6b671a5ef160f0fafc3b4444d327cf37206d78f43b607f817b6545cb9673b85d713b8c59d0c97103aee55245a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Pending.GRL
Filesize
14KB

MD5
fffde3df0d91311b7fe3f9bc8642a9ec

SHA1
50987906817aab51e2cc29fbce47ac5f0936a44e

SHA256
bda9df3591bf7f67d4b31d23cffdcf927da6f00ae1b393f07aea69ba1c4344bc

SHA512
5e0766c25f54b03ca0325966ba059cbfb9cdb0aeae567106583fdff944d67522516acabb9b261e2fd434c1a5af5c5453a09c9dc494008253b0553a993c01d3d3

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.Crwl
Filesize
1KB

MD5
a6c1043c3fa0c52648d52c2f7fc68d20

SHA1
1dcb91d73fe567eb3ddfb0c821e4d208f0d8a587

SHA256
5b378e85a5fff9ab2c62747a0ec157b16200ed1ffcafe6d09072e2823569da1c

SHA512
a4fd2d2f8d59b52dd684d7e289d0a4042808335a4b663ba107e0394df93484d14e61abfd5b177ba45df4c9fff98c2717748fdc0e98ad450d6316e0c890f7a2ea

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\background.png
Filesize
126KB

MD5
9adaf3a844ce0ce36bfed07fa2d7ef66

SHA1
3a804355d5062a6d2ed9653d66e9e4aebaf90bc0

SHA256
d3e8d47e8c1622ec10adef672ca7a8992748c4f0a4e75f877462e7e661069698

SHA512
e6988737153a0996b14e6baa45e8010ff46714fe7679d05a2676cc18e1c653e99227e7507cdae4f2b6a99b3c31478630e7e1ae13d0f7c12525406d8cf9867ca5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edb.log
Filesize
64KB

MD5
a478d8d81ccd027e3da1b12cf7f019e6

SHA1
160e13490b21fa651c2762749269c4464360dd42

SHA256
f9ef1f809f35c0b47bd563a2a7f23a23b5e6f43f2eefa2a6360ddfcaa62bfec6

SHA512
b3c8227459e8883ddd998b21abdc4819820d0ef4a5af8e63c4cfa8c9df92bd2badd2970050fb7a824d779347b412c681c8bdd09d8333a0ef0d40e5a6535378da

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\s640.hash
Filesize
106B

MD5
bef40d5a19278ca19b56fbcdde7e26ef

SHA1
4f01d5b8de038e120c64bd7cc22cf150af1452fb

SHA256
7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

SHA512
5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\sync.ico
Filesize
48KB

MD5
d1c012ba7049a4525a89b26c846ce0d3

SHA1
769fccd1ed39b3b6ce1ec6e44f096107b4375c58

SHA256
fce3d2b3ca14bbb41fcb8956ef80af38976f4c32787cc1ac3cc1e465ce0453cc

SHA512
538b3c161e3192d3cb8b78f0fb5f863ae84d04a9f236a876e5002a90189cb4b5beea496aefb444de2dd9ea45d1f530359b38d6a45f3260d1d14924bd31918dc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\106B.exe
Filesize
1.1MB

MD5
5da677383072aa1b16364c5d580414f2

SHA1
4e9cc6e2e72453eac12712f5306595ba4d1f4e43

SHA256
58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

SHA512
ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\106B.exe
Filesize
1.1MB

MD5
5da677383072aa1b16364c5d580414f2

SHA1
4e9cc6e2e72453eac12712f5306595ba4d1f4e43

SHA256
58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

SHA512
ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\adobepdf417.dll
Filesize
797KB

MD5
dd844585bcfc85e3845deefe7fa556ec

SHA1
bd4bcfe880d5bfc24246b0f57ad13e62f1e29385

SHA256
091bed85ce0342d79db327bc91d1decf803aa5e202a1588333a0a6635b22bd68

SHA512
f4e89386555129fc9f429d8b104af244cc561eeb43233de1d6800cd204940a3916716437e18bb1f93525c3e7ac38968022b803c777f441cffed08ef9e49d8dfe

Download Submit
memory/888-162-0x000001FE03630000-0x000001FE0385A000-memory.dmp

Filesize
2.2MB

Download
memory/888-158-0x000001FE05000000-0x000001FE05140000-memory.dmp

Filesize
1.2MB

Download
memory/888-159-0x000001FE05000000-0x000001FE05140000-memory.dmp

Filesize
1.2MB

Download
memory/888-161-0x0000000000220000-0x0000000000439000-memory.dmp

Filesize
2.1MB

Download
memory/888-157-0x00007FF7F4786890-mapping.dmp

Download
memory/936-152-0x0000000005B60000-0x0000000005CA0000-memory.dmp

Filesize
1.2MB

Download
memory/936-150-0x0000000005370000-0x0000000005A95000-memory.dmp

Filesize
7.1MB

Download
memory/936-143-0x0000000000000000-mapping.dmp

Download
memory/936-156-0x0000000005B60000-0x0000000005CA0000-memory.dmp

Filesize
1.2MB

Download
memory/936-163-0x0000000005370000-0x0000000005A95000-memory.dmp

Filesize
7.1MB

Download
memory/936-155-0x0000000005B60000-0x0000000005CA0000-memory.dmp

Filesize
1.2MB

Download
memory/936-154-0x0000000005B60000-0x0000000005CA0000-memory.dmp

Filesize
1.2MB

Download
memory/936-153-0x0000000005B60000-0x0000000005CA0000-memory.dmp

Filesize
1.2MB

Download
memory/936-149-0x0000000005370000-0x0000000005A95000-memory.dmp

Filesize
7.1MB

Download
memory/936-151-0x0000000005B60000-0x0000000005CA0000-memory.dmp

Filesize
1.2MB

Download
memory/936-160-0x0000000005BD9000-0x0000000005BDB000-memory.dmp

Filesize
8KB

Download
memory/1444-148-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1444-147-0x0000000002350000-0x0000000002480000-memory.dmp

Filesize
1.2MB

Download
memory/1444-146-0x00000000008B9000-0x00000000009A7000-memory.dmp

Filesize
952KB

Download
memory/1444-140-0x0000000000000000-mapping.dmp

Download
memory/2672-187-0x0000000004800000-0x0000000004F25000-memory.dmp

Filesize
7.1MB

Download
memory/2672-183-0x0000000000000000-mapping.dmp

Download
memory/2672-186-0x0000000004800000-0x0000000004F25000-memory.dmp

Filesize
7.1MB

Download
memory/3392-185-0x00000000038A0000-0x0000000003FC5000-memory.dmp

Filesize
7.1MB

Download
memory/3392-167-0x00000000038A0000-0x0000000003FC5000-memory.dmp

Filesize
7.1MB

Download
memory/5028-139-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5028-136-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/5028-137-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/5028-138-0x0000000000503000-0x0000000000514000-memory.dmp

Filesize
68KB

Download
memory/5028-135-0x0000000000503000-0x0000000000514000-memory.dmp

Filesize
68KB

Download