danabot | 4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 07:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
Size

220KB
MD5

abc3cf0bf5610cad19bd66ce39fa1325
SHA1

9d1488117d24edde285ef607d5a54db2102b50dc
SHA256

4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded
SHA512

9d57c10787b7aba1f0ded0190abe251e3ad37b6a2e2d58a68760505f87bddc5e89c35554fb3cc677313200aba32d15001d457a6af87a109c84387439930d4562
SSDEEP

3072:XmRZiQnLwwDt15PZwXiw1tsfaWPLr4epcdxJAZV7b/yAHcNHCDml:2VLwwDVmXiw1ts7PI8creACa

Score

10^/10

danabot smokeloader backdoor banker persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/4596-133-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

39 676 rundll32.exe
43 676 rundll32.exe
61 676 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

CBC1.exehgvhgru

pid process

1124 CBC1.exe
3700 hgvhgru

flow	pid	process
39	676	rundll32.exe
43	676	rundll32.exe
61	676	rundll32.exe

pid	process
1124	CBC1.exe
3700	hgvhgru

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogTransport2\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\LogTransport2.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LogTransport2\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

676 rundll32.exe
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 676 set thread context of 3784 676 rundll32.exe rundll32.exe

pid	process
676	rundll32.exe

description	pid	process	target process
PID 676 set thread context of 3784	676	rundll32.exe	rundll32.exe

Drops file in Program Files directory 35 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\add_reviewer.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\comment.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\chrome_elf.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\add_reviewer.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Combine_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Redact_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ScCore.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\bl.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Redact_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\tesselate.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Combine_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\selection-actions2x.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Accessibility.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\download.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DataMatrix.pmp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\selection-actions2x.png	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ACE.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\DataMatrix.pmp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\cef_200_percent.pak	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ACE.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\comment.svg	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\chrome_elf.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ScCore.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Accessibility.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\download.svg	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\reviews_joined.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\bl.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\reviews_joined.gif	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3556 1124 WerFault.exe CBC1.exe

pid	pid_target	process	target process
3556	1124	WerFault.exe	CBC1.exe

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

hgvhgru4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgvhgru
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgvhgru
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	hgvhgru

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Set value (int)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000095556742100054656d7000003a0009000400efbe6b558a6c95556c422e000000000000000000000000000000000000000000000000003c9dd900540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

2420

pid	process
2420

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe

pid	process
4596	4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
4596	4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420
2420

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

2420
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exehgvhgru

pid process

4596 4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
3700 hgvhgru

pid	process
2420

Suspicious use of AdjustPrivilegeToken 16 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420
Token: SeShutdownPrivilege	2420
Token: SeCreatePagefilePrivilege	2420

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3784 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

2420
2420

pid	process
3784	rundll32.exe

pid	process
2420
2420

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

CBC1.exerundll32.exe

description	pid	process	target process
PID 2420 wrote to memory of 1124	2420		CBC1.exe
PID 2420 wrote to memory of 1124	2420		CBC1.exe
PID 2420 wrote to memory of 1124	2420		CBC1.exe
PID 1124 wrote to memory of 676	1124	CBC1.exe	rundll32.exe
PID 1124 wrote to memory of 676	1124	CBC1.exe	rundll32.exe
PID 1124 wrote to memory of 676	1124	CBC1.exe	rundll32.exe
PID 676 wrote to memory of 3784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 3784	676	rundll32.exe	rundll32.exe
PID 676 wrote to memory of 3784	676	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe
"C:\Users\Admin\AppData\Local\Temp\4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:4596

C:\Users\Admin\AppData\Local\Temp\CBC1.exe
C:\Users\Admin\AppData\Local\Temp\CBC1.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1124

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:676

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14124
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3784

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1124 -s 528
2⤵
- Program crash
PID:3556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 1124 -ip 1124
1⤵
PID:4228

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:844

C:\Users\Admin\AppData\Roaming\hgvhgru
C:\Users\Admin\AppData\Roaming\hgvhgru
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Suspicious behavior: MapViewOfSection
PID:3700

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:2872

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\logtransport2.dll",OzkC
2⤵
PID:5008

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.dll
Filesize
797KB

MD5
ecedfa9d1e33abffa34f7d15533733c1

SHA1
0444d7a60d2c6d7aa9d0da38b9e8879410953dc9

SHA256
611723da54677ceabe857dacf80c5b4a54427890d1988bbe128162ecbb31d65b

SHA512
6e3b4e0b42e416c572b258bdcdbd09c0967a9273615c1478f007300c525d4cbd8c70182fa9cdd6cee9e79155fafed29c11b58a1f3c9f112f11471730fa6858ef

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.dll
Filesize
797KB

MD5
ecedfa9d1e33abffa34f7d15533733c1

SHA1
0444d7a60d2c6d7aa9d0da38b9e8879410953dc9

SHA256
611723da54677ceabe857dacf80c5b4a54427890d1988bbe128162ecbb31d65b

SHA512
6e3b4e0b42e416c572b258bdcdbd09c0967a9273615c1478f007300c525d4cbd8c70182fa9cdd6cee9e79155fafed29c11b58a1f3c9f112f11471730fa6858ef

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.officemuiset.msi.16.en-us.xml
Filesize
1KB

MD5
576aefa0d5cef530c59ff90625d60e25

SHA1
19be51d3942120e5474e0711592718da525eaa20

SHA256
f5b39bd24efbf27831061a34d1a78cea8f0073bfccade786129495f17cf2f112

SHA512
0d342bb21bb9651c0c36831718d9009af790bf808a9f38ec1788a06428d08d1299f4e215bd08e4912acc25d0f41ae95f3118019aa2811e89f35453b0ef8b32bf

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
287814b80587567eb7bc5a22eee8e94e

SHA1
0a56418d9969fe81ea54cedd0bdd56f50c5113b8

SHA256
53feda0c745933aaf527756add0ee609b5d93e7e495c66c8c94a165eff83cd88

SHA512
4231ed84a681b5a6f7f36150f6c3da93170306c1eef0c8d7efe8ea4da416d6522af1c159d1cfcbf4bdd6a0f0812837a518a1ba2693b737f96259bdd3e9a16f41

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
287814b80587567eb7bc5a22eee8e94e

SHA1
0a56418d9969fe81ea54cedd0bdd56f50c5113b8

SHA256
53feda0c745933aaf527756add0ee609b5d93e7e495c66c8c94a165eff83cd88

SHA512
4231ed84a681b5a6f7f36150f6c3da93170306c1eef0c8d7efe8ea4da416d6522af1c159d1cfcbf4bdd6a0f0812837a518a1ba2693b737f96259bdd3e9a16f41

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe.xml
Filesize
26KB

MD5
3973cc0067bf4b33098b7bf2d68db787

SHA1
88ddb50df1c24a7f658ba2050f94dea1e13ca8d4

SHA256
70d4896e97e5a6e63d081deb667a746d8153c30ef2556c15fac003e4ac3ea4e9

SHA512
87b72becab432f15accf9433b024b53efff165a9478937a4efd5ecf6841503b4c64eedbaae87ecba44f7803331950cd36f9e54c97c4ebf05d7a76062814bd080

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xml
Filesize
827B

MD5
ded8a0ae2ade3e3cab8bfbfea00b969f

SHA1
73752c78795a78ef3b742ad41737959e6f51ee42

SHA256
ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85

SHA512
3c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2013Office365Win64.xml
Filesize
10KB

MD5
46353bb25b4eb2e9d26a25744c716563

SHA1
a9a9c2a1260542b5246fd642425dcc2a29a098c1

SHA256
3fae1d780e8a63d73847dc38412952c238d0e3ca01a97caee718489a3d424893

SHA512
09027ff22d03712258dbd10d6fe2cafbefd90e974210b09d20008d8eb6b569915064c65a7403187b0d78e79c96838cc0bba49b089acc7c7ab790866359719197

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SmsInterceptStore.jfm
Filesize
16KB

MD5
8ad8eabf315217362a2392acce762345

SHA1
1a2dafdf90dd56fd53dc623b7cfa00f13f1d24e8

SHA256
9d6bac58cea0733dd170ce5aa77c11217f00bb395cf569f8a5f645ac2919445a

SHA512
6da2b3309f948e2244840ccc7301eafaf7e0db2426f8b6cc01027d821d89f6fc724fc1043ddfa645ea23991c64ea5a82d356baaddb43dd76a77be89955f01e77

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\edbres00002.jrs
Filesize
64KB

MD5
fcd6bcb56c1689fcef28b57c22475bad

SHA1
1adc95bebe9eea8c112d40cd04ab7a8d75c4f961

SHA256
de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31

SHA512
73e4153936dab198397b74ee9efc26093dda721eaab2f8d92786891153b45b04265a161b169c988edb0db2c53124607b6eaaa816559c5ce54f3dbc9fa6a7a4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBC1.exe
Filesize
1.1MB

MD5
5da677383072aa1b16364c5d580414f2

SHA1
4e9cc6e2e72453eac12712f5306595ba4d1f4e43

SHA256
58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

SHA512
ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\CBC1.exe
Filesize
1.1MB

MD5
5da677383072aa1b16364c5d580414f2

SHA1
4e9cc6e2e72453eac12712f5306595ba4d1f4e43

SHA256
58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

SHA512
ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Roaming\hgvhgru
Filesize
220KB

MD5
abc3cf0bf5610cad19bd66ce39fa1325

SHA1
9d1488117d24edde285ef607d5a54db2102b50dc

SHA256
4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded

SHA512
9d57c10787b7aba1f0ded0190abe251e3ad37b6a2e2d58a68760505f87bddc5e89c35554fb3cc677313200aba32d15001d457a6af87a109c84387439930d4562

Download Submit
C:\Users\Admin\AppData\Roaming\hgvhgru
Filesize
220KB

MD5
abc3cf0bf5610cad19bd66ce39fa1325

SHA1
9d1488117d24edde285ef607d5a54db2102b50dc

SHA256
4b57baddf2270d63a05e86300645f4d83e62af33b8409d61c47493b488e52ded

SHA512
9d57c10787b7aba1f0ded0190abe251e3ad37b6a2e2d58a68760505f87bddc5e89c35554fb3cc677313200aba32d15001d457a6af87a109c84387439930d4562

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\logtransport2.dll
Filesize
797KB

MD5
ecedfa9d1e33abffa34f7d15533733c1

SHA1
0444d7a60d2c6d7aa9d0da38b9e8879410953dc9

SHA256
611723da54677ceabe857dacf80c5b4a54427890d1988bbe128162ecbb31d65b

SHA512
6e3b4e0b42e416c572b258bdcdbd09c0967a9273615c1478f007300c525d4cbd8c70182fa9cdd6cee9e79155fafed29c11b58a1f3c9f112f11471730fa6858ef

Download Submit
memory/676-149-0x0000000004780000-0x00000000048C0000-memory.dmp

Filesize
1.2MB

Download
memory/676-159-0x0000000004B40000-0x0000000005265000-memory.dmp

Filesize
7.1MB

Download
memory/676-151-0x0000000004780000-0x00000000048C0000-memory.dmp

Filesize
1.2MB

Download
memory/676-152-0x0000000004780000-0x00000000048C0000-memory.dmp

Filesize
1.2MB

Download
memory/676-153-0x0000000004780000-0x00000000048C0000-memory.dmp

Filesize
1.2MB

Download
memory/676-139-0x0000000000000000-mapping.dmp

Download
memory/676-146-0x0000000004B40000-0x0000000005265000-memory.dmp

Filesize
7.1MB

Download
memory/676-147-0x0000000004B40000-0x0000000005265000-memory.dmp

Filesize
7.1MB

Download
memory/676-150-0x0000000004780000-0x00000000048C0000-memory.dmp

Filesize
1.2MB

Download
memory/676-148-0x0000000004780000-0x00000000048C0000-memory.dmp

Filesize
1.2MB

Download
memory/1124-145-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1124-142-0x00000000007D3000-0x00000000008C1000-memory.dmp

Filesize
952KB

Download
memory/1124-144-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/1124-143-0x0000000002270000-0x00000000023A0000-memory.dmp

Filesize
1.2MB

Download
memory/1124-136-0x0000000000000000-mapping.dmp

Download
memory/2872-168-0x0000000003B60000-0x0000000004285000-memory.dmp

Filesize
7.1MB

Download
memory/2872-170-0x0000000003B60000-0x0000000004285000-memory.dmp

Filesize
7.1MB

Download
memory/3700-163-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3700-162-0x0000000000603000-0x0000000000614000-memory.dmp

Filesize
68KB

Download
memory/3700-164-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/3784-155-0x000001EA063F0000-0x000001EA06530000-memory.dmp

Filesize
1.2MB

Download
memory/3784-158-0x000001EA04A20000-0x000001EA04C4A000-memory.dmp

Filesize
2.2MB

Download
memory/3784-157-0x0000000000650000-0x0000000000869000-memory.dmp

Filesize
2.1MB

Download
memory/3784-156-0x000001EA063F0000-0x000001EA06530000-memory.dmp

Filesize
1.2MB

Download
memory/3784-154-0x00007FF650696890-mapping.dmp

Download
memory/4596-132-0x0000000000592000-0x00000000005A2000-memory.dmp

Filesize
64KB

Download
memory/4596-135-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4596-134-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/4596-133-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download
memory/5008-177-0x0000000000000000-mapping.dmp

Download
memory/5008-179-0x0000000004750000-0x0000000004E75000-memory.dmp

Filesize
7.1MB

Download