danabot | 96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2022 06:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe
Size

220KB
MD5

afdb8706762df1a5b0ea28c272931e08
SHA1

706712d5a9780aeca9a054bb0e1e5e6f5975aba7
SHA256

96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27
SHA512

b7a15b52e4cab219e31007dce7139a97265c9a706b66f815049a3d7a777d2ad1a34c6e83f0ddac02456f15a338dc7cd3408dddbe433fed928f3d6fabb92a205d
SSDEEP

3072:qpqFpLpqwt154VDl3sUuBFrK+wWOjO621wLV7b/lFikrNHCDml:fHLpqwWN27VKhWOi1whtF7Ca

Score

10^/10

danabot smokeloader backdoor banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/5028-136-0x00000000001F0000-0x00000000001F9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 3 IoCs

Processes:

rundll32.exe

flow pid process

48 1188 rundll32.exe
51 1188 rundll32.exe
64 1188 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 1 IoCs

Processes:

C54.exe

pid process

4276 C54.exe

flow	pid	process
48	1188	rundll32.exe
51	1188	rundll32.exe
64	1188	rundll32.exe

pid	process
4276	C54.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Comments.\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\Comments..dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Comments.\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

1188 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 1188 set thread context of 4524 1188 rundll32.exe rundll32.exe

pid	process
1188	rundll32.exe

description	pid	process	target process
PID 1188 set thread context of 4524	1188	rundll32.exe	rundll32.exe

Drops file in Program Files directory 36 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\nppdf32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\LogTransport2.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\nppdf32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AiodLite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\sqlite.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner_mini.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Home.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner_mini.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\main-cef-ui-theme.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\cryptocme.sig	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Home.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\stopwords.ENU	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Edit_R_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Comments..dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Edit_R_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef.css	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AdobeLinguistic.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\AiodLite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\main-cef-ui-theme.css	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\cryptocme.sig	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\sqlite.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\stopwords.ENU	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Spelling.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Spelling.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\arh.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\CollectSignatures.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\InAppSign.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeLinguistic.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1248 4276 WerFault.exe C54.exe

pid	pid_target	process	target process
1248	4276	WerFault.exe	C54.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser

Modifies registry class 30 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000095556c36100054656d7000003a0009000400efbe21550a58955572362e000000000000000000000000000000000000000000000000002e8e3d00540065006d007000000014000000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1
Set value (data)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3068

pid	process
3068

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe

pid	process
5028	96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe
5028	96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068
3068

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3068
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe

pid process

5028 96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe

pid	process
3068

Suspicious use of AdjustPrivilegeToken 18 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068
Token: SeShutdownPrivilege	3068
Token: SeCreatePagefilePrivilege	3068

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

4524 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3068
3068

pid	process
4524	rundll32.exe

pid	process
3068
3068

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

C54.exerundll32.exe

description	pid	process	target process
PID 3068 wrote to memory of 4276	3068		C54.exe
PID 3068 wrote to memory of 4276	3068		C54.exe
PID 3068 wrote to memory of 4276	3068		C54.exe
PID 4276 wrote to memory of 1188	4276	C54.exe	rundll32.exe
PID 4276 wrote to memory of 1188	4276	C54.exe	rundll32.exe
PID 4276 wrote to memory of 1188	4276	C54.exe	rundll32.exe
PID 1188 wrote to memory of 4524	1188	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 4524	1188	rundll32.exe	rundll32.exe
PID 1188 wrote to memory of 4524	1188	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe
"C:\Users\Admin\AppData\Local\Temp\96b638420a725c8f6f02e8e3195fd8ef5698c28ce6032cb55e377027c5095c27.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5028

C:\Users\Admin\AppData\Local\Temp\C54.exe
C:\Users\Admin\AppData\Local\Temp\C54.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4276

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14150
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:4524

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3912

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4276 -s 520
2⤵
- Program crash
PID:1248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4276 -ip 4276
1⤵
PID:3732

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3404

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:1804

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\comments..dll",k0RPZ29Z
2⤵
PID:64

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\Comments..dll
Filesize
797KB

MD5
5a2549b448e704347f156e20f6207c14

SHA1
8d7e61bf264aee3e9846c3b6b20980b3ec5c36fa

SHA256
9438ad4d7494199bdc3512c5d62c0b793305d60bbd8fa3006bffb4cbee38966f

SHA512
6a89f61e9c96a4d5dd00f822ec48eaaf71b2ab63f4717bca08006b8d00c818c36257dec3f0ec48e5870551b3f11c7c0675edcab0cd8811a5a3303302e787f33a

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\Comments..dll
Filesize
797KB

MD5
5a2549b448e704347f156e20f6207c14

SHA1
8d7e61bf264aee3e9846c3b6b20980b3ec5c36fa

SHA256
9438ad4d7494199bdc3512c5d62c0b793305d60bbd8fa3006bffb4cbee38966f

SHA512
6a89f61e9c96a4d5dd00f822ec48eaaf71b2ab63f4717bca08006b8d00c818c36257dec3f0ec48e5870551b3f11c7c0675edcab0cd8811a5a3303302e787f33a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.PowerPivot.PowerPivot.x-none.msi.16.x-none.xml
Filesize
30KB

MD5
98de295b21abe2451f86b82df3be269a

SHA1
1665a23d307748e8c1c0164ba7939275f9fb676c

SHA256
fd3507cd60edf41093c8fe843d1601e33db9cbe1cd36247cec587c265109bcfa

SHA512
230ae283c81771496dcae9ef84787379712106738ea82754b101af9047ae27cadb8b1f4aed00d146a699c22fd1c505c31068418a70d2b535c85c3017726d91cc

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\EventStore.db
Filesize
32KB

MD5
4e40dbba4bf3ea44a50ff74457aaf232

SHA1
1b79ebb121abfb9c431852f0f783dfd89ec19f01

SHA256
0580713efb76985a3b2157d6f0b08665f8084243caad401a1faf53900564f935

SHA512
0fbd8723391dfc132e24068c2c79094cc788cd9e996eac81f07f7c6c44904cc483eedb4a6ae116cdbff8d35b769179635a71ef1a95882a356ce73e56f10a2790

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
97cae131905c2798555ffc53c9199559

SHA1
eaf22d91d889d784f9f430fd7bc87317deba766a

SHA256
d54ab462b5f5d49eccbd74de1a14d659eeb8a7a17e6a4d24564df6f8deb1417e

SHA512
adfbd640124077d0df081715e23a1e1b5c3af01883ee5f0ccad689d5b8a24408937ae382c8c32336b21cb6462bb1d523a2f4b7ebae1e6c0da317b9b3d58a32e0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
97cae131905c2798555ffc53c9199559

SHA1
eaf22d91d889d784f9f430fd7bc87317deba766a

SHA256
d54ab462b5f5d49eccbd74de1a14d659eeb8a7a17e6a4d24564df6f8deb1417e

SHA512
adfbd640124077d0df081715e23a1e1b5c3af01883ee5f0ccad689d5b8a24408937ae382c8c32336b21cb6462bb1d523a2f4b7ebae1e6c0da317b9b3d58a32e0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe.xml
Filesize
9KB

MD5
996f11041df0526341cebbbd40a98390

SHA1
37f652515ef8c662840086d743f7f68d327cce52

SHA256
bb39de067132d2ccbb7a3c066743010f070a3c3856f42ccc892da0b40012771e

SHA512
6cafa4b3bd8c56d20859a4f8fb7109e3ca4c690d0746b13f9f2eaa19d88bfca469dc45d71fb91f5658f9cd300f285aafb9e212ebd7c1496aadb6046da4e56c03

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe.xml
Filesize
57KB

MD5
f99bb3ad5412bb6ac6a062dbfe3573ca

SHA1
2d9df718568e656340832029b100a5d5fd706c34

SHA256
3c43fe71e86b7ec70627b894241e3cdbe2be83a863f42c04e96ab58278222495

SHA512
e9110973f9cac453386804053db5ef68fa528a50d0c5f2dbe7e2d139ad0f5a49aaee1b0e81e60274525b05896ecbb542774a56fad57174e266d90d2bdbd91311

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftNotepad.xml
Filesize
957B

MD5
06f405331f1f99bd455f4afa7b8ee0cc

SHA1
815d8d81c01208aef4bc1a0048b2d4f4171b26f6

SHA256
b752d2c5a3c66c338fd6cd92224d5995be0eac8fd47092b8cd6ea2cc28a5e790

SHA512
a2a771f97346a5db7ee8e948cba2c9e223848e1c395eb335a6e3609739c125e0414e7a254f5ac81ca4a28b04cf4e631ee69edaaf24ef534b96c01c30f96c3a2c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftOffice2016Win32.xml
Filesize
64KB

MD5
fb54ecf5bbc8554d4218fce2b5863f04

SHA1
5a43e92271d69b66f97c12d977c10bc78991f76f

SHA256
bc964a0306fbeca377d20bafd127425c0700ee293a2c5caf9b28285f1b1d75e5

SHA512
c13e3d7c8801b9a865952708af0fe4272e2034be0ebc40e94f4bdccd13b3075ef8d2b5ec8af68d51fe11d87ce84183275d031390aa00e6cefd02407a03436a40

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftWordpad.xml
Filesize
1005B

MD5
576da3ac22d84c085a753ad324e5af0f

SHA1
1ce9245047e7da3eb4e81356434ca190fe4f924f

SHA256
214762acb145e4bbfabd685705707097bd5f5b8dc739c1c18b200d50c5c2f303

SHA512
dde20be02f91f438350752ff98bc6cd21dd9f2cb057fcc3f08d90ea889a69e0bb3e7f7a8fb554a7767d5a3ab74de3e8c090943730e5e197b07304221c2a8b9c0

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\OfficeIntegrator.ps1
Filesize
4KB

MD5
552d7c9707f6dedc9b275df20cfda14f

SHA1
6dfa65a6e2ab94e19deb7cac003674cc2bb4bcd7

SHA256
6e28d25e4b520aab2f2fd0983f62bae3cd8730cc07e003c1efd5cf635df474b2

SHA512
2fe977ef79afb53afd1ea5ba06453706c27c61f31125f9f5089eedad7211195bfcd3ea5c97e4a2a25bd82fa512cb16265e4e7c04fa54a06e3af6380e2a68d91c

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SmsInterceptStore.db
Filesize
192KB

MD5
5fa49c1c863990caa01994342272b2c9

SHA1
c52d1577b2907b462141e4ce74dc8563e52f00c8

SHA256
bd19746ccaba594171cffbd9c31e144d1c29746fbfe484f787aaed83e5723b93

SHA512
3e1b1ec930ede363e2517fa33cf892295f2836af9843ac0216295624720fccbef643728b1998ce314d63e5409c4df95832933baca9d0b048ed8979c4fc4e20d7

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\SystemIndex.1.Crwl
Filesize
1KB

MD5
a6c1043c3fa0c52648d52c2f7fc68d20

SHA1
1dcb91d73fe567eb3ddfb0c821e4d208f0d8a587

SHA256
5b378e85a5fff9ab2c62747a0ec157b16200ed1ffcafe6d09072e2823569da1c

SHA512
a4fd2d2f8d59b52dd684d7e289d0a4042808335a4b663ba107e0394df93484d14e61abfd5b177ba45df4c9fff98c2717748fdc0e98ad450d6316e0c890f7a2ea

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Windows.jfm
Filesize
16KB

MD5
085c6fc3fd0775066ec679c72960f8b5

SHA1
55a2aaaa15e8c1fbdcfa95abfa2285b41a87de5e

SHA256
c4ba846e8bb089d1e8bf0ef5977c2442d9c609e9de3530e91c3f3f03719ee6aa

SHA512
fa01ba189ac2b2e70387bffbcb05105ffec98b3eb1eeb30082d03d4034bf9fca1767f4f7966108423edbdce85ea4c1258dca8a1c6e9f0655eaa55c59dd5c67c1

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\stream.x64.en-us.man.dat
Filesize
622KB

MD5
18b7413b8d54bceff3c29565622d6e63

SHA1
cbf2e4bf2c3f65035d4060a9dcaefdc710f4e04e

SHA256
d21c0fb073320a1a17e0c9a7dc5a0346af74b6e002be4ae1a626e6f3ec0efa85

SHA512
ef0e765d41ce07b17289cbae6afe3ec90b53fc0b5f3491113988d443c00fe0dd189cd74013d3c9b36b56375958d5730afb257b99e5612cee4b3e106a1c45fd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54.exe
Filesize
1.1MB

MD5
5da677383072aa1b16364c5d580414f2

SHA1
4e9cc6e2e72453eac12712f5306595ba4d1f4e43

SHA256
58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

SHA512
ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\C54.exe
Filesize
1.1MB

MD5
5da677383072aa1b16364c5d580414f2

SHA1
4e9cc6e2e72453eac12712f5306595ba4d1f4e43

SHA256
58a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e

SHA512
ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\comments..dll
Filesize
797KB

MD5
5a2549b448e704347f156e20f6207c14

SHA1
8d7e61bf264aee3e9846c3b6b20980b3ec5c36fa

SHA256
9438ad4d7494199bdc3512c5d62c0b793305d60bbd8fa3006bffb4cbee38966f

SHA512
6a89f61e9c96a4d5dd00f822ec48eaaf71b2ab63f4717bca08006b8d00c818c36257dec3f0ec48e5870551b3f11c7c0675edcab0cd8811a5a3303302e787f33a

Download Submit
memory/64-183-0x0000000004360000-0x0000000004A85000-memory.dmp

Filesize
7.1MB

Download
memory/64-184-0x0000000004360000-0x0000000004A85000-memory.dmp

Filesize
7.1MB

Download
memory/64-180-0x0000000000000000-mapping.dmp

Download
memory/1188-153-0x0000000004D60000-0x0000000004EA0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-148-0x0000000004570000-0x0000000004C95000-memory.dmp

Filesize
7.1MB

Download
memory/1188-155-0x0000000004D60000-0x0000000004EA0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-162-0x0000000004570000-0x0000000004C95000-memory.dmp

Filesize
7.1MB

Download
memory/1188-154-0x0000000004D60000-0x0000000004EA0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-152-0x0000000004D60000-0x0000000004EA0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-151-0x0000000004D60000-0x0000000004EA0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-142-0x0000000000000000-mapping.dmp

Download
memory/1188-150-0x0000000004D60000-0x0000000004EA0000-memory.dmp

Filesize
1.2MB

Download
memory/1188-149-0x0000000004570000-0x0000000004C95000-memory.dmp

Filesize
7.1MB

Download
memory/1188-159-0x0000000004DD9000-0x0000000004DDB000-memory.dmp

Filesize
8KB

Download
memory/1804-166-0x00000000031B0000-0x00000000038D5000-memory.dmp

Filesize
7.1MB

Download
memory/1804-182-0x00000000031B0000-0x00000000038D5000-memory.dmp

Filesize
7.1MB

Download
memory/3912-185-0x0000000000000000-mapping.dmp

Download
memory/4276-146-0x00000000022E0000-0x0000000002410000-memory.dmp

Filesize
1.2MB

Download
memory/4276-147-0x0000000000400000-0x0000000000540000-memory.dmp

Filesize
1.2MB

Download
memory/4276-145-0x00000000006A6000-0x0000000000794000-memory.dmp

Filesize
952KB

Download
memory/4276-139-0x0000000000000000-mapping.dmp

Download
memory/4524-160-0x0000000000220000-0x0000000000439000-memory.dmp

Filesize
2.1MB

Download
memory/4524-161-0x00000212BF560000-0x00000212BF78A000-memory.dmp

Filesize
2.2MB

Download
memory/4524-158-0x00000212C0F30000-0x00000212C1070000-memory.dmp

Filesize
1.2MB

Download
memory/4524-157-0x00000212C0F30000-0x00000212C1070000-memory.dmp

Filesize
1.2MB

Download
memory/4524-156-0x00007FF7F4786890-mapping.dmp

Download
memory/5028-135-0x00000000005C2000-0x00000000005D2000-memory.dmp

Filesize
64KB

Download
memory/5028-138-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5028-137-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5028-136-0x00000000001F0000-0x00000000001F9000-memory.dmp

Filesize
36KB

Download