Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
21-12-2022 07:46
General
-
Target
c381be74503802df85c2eeeee364af5b.exe
-
Size
215KB
-
MD5
c381be74503802df85c2eeeee364af5b
-
SHA1
c9758f326774a055ef4ea3d8a5ce2efff1f724c1
-
SHA256
af15f13244a94810f88fb859feffdcdd6793c1eb7298e71060f7181fc6f76e8b
-
SHA512
54d879d369edde5f8a11f533d9186cdd92f7c4510a47f210973af49a3502896ca0c20b6074bfc14bfa4eb01aa41ee1957f46aa58562d082c318cc7438118f274
-
SSDEEP
3072:A48kYLJGV5NnPEOpAc6cYc7istOV8A7b/PHrNyAC8skNHCDml:n8xLJkPEOpAhlc71tI8QHHrNCa
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 22 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\c381be74503802df85c2eeeee364af5b.exe"C:\Users\Admin\AppData\Local\Temp\c381be74503802df85c2eeeee364af5b.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1AFA.exeC:\Users\Admin\AppData\Local\Temp\1AFA.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141503⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4252 -s 5242⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4252 -ip 42521⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\dva.dll",qGBIVkZaVQ==2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dllFilesize
797KB
MD52d32b785bb2bfd539a7b58030cf06359
SHA17510fdd85245d5e929db508b8aa0b2ddc2ddbc55
SHA25628bfe1f45ab50e597e7b33b500a9025fc3ed4ff1661e1c16d1652d21e9b09d91
SHA5124fb407c538ceaa5a22d85bf18dfe6156763735a7b8a2d494bb3178ef055c79f95c898c7ec251dc36d4f8095f2904d54b81f784a2d9266463ab054d99aee513f6
-
C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.dllFilesize
797KB
MD52d32b785bb2bfd539a7b58030cf06359
SHA17510fdd85245d5e929db508b8aa0b2ddc2ddbc55
SHA25628bfe1f45ab50e597e7b33b500a9025fc3ed4ff1661e1c16d1652d21e9b09d91
SHA5124fb407c538ceaa5a22d85bf18dfe6156763735a7b8a2d494bb3178ef055c79f95c898c7ec251dc36d4f8095f2904d54b81f784a2d9266463ab054d99aee513f6
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\E2A4F912-2574-4A75-9BB0-0D023378592B_10.0.19041.1023_neutral_neutral_cw5n1h2txyewy.xmlFilesize
2KB
MD51f8001c5a3ab09524c8185d2657e471c
SHA12297cd6ba695d3fa72f2a70a7db95f2e241116ab
SHA256c8c2ac11232a448dd5d78c34752f56b8f5b8e18fe79b3176fdd88759d5b703d5
SHA512d038b9b97a96b267684ba1a7d2458ddf63d3fd3ea8c58a213b5085196da9c7001fe1dbadfc75d2364befc09c9618c133b331ed487fcb043b6a923f3951be0b37
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmpFilesize
2.3MB
MD5d762abf27c18585adabdbd5627a65b37
SHA1c7f67d8e9d59c906c6e1b00cf831cf2159911c70
SHA256375d4b173f5db502c641d8e5b977f675861482b223962e42c542d8298631becb
SHA51294f78b61742a3288fbd70114f5a6295b4b780edde372267628ca34b59b63e0bdf3a7e7ce12cd8c6add041a293baf396f73e2532c52864ff26f77bae2a149092b
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmpFilesize
2.3MB
MD5d762abf27c18585adabdbd5627a65b37
SHA1c7f67d8e9d59c906c6e1b00cf831cf2159911c70
SHA256375d4b173f5db502c641d8e5b977f675861482b223962e42c542d8298631becb
SHA51294f78b61742a3288fbd70114f5a6295b4b780edde372267628ca34b59b63e0bdf3a7e7ce12cd8c6add041a293baf396f73e2532c52864ff26f77bae2a149092b
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MasterDescriptor.en-us.xmlFilesize
28KB
MD54bee7862d96900a7b0f20d709ffe5af2
SHA159f4073ff756ee74e83e5d9448e7d6da69f3bf08
SHA256526cb82e083378ccc1a5465f3250f40f9e74bdbc65c58ab9210fc8a88b273e63
SHA512ee0f19e4aa0006b4da4b16522eea9774c09b07d6fae3529992df7f5f47ee1fa49a6ec5b77370be594762ec63f1f6aee4be139e44f2f369f5590777cf95d9be31
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\overlay.pngFilesize
28KB
MD51f93b502e78190a2f496c2d9558e069d
SHA16ae6249493d36682270c0d5e3eb3c472fdd2766e
SHA2565c5b0de42d55486ed61dd3a6e96ab09f467bb38ae39fced97adc51ba07426c0e
SHA512cf07724c203a82c9f202d53f63ea00ab0df2f97484bd3b9abe1a001f2e531f505ddd4ff8f2d5a2769dd9d2d60e9c1d03dd3ab5143542688f944cfd35c6f1cdf3
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\resource.xmlFilesize
1KB
MD5ba3f2a2801ae546e498881e8ec22a17c
SHA1ab57705933a28c4f9e552f5a435ab8a7709fedc8
SHA256af7a12135db48bf260cd6d7ce831810ef98ca05847c4b23086bc2e616e8b08f4
SHA5123ae1c6d4bba1720b080c315e58c8b44685defd65031314a48c1de749e4cd13a42ccf5f0de4202019c94b0ecbd1ab9e6dbdfd39d5b6434909796f490246b6e302
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\wlidsvcconfig.xmlFilesize
13KB
MD5b25d86e30d3770714c3904aa4c651cc2
SHA1fd4b2fefa8b9d2ca240bf9cf5902ce305129ac7b
SHA256d6ae75fe474569eff75aadf872ad771d07f27d0fe1539f7ad4b824e2cc12295a
SHA512c115c1c7ca68acab142994b88aebfed73092f1e421ce305ac9763c7e6e43f087c8deecd0471265bfecdde9486d1a29e0a59098a9141896093b224369494cbf5a
-
C:\Users\Admin\AppData\Local\Temp\1AFA.exeFilesize
1.1MB
MD55da677383072aa1b16364c5d580414f2
SHA14e9cc6e2e72453eac12712f5306595ba4d1f4e43
SHA25658a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e
SHA512ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76
-
C:\Users\Admin\AppData\Local\Temp\1AFA.exeFilesize
1.1MB
MD55da677383072aa1b16364c5d580414f2
SHA14e9cc6e2e72453eac12712f5306595ba4d1f4e43
SHA25658a00d29777fea23590c05479d84bdc35fe11c71a630cff6a7de868e6464248e
SHA512ba70922a2352e3443fc24d695e9fafe1f63a495fffcc060c3ce320c544aa2228ec101a7970ab4c3580339b3e3815a88dce7a017e84416b1f86bdf75ce4482b76
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmpFilesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmpFilesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
\??\c:\program files (x86)\windowspowershell\modules\dva.dllFilesize
797KB
MD52d32b785bb2bfd539a7b58030cf06359
SHA17510fdd85245d5e929db508b8aa0b2ddc2ddbc55
SHA25628bfe1f45ab50e597e7b33b500a9025fc3ed4ff1661e1c16d1652d21e9b09d91
SHA5124fb407c538ceaa5a22d85bf18dfe6156763735a7b8a2d494bb3178ef055c79f95c898c7ec251dc36d4f8095f2904d54b81f784a2d9266463ab054d99aee513f6
-
memory/1252-170-0x0000000005100000-0x0000000005240000-memory.dmpFilesize
1.2MB
-
memory/1252-172-0x0000000005100000-0x0000000005240000-memory.dmpFilesize
1.2MB
-
memory/1252-180-0x0000000005179000-0x000000000517B000-memory.dmpFilesize
8KB
-
memory/1252-176-0x0000000005100000-0x0000000005240000-memory.dmpFilesize
1.2MB
-
memory/1252-175-0x0000000005100000-0x0000000005240000-memory.dmpFilesize
1.2MB
-
memory/1252-174-0x0000000005100000-0x0000000005240000-memory.dmpFilesize
1.2MB
-
memory/1252-173-0x0000000005179000-0x000000000517B000-memory.dmpFilesize
8KB
-
memory/1252-183-0x0000000004910000-0x0000000005035000-memory.dmpFilesize
7.1MB
-
memory/1252-162-0x0000000000000000-mapping.dmp
-
memory/1252-171-0x0000000005100000-0x0000000005240000-memory.dmpFilesize
1.2MB
-
memory/1252-168-0x0000000004910000-0x0000000005035000-memory.dmpFilesize
7.1MB
-
memory/1252-169-0x0000000004910000-0x0000000005035000-memory.dmpFilesize
7.1MB
-
memory/1724-198-0x0000000003F00000-0x0000000004625000-memory.dmpFilesize
7.1MB
-
memory/1724-199-0x0000000003F00000-0x0000000004625000-memory.dmpFilesize
7.1MB
-
memory/1724-197-0x0000000003F00000-0x0000000004625000-memory.dmpFilesize
7.1MB
-
memory/1724-194-0x0000000000000000-mapping.dmp
-
memory/2948-149-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-141-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-136-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-137-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-166-0x0000000007480000-0x0000000007490000-memory.dmpFilesize
64KB
-
memory/2948-167-0x0000000007480000-0x0000000007490000-memory.dmpFilesize
64KB
-
memory/2948-138-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-139-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-155-0x0000000007480000-0x0000000007490000-memory.dmpFilesize
64KB
-
memory/2948-154-0x0000000007480000-0x0000000007490000-memory.dmpFilesize
64KB
-
memory/2948-153-0x0000000002AF0000-0x0000000002B00000-memory.dmpFilesize
64KB
-
memory/2948-152-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-151-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-150-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-140-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-142-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-143-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-144-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-145-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-146-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-148-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/2948-147-0x0000000002AD0000-0x0000000002AE0000-memory.dmpFilesize
64KB
-
memory/3688-187-0x00000000036A0000-0x0000000003DC5000-memory.dmpFilesize
7.1MB
-
memory/3688-196-0x00000000036A0000-0x0000000003DC5000-memory.dmpFilesize
7.1MB
-
memory/4252-156-0x0000000000000000-mapping.dmp
-
memory/4252-159-0x00000000007F2000-0x00000000008E0000-memory.dmpFilesize
952KB
-
memory/4252-161-0x0000000000400000-0x0000000000540000-memory.dmpFilesize
1.2MB
-
memory/4252-165-0x0000000000400000-0x0000000000540000-memory.dmpFilesize
1.2MB
-
memory/4252-160-0x00000000022D0000-0x0000000002400000-memory.dmpFilesize
1.2MB
-
memory/4684-181-0x00000000009D0000-0x0000000000BE9000-memory.dmpFilesize
2.1MB
-
memory/4684-179-0x0000016598660000-0x00000165987A0000-memory.dmpFilesize
1.2MB
-
memory/4684-177-0x00007FF7D7186890-mapping.dmp
-
memory/4684-178-0x0000016598660000-0x00000165987A0000-memory.dmpFilesize
1.2MB
-
memory/4684-182-0x0000016596E20000-0x000001659704A000-memory.dmpFilesize
2.2MB
-
memory/4852-132-0x0000000000512000-0x0000000000522000-memory.dmpFilesize
64KB
-
memory/4852-135-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/4852-134-0x0000000000400000-0x000000000045F000-memory.dmpFilesize
380KB
-
memory/4852-133-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
