danabot | 889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065

Analysis

max time kernel
150s
max time network
124s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
21-12-2022 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe
Size

228KB
MD5

5cf89ba33d6c85ba6acd9cf7db505129
SHA1

a69559e30dbf0f651007bffc85bbb281a8d08082
SHA256

889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065
SHA512

122bb7892c2d841884b65a9b99f42604ada969c1c3e80eb6118d650e3c15bd7f80f0fff08dfb08359e7dd98c606d831fedd14f2998df706291b3fb7ed2ec6a15
SSDEEP

6144:LK+LdU/YZilCSl9cSEyBTQAeKrw1Wzz/:LK+xgPlCSl37BEAe5Mz

Score

10^/10

danabot smokeloader backdoor banker discovery spyware stealer trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot

Detects Smokeloader packer 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2748-141-0x00000000001D0000-0x00000000001D9000-memory.dmp	family_smokeloader

SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Blocklisted process makes network request 2 IoCs

Processes:

rundll32.exe

flow pid process

20 3476 rundll32.exe
23 3476 rundll32.exe
Downloads MZ/PE file
Executes dropped EXE 2 IoCs

Processes:

D9AB.exe2DA8.exe

pid process

4744 D9AB.exe
2616 2DA8.exe
Deletes itself 1 IoCs

Processes:

pid process

3048
Loads dropped DLL 3 IoCs

Processes:

rundll32.exe2DA8.exe

pid process

3476 rundll32.exe
2616 2DA8.exe
2616 2DA8.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses 2FA software files, possible credential harvesting 2 TTPs
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 3476 set thread context of 3912 3476 rundll32.exe rundll32.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

flow	pid	process
20	3476	rundll32.exe
23	3476	rundll32.exe

pid	process
4744	D9AB.exe
2616	2DA8.exe

pid	process
3048

pid	process
3476	rundll32.exe
2616	2DA8.exe
2616	2DA8.exe

description	pid	process	target process
PID 3476 set thread context of 3912	3476	rundll32.exe	rundll32.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe

description	ioc	process
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe2DA8.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2DA8.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2DA8.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2680 timeout.exe

pid	process
2680	timeout.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Modifies registry class 36 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f44471a0359723fa74489c55595fe6b30ee0000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\NodeSlot = "1"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 = 4e0031000000000095558a53100054656d7000003a0009000400efbe0c55538895558a532e0000000000000000000000000000000000000000000000000085fa5100540065006d007000000014000000	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\MRUListEx = 00000000ffffffff	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}"	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02
Set value (str)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Generic"
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 820074001c0043465346160031000000000000000000100041707044617461000000741a595e96dfd3488d671733bcee28bac5cdfadf9f6756418947c5c76bc0b67f400009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004100700070004400610074006100000042000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 = 50003100000000000000000010004c6f63616c003c0009000400efbe00000000000000002e00000000000000000000000000000000000000000000000000000000004c006f00630061006c00000014000000	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3844063266-715245855-4050956231-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 00000000ffffffff	rundll32.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

pid process

3048

pid	process
3048

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe

pid	process
2748	889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe
2748	889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048
3048

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid process

3048
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe

pid process

2748 889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe

pid	process
3048

Suspicious use of AdjustPrivilegeToken 24 IoCs

Processes:

description	pid	process
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048
Token: SeShutdownPrivilege	3048
Token: SeCreatePagefilePrivilege	3048

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3912 rundll32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

pid process

3048
3048

pid	process
3912	rundll32.exe

pid	process
3048
3048

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

D9AB.exerundll32.exe2DA8.execmd.exe

description	pid	process	target process
PID 3048 wrote to memory of 4744	3048		D9AB.exe
PID 3048 wrote to memory of 4744	3048		D9AB.exe
PID 3048 wrote to memory of 4744	3048		D9AB.exe
PID 4744 wrote to memory of 3476	4744	D9AB.exe	rundll32.exe
PID 4744 wrote to memory of 3476	4744	D9AB.exe	rundll32.exe
PID 4744 wrote to memory of 3476	4744	D9AB.exe	rundll32.exe
PID 3048 wrote to memory of 2616	3048		2DA8.exe
PID 3048 wrote to memory of 2616	3048		2DA8.exe
PID 3048 wrote to memory of 2616	3048		2DA8.exe
PID 3476 wrote to memory of 3912	3476	rundll32.exe	rundll32.exe
PID 3476 wrote to memory of 3912	3476	rundll32.exe	rundll32.exe
PID 3476 wrote to memory of 3912	3476	rundll32.exe	rundll32.exe
PID 2616 wrote to memory of 516	2616	2DA8.exe	cmd.exe
PID 2616 wrote to memory of 516	2616	2DA8.exe	cmd.exe
PID 2616 wrote to memory of 516	2616	2DA8.exe	cmd.exe
PID 516 wrote to memory of 2680	516	cmd.exe	timeout.exe
PID 516 wrote to memory of 2680	516	cmd.exe	timeout.exe
PID 516 wrote to memory of 2680	516	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe
"C:\Users\Admin\AppData\Local\Temp\889ceb40b0ce50e9364d722c0e92f3cdf6e93aa2d4b16e5e7bbd445df541b065.exe"
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2748

C:\Users\Admin\AppData\Local\Temp\D9AB.exe
C:\Users\Admin\AppData\Local\Temp\D9AB.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4744

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3476

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14132
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3912

C:\Users\Admin\AppData\Local\Temp\2DA8.exe
C:\Users\Admin\AppData\Local\Temp\2DA8.exe
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\2DA8.exe" & exit
2⤵
- Suspicious use of WriteProcessMemory
PID:516

C:\Windows\SysWOW64\timeout.exe
timeout /t 6
3⤵
- Delays execution with timeout.exe
PID:2680

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4700

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Peripheral Device Discovery

T1120

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2DA8.exe
Filesize
345KB

MD5
4bb4894b6642e0c45b78377021c13345

SHA1
5ccb0f727e41748fcdc624e9f9138d5bd6c2417a

SHA256
032f11472c3c4a71a697ed0a656f265ac31af952667da0d6b716c6a54ac66bae

SHA512
111da040c3690ebdc74bc86e14cbab7b0f23b26cacc863582874e95ea98aebcbaac776b850f03ad331fcdac7c5900cd7d6ab9222669bf478f047817f876b35ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\2DA8.exe
Filesize
345KB

MD5
4bb4894b6642e0c45b78377021c13345

SHA1
5ccb0f727e41748fcdc624e9f9138d5bd6c2417a

SHA256
032f11472c3c4a71a697ed0a656f265ac31af952667da0d6b716c6a54ac66bae

SHA512
111da040c3690ebdc74bc86e14cbab7b0f23b26cacc863582874e95ea98aebcbaac776b850f03ad331fcdac7c5900cd7d6ab9222669bf478f047817f876b35ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9AB.exe
Filesize
1.1MB

MD5
96e78dc64ec67e77e1738da9b733dc86

SHA1
b9dd381c4f1d359ecb73dacd187642db300ab90c

SHA256
ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167

SHA512
7533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9AB.exe
Filesize
1.1MB

MD5
96e78dc64ec67e77e1738da9b733dc86

SHA1
b9dd381c4f1d359ecb73dacd187642db300ab90c

SHA256
ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167

SHA512
7533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\ProgramData\mozglue.dll
Filesize
133KB

MD5
8f73c08a9660691143661bf7332c3c27

SHA1
37fa65dd737c50fda710fdbde89e51374d0c204a

SHA256
3fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd

SHA512
0042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89

Download Submit
\ProgramData\nss3.dll
Filesize
1.2MB

MD5
bfac4e3c5908856ba17d41edcd455a51

SHA1
8eec7e888767aa9e4cca8ff246eb2aacb9170428

SHA256
e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78

SHA512
2565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66

Download Submit
\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
memory/516-450-0x0000000000000000-mapping.dmp

Download
memory/2616-315-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2616-314-0x0000000000570000-0x00000000006BA000-memory.dmp

Filesize
1.3MB

Download
memory/2616-313-0x00000000006E1000-0x000000000070F000-memory.dmp

Filesize
184KB

Download
memory/2616-454-0x0000000000400000-0x000000000047F000-memory.dmp

Filesize
508KB

Download
memory/2616-453-0x00000000006E1000-0x000000000070F000-memory.dmp

Filesize
184KB

Download
memory/2616-283-0x0000000000000000-mapping.dmp

Download
memory/2680-458-0x0000000000000000-mapping.dmp

Download
memory/2748-126-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-150-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-129-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-130-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-131-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-132-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-133-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-134-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-135-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-136-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-137-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-138-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-139-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-142-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-140-0x00000000007D1000-0x00000000007E1000-memory.dmp

Filesize
64KB

Download
memory/2748-144-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-145-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-146-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-147-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-148-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-149-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-128-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-143-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2748-141-0x00000000001D0000-0x00000000001D9000-memory.dmp

Filesize
36KB

Download
memory/2748-151-0x0000000000400000-0x0000000000462000-memory.dmp

Filesize
392KB

Download
memory/2748-115-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-116-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-127-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-125-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-124-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-123-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-122-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-121-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-120-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-117-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-118-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/2748-119-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/3476-332-0x00000000082D0000-0x00000000089F5000-memory.dmp

Filesize
7.1MB

Download
memory/3476-391-0x00000000074B9000-0x00000000074BB000-memory.dmp

Filesize
8KB

Download
memory/3476-481-0x00000000082D0000-0x00000000089F5000-memory.dmp

Filesize
7.1MB

Download
memory/3476-200-0x0000000000000000-mapping.dmp

Download
memory/3912-386-0x00007FF726765FD0-mapping.dmp

Download
memory/3912-392-0x0000000000DD0000-0x0000000000FE9000-memory.dmp

Filesize
2.1MB

Download
memory/3912-393-0x0000010B010D0000-0x0000010B012FA000-memory.dmp

Filesize
2.2MB

Download
memory/4744-159-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-174-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-175-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-177-0x0000000000890000-0x000000000098B000-memory.dmp

Filesize
1004KB

Download
memory/4744-178-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-176-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-180-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-182-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-181-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4744-179-0x0000000002330000-0x0000000002460000-memory.dmp

Filesize
1.2MB

Download
memory/4744-183-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-184-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-185-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-186-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-187-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-188-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-173-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-172-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-171-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-170-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-169-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-168-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-167-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-166-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-165-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-164-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-163-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-160-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-158-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-155-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-157-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-156-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-154-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-152-0x0000000000000000-mapping.dmp

Download
memory/4744-189-0x0000000077100000-0x000000007728E000-memory.dmp

Filesize
1.6MB

Download
memory/4744-203-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download