Analysis
-
max time kernel
143s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
21-12-2022 09:36
General
-
Target
554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe
-
Size
227KB
-
MD5
ba49871be66ed67378d5713ceaa111ff
-
SHA1
f6a515b0f4d5bc1ff2ec837ec07ba55b197a25a7
-
SHA256
554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019
-
SHA512
c648e9c19008fd2d891ba7b8dcd193aeb13248270c61827e32688feba6eacf25cbf64f9b0c60a1f6d47c5896e968f45e62e8c87fcec1371b351d62444d3d7af4
-
SSDEEP
3072:+iZk7XLUO3915sUasekKzJcQ2wKozVfdRN1L1TzJ9Ds6nhWzgKr/so:jkjLUO3da6KFy9QVVRXBTBWzz/
Malware Config
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Sets DLL path for service in the registry 2 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 4 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Program Files directory 12 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 2 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 29 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 30 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe"C:\Users\Admin\AppData\Local\Temp\554639aab520bcc75ff6fddcb571bf16479e6581467fce95a1f202bf7ec62019.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\C74C.exeC:\Users\Admin\AppData\Local\Temp\C74C.exe1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 141243⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask3⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2380 -s 5282⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2380 -ip 23801⤵
-
C:\Users\Admin\AppData\Local\Temp\33E2.exeC:\Users\Admin\AppData\Local\Temp\33E2.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /c timeout /t 6 & del /f /q "C:\Users\Admin\AppData\Local\Temp\33E2.exe" & exit2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\timeout.exetimeout /t 63⤵
- Delays execution with timeout.exe
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2408 -s 20322⤵
- Program crash
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 2408 -ip 24081⤵
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\server_ok.dll",Mwso2⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\WindowsPowerShell\Modules\server_ok.dllFilesize
797KB
MD58b83c0ae55ba64e7888b8637bb0b6068
SHA13116c06a6fd0edceb26b3d0de5edbc2902ae610f
SHA2565e9fd7bd536efcab88d2459f3682c29362ce470ff29b51b06ec53002b3fc5011
SHA512c2b92bf5f3110267fad236d10781069b58d64876b30fc5c181bd2b3b4b52ee98ea778ce5f8b16c681e711bc0a33fe0c9d045278ee5cb10cabbba60f4f0140d31
-
C:\Program Files (x86)\WindowsPowerShell\Modules\server_ok.dllFilesize
797KB
MD58b83c0ae55ba64e7888b8637bb0b6068
SHA13116c06a6fd0edceb26b3d0de5edbc2902ae610f
SHA2565e9fd7bd536efcab88d2459f3682c29362ce470ff29b51b06ec53002b3fc5011
SHA512c2b92bf5f3110267fad236d10781069b58d64876b30fc5c181bd2b3b4b52ee98ea778ce5f8b16c681e711bc0a33fe0c9d045278ee5cb10cabbba60f4f0140d31
-
C:\ProgramData\mozglue.dllFilesize
133KB
MD58f73c08a9660691143661bf7332c3c27
SHA137fa65dd737c50fda710fdbde89e51374d0c204a
SHA2563fe6b1c54b8cf28f571e0c5d6636b4069a8ab00b4f11dd842cfec00691d0c9cd
SHA5120042ecf9b3571bb5eba2de893e8b2371df18f7c5a589f52ee66e4bfbaa15a5b8b7cc6a155792aaa8988528c27196896d5e82e1751c998bacea0d92395f66ad89
-
C:\ProgramData\nss3.dllFilesize
1.2MB
MD5bfac4e3c5908856ba17d41edcd455a51
SHA18eec7e888767aa9e4cca8ff246eb2aacb9170428
SHA256e2935b5b28550d47dc971f456d6961f20d1633b4892998750140e0eaa9ae9d78
SHA5122565bab776c4d732ffb1f9b415992a4c65b81bcd644a9a1df1333a269e322925fc1df4f76913463296efd7c88ef194c3056de2f1ca1357d7b5fe5ff0da877a66
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\C2RManifest.PowerView.PowerView.x-none.msi.16.x-none.xmlFilesize
14KB
MD5cc78ff3a9bbf1967185797f3eac2090a
SHA180204fdfac8110dddc7e5c59ada69feef33a0614
SHA2567afbc0905a69b223e8098f1a9b34fcf454ba79535873933df9c12dc8660174c3
SHA5125ecf695a9be7c5521d1429fe696cb7d1d4d361b43f819b77e76828d5314e444ad61bd3c66f1cd7b7fea9c6138808a1194bc556cd5195658132121444d5a3636d
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmpFilesize
2.3MB
MD5523e3db688b33482435830ac1980a3cd
SHA1addec7b5761b5b11e316278a302caff9cb627b4a
SHA256c6928328f88e88b7a5a2199d1cde6c2582d36805245bcb3a874a7aa6b3131596
SHA512a21168dde28ccc11cac179be5b36e527b2d3cb0d3569e09228fe9d7ab065c88f054540248b1c92aba2e4d78ca788534d9c229d56669b9001e5d342a00edcd612
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe.xmlFilesize
827B
MD5ded8a0ae2ade3e3cab8bfbfea00b969f
SHA173752c78795a78ef3b742ad41737959e6f51ee42
SHA256ffc4b3afeec6909f2b6e167d903c624448bb8b5e3540142a0a762953dc758c85
SHA5123c687dd555e18bfc59bc544bcaae9f27d7eae55aae62c8f6517e263052f72d1679b097cc02faa6514a3a03619b23910ba78af3b3955cf3fe79d2c1f7e8aca72a
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\MicrosoftLync2013Win64.xmlFilesize
2KB
MD5e3a68bbd204d36868c6f5570e4576675
SHA1bc5c44144e8e962c62f7febabdb3d0ba20a8162a
SHA25611031974100f363daebe2d5c9e4bf67418d662c73e0341eb71e10b91a33280ac
SHA5127c435d9f0e05469979ac3ce3153ad96ac1b01c9946b3df7230b384cc3ed1a2766dfbad0eb00fa1f2105d0fc0e5a87cbc1eb2c6c700c1041ebe4488a6d16c2f02
-
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft_Office_Office Feature Updates.xmlFilesize
6KB
MD5b293170595e747ad85d1fb7f2ee06eea
SHA10d09a9c16ba3a694aab8fe232a35b719201c0955
SHA25657dede2ef5f1d9538d211229bd5551c88c3c2df627782a7eb6ae98f8051f2535
SHA5120fd0a57941c8e394598e88183c258ee70f54e3c80b32610cf626df18f55d95fd9149ea6e1d055c317236e8b3f0980cf70314392f94e77144ad3fd9519142f12b
-
C:\Users\Admin\AppData\Local\Temp\33E2.exeFilesize
345KB
MD54bb4894b6642e0c45b78377021c13345
SHA15ccb0f727e41748fcdc624e9f9138d5bd6c2417a
SHA256032f11472c3c4a71a697ed0a656f265ac31af952667da0d6b716c6a54ac66bae
SHA512111da040c3690ebdc74bc86e14cbab7b0f23b26cacc863582874e95ea98aebcbaac776b850f03ad331fcdac7c5900cd7d6ab9222669bf478f047817f876b35ef
-
C:\Users\Admin\AppData\Local\Temp\33E2.exeFilesize
345KB
MD54bb4894b6642e0c45b78377021c13345
SHA15ccb0f727e41748fcdc624e9f9138d5bd6c2417a
SHA256032f11472c3c4a71a697ed0a656f265ac31af952667da0d6b716c6a54ac66bae
SHA512111da040c3690ebdc74bc86e14cbab7b0f23b26cacc863582874e95ea98aebcbaac776b850f03ad331fcdac7c5900cd7d6ab9222669bf478f047817f876b35ef
-
C:\Users\Admin\AppData\Local\Temp\C74C.exeFilesize
1.1MB
MD596e78dc64ec67e77e1738da9b733dc86
SHA1b9dd381c4f1d359ecb73dacd187642db300ab90c
SHA256ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167
SHA5127533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7
-
C:\Users\Admin\AppData\Local\Temp\C74C.exeFilesize
1.1MB
MD596e78dc64ec67e77e1738da9b733dc86
SHA1b9dd381c4f1d359ecb73dacd187642db300ab90c
SHA256ff48a20d7f33ff96546a5b6e060f6bb570b4e398d77991d720d60ddf4f30f167
SHA5127533b4fa266e003905638176710aec4203d9f5808505ef4d619eddd4570b2d6b58b99933d976903b60d0b7d23b485778962782f8d84a387316e416dcd62fcaf7
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmpFilesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmpFilesize
797KB
MD524925b25552a7d8f1d3292071e545920
SHA1f786e1d40df30f6fed0301d60c823b655f2d6eac
SHA2569931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b
SHA512242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26
-
\??\c:\program files (x86)\windowspowershell\modules\server_ok.dllFilesize
797KB
MD58b83c0ae55ba64e7888b8637bb0b6068
SHA13116c06a6fd0edceb26b3d0de5edbc2902ae610f
SHA2565e9fd7bd536efcab88d2459f3682c29362ce470ff29b51b06ec53002b3fc5011
SHA512c2b92bf5f3110267fad236d10781069b58d64876b30fc5c181bd2b3b4b52ee98ea778ce5f8b16c681e711bc0a33fe0c9d045278ee5cb10cabbba60f4f0140d31
-
memory/380-204-0x0000000000000000-mapping.dmp
-
memory/720-135-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/720-134-0x0000000000400000-0x0000000000462000-memory.dmpFilesize
392KB
-
memory/720-133-0x00000000001F0000-0x00000000001F9000-memory.dmpFilesize
36KB
-
memory/720-132-0x0000000000792000-0x00000000007A2000-memory.dmpFilesize
64KB
-
memory/1396-205-0x0000000000000000-mapping.dmp
-
memory/2012-188-0x0000000000000000-mapping.dmp
-
memory/2264-187-0x0000000000000000-mapping.dmp
-
memory/2380-144-0x0000000000400000-0x000000000053E000-memory.dmpFilesize
1.2MB
-
memory/2380-143-0x00000000022A0000-0x00000000023D0000-memory.dmpFilesize
1.2MB
-
memory/2380-142-0x00000000007CF000-0x00000000008BD000-memory.dmpFilesize
952KB
-
memory/2380-136-0x0000000000000000-mapping.dmp
-
memory/2408-160-0x0000000000000000-mapping.dmp
-
memory/2408-189-0x0000000000583000-0x00000000005B1000-memory.dmpFilesize
184KB
-
memory/2408-190-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2408-163-0x0000000000583000-0x00000000005B1000-memory.dmpFilesize
184KB
-
memory/2408-164-0x0000000002090000-0x00000000020E3000-memory.dmpFilesize
332KB
-
memory/2408-165-0x0000000000400000-0x000000000047F000-memory.dmpFilesize
508KB
-
memory/2408-166-0x0000000060900000-0x0000000060992000-memory.dmpFilesize
584KB
-
memory/3388-148-0x0000000005730000-0x0000000005870000-memory.dmpFilesize
1.2MB
-
memory/3388-146-0x0000000004E20000-0x0000000005545000-memory.dmpFilesize
7.1MB
-
memory/3388-149-0x0000000005730000-0x0000000005870000-memory.dmpFilesize
1.2MB
-
memory/3388-154-0x00000000057A9000-0x00000000057AB000-memory.dmpFilesize
8KB
-
memory/3388-145-0x0000000004E20000-0x0000000005545000-memory.dmpFilesize
7.1MB
-
memory/3388-139-0x0000000000000000-mapping.dmp
-
memory/3388-159-0x0000000004E20000-0x0000000005545000-memory.dmpFilesize
7.1MB
-
memory/3388-152-0x0000000005730000-0x0000000005870000-memory.dmpFilesize
1.2MB
-
memory/3388-151-0x0000000005730000-0x0000000005870000-memory.dmpFilesize
1.2MB
-
memory/3388-147-0x0000000005730000-0x0000000005870000-memory.dmpFilesize
1.2MB
-
memory/3388-150-0x0000000005730000-0x0000000005870000-memory.dmpFilesize
1.2MB
-
memory/4040-153-0x00007FF7D6BA6890-mapping.dmp
-
memory/4040-155-0x000002241F8A0000-0x000002241F9E0000-memory.dmpFilesize
1.2MB
-
memory/4040-156-0x000002241F8A0000-0x000002241F9E0000-memory.dmpFilesize
1.2MB
-
memory/4040-157-0x0000000000C20000-0x0000000000E39000-memory.dmpFilesize
2.1MB
-
memory/4040-158-0x000002241DEB0000-0x000002241E0DA000-memory.dmpFilesize
2.2MB
-
memory/4748-199-0x0000000000000000-mapping.dmp
-
memory/4748-201-0x0000000004BD0000-0x00000000052F5000-memory.dmpFilesize
7.1MB
-
memory/4748-203-0x0000000004BD0000-0x00000000052F5000-memory.dmpFilesize
7.1MB
-
memory/5024-194-0x0000000003AC0000-0x00000000041E5000-memory.dmpFilesize
7.1MB
-
memory/5024-202-0x0000000003AC0000-0x00000000041E5000-memory.dmpFilesize
7.1MB