danabot | 9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef

Analysis

max time kernel
294s
max time network
263s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250217-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250217-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
05/03/2025, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
Size

8.9MB
MD5

e1438c21e6de91615a6a5e2a48f274fc
SHA1

b6f6c74f86a145460f03ac3a0520d3345fc7fcc1
SHA256

9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef
SHA512

9be5f304259a2bbc488cde3a9a5cf09b2019a14e32538d79e88e3d1785bce5a3dcfca6702d235d5ec87b4bdf043f3c6a41762ccc2ba6fed8ee63366c0f2e0879
SSDEEP

196608:9n520ZroZkRsj6N+gdC1fcmwz/MIpqPuJS8ErZ/0jCi:9n52eSFjG+aAfcRo4Kz8W0j

Score

10^/10

danabot banker discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

danabot

Attributes

embedded_hash
5059953BB045843A520147F73664DC78
type
loader

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Danabot family
danabot

Blocklisted process makes network request 5 IoCs

flow	pid	Process
22	4672	rundll32.exe
23	4672	rundll32.exe
36	4672	rundll32.exe
38	4672	rundll32.exe
41	4672	rundll32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\D:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe

Drops file in Windows directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSI9A1D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C51.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9C91.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{27B611CD-7B17-41F6-B60D-D59C81B6D3AC}	msiexec.exe
File opened for modification	C:\Windows\Installer\e5799bf.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9BD3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9D8C.tmp	msiexec.exe
File created	C:\Windows\Installer\e5799c3.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA703.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA704.tmp	msiexec.exe
File created	C:\Windows\Installer\e5799bf.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe

Executes dropped EXE 2 IoCs

pid	Process
664	MSIA703.tmp
556	MSIA704.tmp

Loads dropped DLL 6 IoCs

pid	Process
4740	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4672	rundll32.exe
4672	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs

persistence privilege_escalation

Installer Packages

T1546.016

Msiexec

T1218.007

pid	Process
4044	msiexec.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIA704.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIA703.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 22 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1786400979-876203093-3022739302-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3200	msiexec.exe
3200	msiexec.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4044	msiexec.exe
Token: SeSecurityPrivilege	3200	msiexec.exe
Token: SeCreateTokenPrivilege	4044	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4044	msiexec.exe
Token: SeLockMemoryPrivilege	4044	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4044	msiexec.exe
Token: SeMachineAccountPrivilege	4044	msiexec.exe
Token: SeTcbPrivilege	4044	msiexec.exe
Token: SeSecurityPrivilege	4044	msiexec.exe
Token: SeTakeOwnershipPrivilege	4044	msiexec.exe
Token: SeLoadDriverPrivilege	4044	msiexec.exe
Token: SeSystemProfilePrivilege	4044	msiexec.exe
Token: SeSystemtimePrivilege	4044	msiexec.exe
Token: SeProfSingleProcessPrivilege	4044	msiexec.exe
Token: SeIncBasePriorityPrivilege	4044	msiexec.exe
Token: SeCreatePagefilePrivilege	4044	msiexec.exe
Token: SeCreatePermanentPrivilege	4044	msiexec.exe
Token: SeBackupPrivilege	4044	msiexec.exe
Token: SeRestorePrivilege	4044	msiexec.exe
Token: SeShutdownPrivilege	4044	msiexec.exe
Token: SeDebugPrivilege	4044	msiexec.exe
Token: SeAuditPrivilege	4044	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4044	msiexec.exe
Token: SeChangeNotifyPrivilege	4044	msiexec.exe
Token: SeRemoteShutdownPrivilege	4044	msiexec.exe
Token: SeUndockPrivilege	4044	msiexec.exe
Token: SeSyncAgentPrivilege	4044	msiexec.exe
Token: SeEnableDelegationPrivilege	4044	msiexec.exe
Token: SeManageVolumePrivilege	4044	msiexec.exe
Token: SeImpersonatePrivilege	4044	msiexec.exe
Token: SeCreateGlobalPrivilege	4044	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe
Token: SeRestorePrivilege	3200	msiexec.exe
Token: SeTakeOwnershipPrivilege	3200	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4044	msiexec.exe
4044	msiexec.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe
4844	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4740	3200	msiexec.exe	82
PID 3200 wrote to memory of 4740	3200	msiexec.exe	82
PID 3200 wrote to memory of 4740	3200	msiexec.exe	82
PID 3200 wrote to memory of 664	3200	msiexec.exe	86
PID 3200 wrote to memory of 664	3200	msiexec.exe	86
PID 3200 wrote to memory of 664	3200	msiexec.exe	86
PID 3200 wrote to memory of 556	3200	msiexec.exe	87
PID 3200 wrote to memory of 556	3200	msiexec.exe	87
PID 3200 wrote to memory of 556	3200	msiexec.exe	87
PID 3248 wrote to memory of 4672	3248	rundll32.exe	92
PID 3248 wrote to memory of 4672	3248	rundll32.exe	92
PID 3248 wrote to memory of 4672	3248	rundll32.exe	92
PID 4844 wrote to memory of 3416	4844	AcroRd32.exe	94
PID 4844 wrote to memory of 3416	4844	AcroRd32.exe	94
PID 4844 wrote to memory of 3416	4844	AcroRd32.exe	94
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 4448	3416	RdrCEF.exe	95
PID 3416 wrote to memory of 2128	3416	RdrCEF.exe	96
PID 3416 wrote to memory of 2128	3416	RdrCEF.exe	96
PID 3416 wrote to memory of 2128	3416	RdrCEF.exe	96
PID 3416 wrote to memory of 2128	3416	RdrCEF.exe	96
PID 3416 wrote to memory of 2128	3416	RdrCEF.exe	96
PID 3416 wrote to memory of 2128	3416	RdrCEF.exe	96

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\B6F6C74F86A145460F03AC3A0520D3345FC7FCC1.msi
1⤵
- Enumerates connected drives
- Event Triggered Execution: Installer Packages
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4044

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 33A50D7D93BCA70248A84C05C472F8AD
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:4740
- C:\Windows\Installer\MSIA703.tmp
  "C:\Windows\Installer\MSIA703.tmp" /DontWait "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:664
- C:\Windows\Installer\MSIA704.tmp
  "C:\Windows\Installer\MSIA704.tmp" /DontWait /HideWindow /dir "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\" C:\Windows\System32\rundll32.exe "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:556

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf"
1⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4844
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3416
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=B2AFE1B368F3476A91CEF004082FCC59 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=B2AFE1B368F3476A91CEF004082FCC59 --renderer-client-id=2 --mojo-platform-channel-handle=1756 --allow-no-sandbox-job /prefetch:1
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4448
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E7C68EFDB2B0A824DCEC49A7A7CF4B06 --mojo-platform-channel-handle=1764 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2128
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=717A2FCB2219565723C7E197130BD8DB --mojo-platform-channel-handle=2332 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4568
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FD0FC71E48E706AC675EDB02248A247F --mojo-platform-channel-handle=2024 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2300
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=4864B2D3C0935BE15EEF9E4304752D89 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1256

C:\Windows\System32\rundll32.exe
"C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
1⤵
- Suspicious use of WriteProcessMemory
PID:3248
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\System32\rundll32.exe" "C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll",muirent
  2⤵
  - Blocklisted process makes network request
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:4672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Installer Packages

T1546.016

Privilege Escalation

Event Triggered Execution

T1546

Installer Packages

T1546.016

Defense Evasion

Modify Registry

T1112

System Binary Proxy Execution

T1218

Msiexec

T1218.007

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5799c2.rbs

Filesize
897KB

MD5
12d15194e2254744df3a95aebcb3355a

SHA1
35222d22648c8221fb23f46e4d2323849ea4e4a7

SHA256
81d9420d8a1bd9b38f27042d11168facaa9b9ea01f02b71cf28e80bb6e44a0bd

SHA512
5487b03d27182f2ad49ef2446f0658cf4f76bbf2825f414432780992a02e13160edea3da81c84d0b5832201a7b643b686c0789df2f13a1cc665f2a1c7069d240

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
c26ed30e7d5ab440480838636efc41db

SHA1
c66e0d00b56abebfb60d2fcc5cf85ad31a0d6591

SHA256
6a3c5c4a8e57f77ecc22078fbf603ecc31fb82d429bd87b7b4b9261447092aef

SHA512
96cdb78bca3e01d4513c31661987e5646e6a8ff24708918aa0d66dfa3ca5d98af4862c9f38c4f41f933c345d2d3adfb1d34d1430b33f45f916f41a9872a030df

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
e9f19ac7fe8b751a68d48763d5f9b1a5

SHA1
b8122bee3415d30210cd885f0ebb7560c9c9ff2a

SHA256
4579a3c321d2ef99545e631d018901bee3aaf1583ce18a704ba1ff00ab081d0d

SHA512
72dc850f4189e0febb77740ea3c26e01cecf3ddbb73c4383a270e77dc11d63711381baf52aec5ce0961119762792ef01c271db1fb1518de4d4ae27c672b3818b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wct1658.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\Launcher\TypeFasterPortable.ini

Filesize
203B

MD5
a3405b7d94dd1e19fe6a5aef21d93111

SHA1
5ba4ff637232dd35d88de1112ac302775cb2c2cd

SHA256
204e328badd4b673662bf7540e6eedcf4e17ef500381df36e25071fb9cf1d505

SHA512
dedcfb351326b0bd9abfc424e9c381e462282135a10720d263b8367b59782f1fd4645314cab210c14621ae61ab809a0af4d8a79171c75b0d90ba8698c9ab909a

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\appinfo.ini

Filesize
220B

MD5
660f341fa878ff15b5d6a4d2b6611f27

SHA1
a67647f6b19b3318c6bbe5ff17a5c12b5941d958

SHA256
34ae19c668c6e8bbde710952db333b7cf491238c4a517fe97d03c525866bdb9f

SHA512
60d26599197e014b498cf81670d7ac4386ff2419e54b85aaf63d78823cdcb9208afd68b6506cecbbc8be7f72eb31118ff30aabdedea16248ee778252cb43c79f

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\appinfo.ini

Filesize
240B

MD5
20800eefa5d2e262a658d6c13cdf1800

SHA1
a35af3a4955a5f65433a50f21445393526f290d0

SHA256
7e1aec44935782ccdceadf78fc4d58bf0c4823cec690e3854b012323de3be939

SHA512
857703cb33452cfa74492d6eb2e0c228ffee98b6eaa3854a707fd50a1cb560ba0591af89e0a6fe4c3901599cc6a01912e0ed4a73725f9d951351fe4a7ff49cbe

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\appinfo.ini

Filesize
493B

MD5
e8c6dd0514fc53159983b6df23bc2b47

SHA1
d099b68f015317112117f64e79a6c719daf55ea4

SHA256
3e0f10363d2ba2acdaad49ea7562a3d3dc820ac6fdf8b5aea18bf7a6d80df636

SHA512
74904356fb1c30482666ca8ebcf1301789d9d59a06c1d62e0b9959d71d419e103f04f158b10b50f576cbadf23e7b128fd2738452e75ad3a388d2b1c1db9c1f3c

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\pac_installer_log.ini

Filesize
327B

MD5
b2fd2f591942ac6c66d8890c32b1f245

SHA1
913fadbced56b78b7da7c1df4f0ead4f21338bff

SHA256
b504348c5b7d38fea062a4f770f401ea0bc29ac1462680c338932845e5fe62fc

SHA512
184409ee07715da83a19a0b913988c7da3cabccece700a94395cc5c268115c8d89ff41f954cadad3028238b6da8085a99f66f565465c253da36f4e33d48f22d7

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\App\AppInfo\pac_installer_log.ini

Filesize
551B

MD5
9afa4d76710c10fccd6769fa23b5b695

SHA1
b10f230a298e0cca3353ee3385f06a41194dca7d

SHA256
ff25900b37e613614d57aec89d8286291b6256bac56e90bbfcb5f1cd3d843807

SHA512
05cdfb9319eb4145f6c663d8383e50116bd98eb905855a8f90ce695c3a5cfb46dcd31b40c5b2794d64dbed4a308f1c67d659365980383d43774ac3c6583cc777

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\meitneriumatm.dll

Filesize
7.7MB

MD5
043dae1b817ae561da9d6654b6354696

SHA1
a9f62f9ca8faa6023c4ef755d3b1f5aed2914516

SHA256
9de78011f776d2f3c963c6c3f77bc7af98ac51b4dbd11350850a8416bf767c36

SHA512
b7b44df89e93de8f31a35a22ed7b2d292cbad83ef564281af8e50aedade2f3ed4560b1e2ee9d91a5f1b270c407eafbef0f983895f8ed6651428ec5fe7389198e

Download Submit
C:\Users\Admin\AppData\Roaming\TypeFasterPortable\reportsummary.pdf

Filesize
19B

MD5
138994255ba043be1c37715fd931b1f3

SHA1
a39ed185ae5c91a59f9ae7bddce84cdcccb766cf

SHA256
6df84c79758b9f79709bd9292563dbda3fc7c726180ec6d394dd4e54b4427beb

SHA512
b26f7ea2c106852044b3a014ea91555a50ba43d4305a61c796926718da78d7dce335e9bb9613f0275ede4c961cc49f9a38e4bd59cc1504ba28457b364e3ee0cc

Download Submit
C:\Windows\Installer\MSI9A1D.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSIA703.tmp

Filesize
418KB

MD5
dd31c60eedf38fe4704ac9293614afee

SHA1
48b7ad49bfcba2906834324548e731729ead34bc

SHA256
6e8b9a6e7497d88421fa446ec1c2312fcf61d7f340364c61bd02b0bb4684b94f

SHA512
66f4642b3c0a92c2fc8e7cc7d0a61e7132d5193b90b7d4b2554a4a7bfff0fd990b47157d1f2af05ed177dc7dc920984f56b81e114e17de389d20fa5e51fa19e9

Download Submit
C:\Windows\Installer\e5799bf.msi

Filesize
8.9MB

MD5
e1438c21e6de91615a6a5e2a48f274fc

SHA1
b6f6c74f86a145460f03ac3a0520d3345fc7fcc1

SHA256
9cbaec7eb2c14ecdc39095c2deae0c20cb42e9f28466307c44f5848de49a58ef

SHA512
9be5f304259a2bbc488cde3a9a5cf09b2019a14e32538d79e88e3d1785bce5a3dcfca6702d235d5ec87b4bdf043f3c6a41762ccc2ba6fed8ee63366c0f2e0879

Download Submit
memory/4672-580-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-583-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-567-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-579-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-581-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-566-0x00000000046A0000-0x00000000046A1000-memory.dmp

Filesize
4KB

Download
memory/4672-587-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-585-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-586-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-589-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-588-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-568-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-582-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-584-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-590-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-591-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-615-0x00000000028D0000-0x000000000309C000-memory.dmp

Filesize
7.8MB

Download
memory/4672-565-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-550-0x0000000003280000-0x0000000003281000-memory.dmp

Filesize
4KB

Download
memory/4672-539-0x00000000028D0000-0x000000000309C000-memory.dmp

Filesize
7.8MB

Download
memory/4672-711-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download
memory/4672-712-0x0000000003910000-0x000000000445B000-memory.dmp

Filesize
11.3MB

Download