Analysis
- max time kernel: 120s
- max time network: 148s
- platform: windows10_x64
- resource: win10
- submitted: 24-06-2020 14:54

Static task: static1
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe
- Resource: win7
General
- Target: SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe
- Size: 2.6MB
- MD5: fd03fccdce84ae08518761609f524f78
- SHA1: 0a288baeca49b834de50cb1f5b02a967818b8248
- SHA256: 57d5d3c20111dcdb68165ce1b0189bd2f4256584642266f9f1f4ed000096e976
- SHA512: d91b646c6bab1add593ada5be488b58f37e21bb54969ec5c38227a92a3f37b5f2ce93de923cc9bb93a79758a435c4315c17ed2f67f5534eb82cd05a36b696950
Malware Config
Extracted configuration, family: danabot
- 92.204.160.126
- 193.34.166.26
- 93.115.22.159
- 93.115.22.165
- 185.227.138.52
Signatures

Danabot x86 payload (4 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL | family_danabot
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL | family_danabot (3 matches)

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
description | pid | process | target process
PID 3956 created 3932 | 3956 | WerFault.exe | SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe

Blocklisted process makes network request (10 IoCs)
flow | pid | process
4 | 3608 | rundll32.exe
7 | 3608 | rundll32.exe
13 | 3608 | rundll32.exe
17 | 3608 | rundll32.exe
18 | 3608 | rundll32.exe
19 | 3608 | rundll32.exe
20 | 3608 | rundll32.exe
21 | 3608 | rundll32.exe
22 | 3608 | rundll32.exe
23 | 3608 | rundll32.exe

Loads dropped DLL (3 IoCs)
pid | process
3872 | regsvr32.exe
3872 | regsvr32.exe
3608 | rundll32.exe

Program crash (1 IoC)
pid | pid_target | process | target process
3956 | 3932 | WerFault.exe | SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe
Every WerFault.exe entry in this section (PID 3956) stems from Windows Error Reporting handling this crash of the loader process (PID 3932); the malicious activity the report attributes to the sample itself runs in regsvr32.exe (PID 3872) and rundll32.exe (PID 3608).

Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | process
3956 | WerFault.exe (14 events)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | process
Token: SeRestorePrivilege | 3956 | WerFault.exe
Token: SeBackupPrivilege | 3956 | WerFault.exe
Token: SeDebugPrivilege | 3956 | WerFault.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | process | target process
PID 3932 wrote to memory of 3872 | 3932 | SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe | regsvr32.exe (3 events)
PID 3872 wrote to memory of 3608 | 3872 | regsvr32.exe | rundll32.exe (3 events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe (PID 3932)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe (PID 3872)
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@3932
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe (PID 3608)
         Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
         - Blocklisted process makes network request
         - Loads dropped DLL

   2. C:\Windows\SysWOW64\WerFault.exe (PID 3956)
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3932 -s 420
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
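The process tree records a two-stage hand-off: the loader (PID 3932) starts the 32-bit regsvr32.exe with -s on the dropped SECURI~1.DLL plus the extra arguments f1 and <path>@3932, and regsvr32 (PID 3872) in turn starts rundll32.exe on the same DLL with export f0; that rundll32 instance (PID 3608) is the one making the network requests, and the Malware Config section above lists the addresses extracted from the sample. The Python below is an added hunting example, not part of the sandbox report or of any vendor tooling: it searches process-creation and network events for exactly that regsvr32 -> rundll32 hand-off on a shared DLL and for contacts to the extracted addresses. The event records are constructed here to mirror the report's PIDs and command lines (plus one benign regsvr32 registration and one unrelated connection), and the dict keys are a simplified stand-in for whatever field names your EDR or Sysmon export uses.

```python
"""Hunt for the loader chain and addresses recorded in this report.

Added example (not part of the sandbox report). The event lists are
constructed to mirror the report's process tree; the dict keys are a
simplified stand-in for Sysmon/EDR field names.
"""
import re

# Addresses from the report's extracted danabot configuration.
C2_ADDRESSES = frozenset({
    "92.204.160.126",
    "193.34.166.26",
    "93.115.22.159",
    "93.115.22.165",
    "185.227.138.52",
})

# Stage 1 as seen in the tree: regsvr32 -s <dll> f1 <path>@<loader pid>
REGSVR32_RE = re.compile(
    r"regsvr32(?:\.exe)?\s+-s\s+(?P<dll>\S+)\s+f1\s+\S+@(?P<pid_arg>\d+)", re.I
)
# Stage 2: rundll32 <dll>,f0
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>\S+),f0\b", re.I)

# Constructed process-creation events (pid, ppid, image, cmdline).
PROCESS_EVENTS = [
    {"pid": 3932, "ppid": 1100,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.fd03fccdce84ae08.12016.exe"'},
    {"pid": 3872, "ppid": 3932,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@3932"},
    {"pid": 3608, "ppid": 3872,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0"},
    # Benign COM registration (constructed): must not be reported.
    {"pid": 4100, "ppid": 800,
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]

# Constructed network events (pid, dst, dport); the first two mirror the
# report's "Blocklisted process makes network request" hits on PID 3608.
NETWORK_EVENTS = [
    {"pid": 3608, "dst": "92.204.160.126", "dport": 443},
    {"pid": 3608, "dst": "93.115.22.159", "dport": 443},
    {"pid": 1500, "dst": "93.184.216.34", "dport": 443},
]


def find_loader_chain(events):
    """Return one hit per rundll32 <dll>,f0 whose parent is regsvr32 -s <dll> f1 ...

    Both stages must name the same DLL. Whether the <pid> in the regsvr32
    argument equals regsvr32's own parent (the loader) is recorded as a
    field rather than required, so PID reuse in real telemetry does not
    hide the chain.
    """
    by_pid = {ev["pid"]: ev for ev in events}
    hits = []
    for ev in events:
        stage2 = RUNDLL32_RE.search(ev["cmdline"])
        if not stage2:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            continue
        stage1 = REGSVR32_RE.search(parent["cmdline"])
        if not stage1 or stage1["dll"].lower() != stage2["dll"].lower():
            continue
        hits.append({
            "loader_pid": parent["ppid"],
            "regsvr32_pid": parent["pid"],
            "rundll32_pid": ev["pid"],
            "dll": stage2["dll"],
            "pid_arg_matches_loader": int(stage1["pid_arg"]) == parent["ppid"],
        })
    return hits


def find_c2_contacts(net_events, addresses=C2_ADDRESSES):
    """Return network events whose destination is one of the extracted addresses."""
    return [ev for ev in net_events if ev["dst"] in addresses]


if __name__ == "__main__":
    for hit in find_loader_chain(PROCESS_EVENTS):
        print("loader chain:", hit)
    for ev in find_c2_contacts(NETWORK_EVENTS):
        print("contact with extracted address:", ev)
```

Because the match keys on `-s <dll> f1 <x>@<pid>` followed by `<dll>,f0` in a child of that regsvr32, an ordinary `regsvr32 /s` registration does not fire. Real command lines quote paths containing spaces, so the `\S+` captures would need a quote-aware tokenizer before running this over production telemetry; the short 8.3 names in the report (SECURI~1.DLL) are what let the simple form work here.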
Downloads

- C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
  MD5: ba5bcacdd2930de8898da02eb76bd9d1
  SHA1: 2d6cdd794b651a92753113b58139957635efea7c
  SHA256: a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78
  SHA512: b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27

- \Users\Admin\AppData\Local\Temp\SECURI~1.DLL (same file, recorded under the drive-less path)
  MD5: ba5bcacdd2930de8898da02eb76bd9d1
  SHA1: 2d6cdd794b651a92753113b58139957635efea7c
  SHA256: a59a10879e0a2db88c6ea80f31a85962b7e4e89b6e2c4d4cac459b1580422b78
  SHA512: b46fb1ee60d7c22bd943462fcd5107645189b509dc564f4e1a0b6b5f04ef7a42aeaad117f217f4f3096baa09beb953eb65a7588a9ba432a3632d3fe35edf8a27
- memory/3608-9-0x0000000000000000-mapping.dmp
- memory/3872-2-0x0000000000000000-mapping.dmp
- memory/3932-1-0x0000000005530000-0x0000000005531000-memory.dmp (4KB)
- memory/3956-6-0x00000000044A0000-0x00000000044A1000-memory.dmp (4KB)
- memory/3956-7-0x00000000044A0000-0x00000000044A1000-memory.dmp (4KB)
- memory/3956-11-0x00000000049E0000-0x00000000049E1000-memory.dmp (4KB)