Analysis
- max time kernel: 117s
- max time network: 122s
- platform: windows10_x64
- resource: win10
- submitted: 25-06-2020 10:53
Behavioral task: behavioral1
- Sample: SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll
- Resource: win7
- 0 signatures
- 0 seconds
General
- Target: SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll
- Size: 758KB
- MD5: 6d0e6befc551c292aeaa921202969e8d
- SHA1: 4c47d52c7f4e3e7c98395bca40f7177f7a7671e8
- SHA256: c93e7028a1fa69efc978b71587df57ad05d06b9e290c33329c5f3fa83e10e247
- SHA512: c8333267a344d6d27b00db9c813ff397df829be4a1884bbeb613fd9f70c5ce44b7ed54fce6439a0ffab744a2ba59cb1947cfd40bc2f8e8e4e3051632d11c4aab
Malware Config
Extracted
- Family: danabot
- C2:
  45.11.183.43
  185.101.92.195
  185.101.92.201
- rsa_pubkey.plain
Signatures
- Blocklisted process makes network request (10 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  2     2280  rundll32.exe
  3     2280  rundll32.exe
  8     2280  rundll32.exe
  9     2280  rundll32.exe
  10    2280  rundll32.exe
  11    2280  rundll32.exe
  12    2280  rundll32.exe
  13    2280  rundll32.exe
  14    2280  rundll32.exe
  15    2280  rundll32.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  3880  3496        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes: WerFault.exe
  pid   process
  3880  WerFault.exe  (14 identical entries)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes: WerFault.exe
  description                pid   process
  Token: SeRestorePrivilege  3880  WerFault.exe
  Token: SeBackupPrivilege   3880  WerFault.exe
  Token: SeDebugPrivilege    3880  WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                       pid   process       target process
  PID 792 wrote to memory of 3496   792   rundll32.exe  rundll32.exe   (3 identical entries)
  PID 3496 wrote to memory of 2280  3496  rundll32.exe  rundll32.exe   (3 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Siggen9.44470.4073.18299.dll,f0
      - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3496 -s 724
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/2280-1-0x0000000000000000-mapping.dmp
- memory/3496-0-0x0000000000000000-mapping.dmp
- memory/3496-3-0x0000000000000000-mapping.dmp
- memory/3496-4-0x0000000000000000-mapping.dmp
- memory/3496-5-0x0000000000000000-mapping.dmp
- memory/3496-6-0x0000000000000000-mapping.dmp
- memory/3880-2-0x0000000004600000-0x0000000004601000-memory.dmp (Filesize: 4KB)
- memory/3880-7-0x0000000004F60000-0x0000000004F61000-memory.dmp (Filesize: 4KB)