Analysis
Max time kernel: 141s
Max time network: 156s
Platform: windows7_x64
Resource: win7
Submitted: 29-06-2020 10:28
Static task: static1
Behavioral task: behavioral1
Sample: 9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe
Resource: win7
General
Target: 9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe
Size: 2.6MB
MD5: b12860db0af66cd54096834f586a31f7
SHA1: 0407873ba5b9312f6f5d3a657721f054a74f4d87
SHA256: 9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e
SHA512: 0a252da57e3d104cb4f004cfb1faec931f110146804a04d6753579e7db2eeb007470bc9ec275daace4b133a10536340a291829cae977c57aa946cf661533203f
Malware Config
Extracted family: danabot
C2 addresses:
137.74.66.92
185.227.138.52
192.236.146.249
172.93.201.168
193.34.166.244
23.83.133.10
Signatures

Danabot x86 payload (6 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Resource / YARA rule:
C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL  family_danabot
\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL  family_danabot (5 further matches on the same mapped image)

Blocklisted process makes network request (8 IoCs)
Flow / PID / Process:
3   1888  rundll32.exe
6   1888  rundll32.exe
7   1888  rundll32.exe
9   1888  rundll32.exe
10  1888  rundll32.exe
11  1888  rundll32.exe
12  1888  rundll32.exe
15  1888  rundll32.exe

Loads dropped DLL (5 IoCs)
PID / Process:
1868  regsvr32.exe
1888  rundll32.exe (4 loads)

Suspicious use of WriteProcessMemory (14 IoCs)
PID / Process -> Target process:
1752  9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe wrote to memory of 1868 regsvr32.exe (7 writes)
1868  regsvr32.exe wrote to memory of 1888 rundll32.exe (7 writes)
Processes
1. C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe (PID 1752)
   Command line: "C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\regsvr32.exe (PID 1868)
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.EXE@1752
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe (PID 1888)
         Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL,f0
         - Blocklisted process makes network request
         - Loads dropped DLL
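The process tree above is the whole detection story in three lines: the dropped loader executable silently registers a DLL from %TEMP% through regsvr32 -s (export f1, with its own path and PID passed as an argument), that regsvr32 spawns rundll32 on the same DLL (export f0), and only the rundll32 stage talks to the extracted C2 addresses. The following is an added example, not part of the sandbox report or the sandbox vendor's tooling, of how to turn that chain and the C2 list into detection logic. It assumes Sysmon-style process-creation and network-connection events reduced to the handful of fields used here; the event records, including the benign regsvr32 invocation and the non-C2 connection that must not match, are constructed for the example and reuse the PIDs and command lines from this report.

```python
"""Detect the exe -> regsvr32 -s <temp dll> -> rundll32 <temp dll>,<export> chain
and correlate the final stage's connections with known C2 addresses.

Added example (not the report's or the sandbox's own code). Events are
simplified Sysmon-style records constructed for the example.
"""
import re
from typing import Dict, List

# C2 addresses from the extracted config section of this report.
DANABOT_C2 = {
    "137.74.66.92", "185.227.138.52", "192.236.146.249",
    "172.93.201.168", "193.34.166.244", "23.83.133.10",
}

# regsvr32 -s <dll in %TEMP%> <export> <loader path>@<loader pid>
# Assumption: the "<path>@<pid>" trailing argument is the form seen in this
# report; loosen the tail if other loaders omit it.
REGSVR32_RE = re.compile(
    r"regsvr32\.exe\s+-s\s+(?P<dll>\S+\\AppData\\Local\\Temp\\\S+\.DLL)\s+"
    r"(?P<export>\w+)\s+(?P<loader>\S+)@(?P<ppid>\d+)",
    re.IGNORECASE,
)
# rundll32 <dll in %TEMP%>,<export>
RUNDLL32_RE = re.compile(
    r"rundll32\.exe\s+(?P<dll>\S+\\AppData\\Local\\Temp\\\S+\.DLL),(?P<export>\w+)",
    re.IGNORECASE,
)


def find_loader_chains(proc_events: List[Dict]) -> List[Dict]:
    """Return one record per exe -> regsvr32 -> rundll32 chain in which both
    stages reference the same DLL under %TEMP% and the PID embedded in the
    regsvr32 argument agrees with its actual parent PID."""
    by_pid = {e["pid"]: e for e in proc_events}
    chains = []
    for e in proc_events:
        if not e["image"].lower().endswith("\\regsvr32.exe"):
            continue
        m = REGSVR32_RE.search(e["cmdline"])
        if not m:
            continue
        parent = by_pid.get(e["ppid"])
        if parent is None or int(m.group("ppid")) != e["ppid"]:
            continue
        for child in proc_events:
            if child["ppid"] != e["pid"]:
                continue
            if not child["image"].lower().endswith("\\rundll32.exe"):
                continue
            r = RUNDLL32_RE.search(child["cmdline"])
            if r and r.group("dll").lower() == m.group("dll").lower():
                chains.append({
                    "loader_pid": parent["pid"],
                    "regsvr32_pid": e["pid"],
                    "rundll32_pid": child["pid"],
                    "dll": m.group("dll"),
                    "exports": (m.group("export"), r.group("export")),
                })
    return chains


def c2_contacts(net_events: List[Dict], chains: List[Dict], c2_set=DANABOT_C2) -> List[Dict]:
    """Connections made by the rundll32 stage of a detected chain to a known C2 IP.
    Connections from other processes to C2 IPs are deliberately not attributed
    to the chain; report them through a separate IP-blocklist rule instead."""
    stage_pids = {c["rundll32_pid"] for c in chains}
    return [n for n in net_events if n["pid"] in stage_pids and n["dst_ip"] in c2_set]


LOADER = r"C:\Users\Admin\AppData\Local\Temp\9c4fade08ddee2e8d0dfc518414b188e6fd74f0d08260f8b2b9b1b0da3dc518e.exe"

# Constructed sample events; PIDs and command lines mirror the report's process tree.
SAMPLE_PROCS = [
    {"pid": 1752, "ppid": 1000, "image": LOADER, "cmdline": '"' + LOADER + '"'},
    {"pid": 1868, "ppid": 1752, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL f1 "
                r"C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.EXE@1752"},
    {"pid": 1888, "ppid": 1868, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL,f0"},
    # Benign: a vendor DLL registered from Program Files must not match.
    {"pid": 2100, "ppid": 1000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
]
SAMPLE_NET = [
    {"pid": 1888, "dst_ip": "137.74.66.92", "dst_port": 443},    # flagged stage -> C2
    {"pid": 1888, "dst_ip": "93.184.216.34", "dst_port": 80},    # flagged stage -> not C2
    {"pid": 2100, "dst_ip": "185.227.138.52", "dst_port": 443},  # C2 IP, but not the flagged stage
]

if __name__ == "__main__":
    found = find_loader_chains(SAMPLE_PROCS)
    for c in found:
        print("loader chain:", c)
    for hit in c2_contacts(SAMPLE_NET, found):
        print("C2 contact from rundll32 stage:", hit)
```

On the sample input this yields exactly one chain (1752 -> 1868 -> 1888, exports f1/f0) and one C2 contact (PID 1888 to 137.74.66.92). The parent-PID agreement check exists because the loader passes its own PID in the regsvr32 argument; a mismatch is a cheap way to drop command lines that merely look similar.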
Downloads

C:\Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL
(listed five more times as \Users\Admin\AppData\Local\Temp\9C4FAD~1.DLL with identical hashes)
MD5: 0feb12c711ef48565cc70fa9d563319c
SHA1: e47c3669fa18ccc8340c1f22fce4ddc88603cf8d
SHA256: 7b8576f21c005298c87448e2309319e2bb05902a5e753907476e463a6517da3b
SHA512: 4d9ffcf0e2a4b76d5e840fa5fecc58d6be141861513533097785a5bdf11580edc1e9c9b2e13b43c4bb27fed2d960a63ac1ad2826dc1f6c47a99c80d08f89274e

memory/1752-0-0x0000000000870000-0x0000000000AE7000-memory.dmp  Filesize: 2.5MB
memory/1752-1-0x0000000000AF0000-0x0000000000B01000-memory.dmp  Filesize: 68KB
memory/1868-2-0x0000000000000000-mapping.dmp
memory/1888-5-0x0000000000000000-mapping.dmp