Analysis
max time kernel: 145s
max time network: 24s
platform: windows7_x64
resource: win7v200430
submitted: 08/07/2020, 09:47

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
Resource: win7v200430
0 signatures
0 seconds
General
Target: SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
Size: 2.7MB
MD5: d1ad5859f4298afb39f9747460c9f499
SHA1: 22b1e4142b34c3113772c31fe991c924c17ffaec
SHA256: 5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415
SHA512: be41fc0005263508df8020da14108bd46ab0938fa712e8222c43c5349f36d42296d97858eb610cb4af3cac24d056f16fc3a118d933f57dba979fc2735e2a45e2
Malware Config
Extracted
Family: danabot
C2:
  92.204.160.126
  195.133.147.230
  185.136.167.253
  46.19.136.203
  45.138.172.157
  185.227.138.52
rsa_pubkey.plain
Signatures

Danabot x86 payload (6 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
resource                                     yara_rule
behavioral1/files/0x00040000000131b4-3.dat   family_danabot
behavioral1/files/0x00040000000131b4-4.dat   family_danabot
behavioral1/files/0x00040000000131b4-6.dat   family_danabot
behavioral1/files/0x00040000000131b4-7.dat   family_danabot
behavioral1/files/0x00040000000131b4-8.dat   family_danabot
behavioral1/files/0x00040000000131b4-9.dat   family_danabot

Blocklisted process makes network request (10 IoCs)
flow   pid    Process
1      1500   rundll32.exe
2      1500   rundll32.exe
3      1500   rundll32.exe
4      1500   rundll32.exe
5      1500   rundll32.exe
6      1500   rundll32.exe
7      1500   rundll32.exe
8      1500   rundll32.exe
9      1500   rundll32.exe
10     1500   rundll32.exe

Loads dropped DLL (5 IoCs)
pid    Process
1408   regsvr32.exe
1500   rundll32.exe
1500   rundll32.exe
1500   rundll32.exe
1500   rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
description                          pid    Process                                                    procid_target
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 904 wrote to memory of 1408      904    SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe     25
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
PID 1408 wrote to memory of 1500     1408   regsvr32.exe                                               26
Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe"
  PID: 904
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\regsvr32.exe
    command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@904
    PID: 1408
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
      PID: 1500
      - Blocklisted process makes network request
      - Loads dropped DLL