Analysis
- max time kernel: 127s
- max time network: 120s
- platform: windows10_x64
- resource: win10
- submitted: 08/07/2020, 09:47

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
  - Resource: win7v200430
  - 0 signatures
  - 0 seconds
General
- Target: SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
- Size: 2.7MB
- MD5: d1ad5859f4298afb39f9747460c9f499
- SHA1: 22b1e4142b34c3113772c31fe991c924c17ffaec
- SHA256: 5137839a49af8a01ab62a213c963ad63c77dcfda6b107d46709aecebe3c4f415
- SHA512: be41fc0005263508df8020da14108bd46ab0938fa712e8222c43c5349f36d42296d97858eb610cb4af3cac24d056f16fc3a118d933f57dba979fc2735e2a45e2
Malware Config (extracted)
- Family: danabot
- C2:
  - 92.204.160.126
  - 195.133.147.230
  - 185.136.167.253
  - 46.19.136.203
  - 45.138.172.157
  - 185.227.138.52
- rsa_pubkey.plain
Signatures

Danabot x86 payload (5 IoCs)
Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
resource                                    yara_rule
behavioral2/files/0x000200000001ad84-3.dat  family_danabot
behavioral2/files/0x000200000001ad84-4.dat  family_danabot
behavioral2/files/0x000200000001ad84-5.dat  family_danabot
behavioral2/files/0x000200000001ad84-8.dat  family_danabot
behavioral2/files/0x000200000001ad84-7.dat  family_danabot

Blocklisted process makes network request (10 IoCs)
flow  pid   Process
1     3036  rundll32.exe
2     3036  rundll32.exe
3     3036  rundll32.exe
4     3036  rundll32.exe
5     3036  rundll32.exe
7     3036  rundll32.exe
8     3036  rundll32.exe
9     3036  rundll32.exe
10    3036  rundll32.exe
11    3036  rundll32.exe

Loads dropped DLL (4 IoCs)
pid   Process
3052  regsvr32.exe
3052  regsvr32.exe
3036  rundll32.exe
3036  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
description                      pid   Process                                                 procid_target
PID 384 wrote to memory of 3052  384   SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe  68
PID 384 wrote to memory of 3052  384   SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe  68
PID 384 wrote to memory of 3052  384   SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe  68
PID 3052 wrote to memory of 3036 3052  regsvr32.exe                                            69
PID 3052 wrote to memory of 3036 3052  regsvr32.exe                                            69
PID 3052 wrote to memory of 3036 3052  regsvr32.exe                                            69
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe"
   - Suspicious use of WriteProcessMemory
   PID: 384

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE@384
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      PID: 3052

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,f0
         - Blocklisted process makes network request
         - Loads dropped DLL
         PID: 3036
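The process tree and signatures above describe a three-stage chain: the dropper starts regsvr32.exe on a DLL it wrote to the user's Temp folder, regsvr32.exe starts rundll32.exe on the same DLL with export f0, and that rundll32.exe talks to the extracted C2 addresses. The script below is an added example of turning those observations into detection logic; it is not part of the Triage report and not DanaBot code. It runs over constructed Sysmon-style process-creation and network-connection records that follow the report's PIDs, command lines and C2 list; the parent PIDs 1234 and 600, PID 4000, the benign plugin.dll command line, and the non-C2 address 203.0.113.10 are made up for the demonstration.

```python
"""Detection logic for the DanaBot loader chain in the Triage report above.

Added example, not the report's or DanaBot's code. It flags three things the
report's signatures describe:
  1. regsvr32.exe or rundll32.exe given a DLL under the user's Temp folder
     ("Loads dropped DLL"),
  2. the chain dropper -> regsvr32 <dll> -> rundll32 <same dll>,<export>,
  3. outbound connections to the C2 addresses from the malware config.
"""
import re

# C2 addresses from the "Malware Config" section of the report.
C2_ADDRESSES = {
    "92.204.160.126", "195.133.147.230", "185.136.167.253",
    "46.19.136.203", "45.138.172.157", "185.227.138.52",
}

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
DROPPER = TEMP + r"\SecuriteInfo.com.Generic.mg.d1ad5859f4298afb.21100.exe"

# Constructed telemetry, not captured data: PIDs 384/3052/3036 and their
# command lines follow the report; ppid 1234/600, pid 4000, plugin.dll and
# 203.0.113.10 are invented control cases.
EVENTS = [
    {"type": "process", "pid": 384, "ppid": 1234, "image": DROPPER,
     "cmdline": '"' + DROPPER + '"'},
    {"type": "process", "pid": 3052, "ppid": 384,
     "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"C:\Windows\system32\regsvr32.exe -s " + TEMP +
                r"\SECURI~1.DLL f1 " + TEMP + r"\SECURI~1.EXE@384"},
    {"type": "process", "pid": 3036, "ppid": 3052,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe " + TEMP + r"\SECURI~1.DLL,f0"},
    {"type": "process", "pid": 4000, "ppid": 600,  # benign regsvr32 use
     "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\Vendor\plugin.dll"},
    {"type": "network", "pid": 3036, "dst": "92.204.160.126"},
    {"type": "network", "pid": 4000, "dst": "203.0.113.10"},  # not a C2
]

# A DLL argument under <user>\AppData\Local\Temp. regsvr32 takes the path as
# a bare argument; rundll32 appends ",<export>", hence the comma exclusion.
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll\b", re.IGNORECASE)
LOLBINS = {"regsvr32.exe", "rundll32.exe"}


def image_name(path):
    """Basename of a Windows image path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def temp_dll(cmdline):
    """Temp-resident DLL path referenced by a command line (lower-cased), or None."""
    m = TEMP_DLL_RE.search(cmdline)
    return m.group(0).lower() if m else None


def find_temp_dll_loads(events):
    """'Loads dropped DLL': a LOLBin handed a DLL that lives under Temp."""
    hits = []
    for e in events:
        if e["type"] == "process" and image_name(e["image"]) in LOLBINS:
            dll = temp_dll(e["cmdline"])
            if dll:
                hits.append((e["pid"], image_name(e["image"]), dll))
    return hits


def find_loader_chains(events):
    """The report's tree: dropper -> regsvr32 <dll> -> rundll32 <same dll>.

    Each link is a process whose parent is the previous stage, mirroring the
    parent/child pairs in the 'wrote to memory of' rows above."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chains = []
    for child in procs.values():
        if image_name(child["image"]) != "rundll32.exe":
            continue
        parent = procs.get(child["ppid"])
        if parent is None or image_name(parent["image"]) != "regsvr32.exe":
            continue
        dll = temp_dll(child["cmdline"])
        if dll is None or dll != temp_dll(parent["cmdline"]):
            continue
        grandparent = procs.get(parent["ppid"])
        chains.append((grandparent["pid"] if grandparent else None,
                       parent["pid"], child["pid"], dll))
    return chains


def find_c2_connections(events):
    """'Blocklisted process makes network request', narrowed to the known C2 set."""
    return [(e["pid"], e["dst"]) for e in events
            if e["type"] == "network" and e["dst"] in C2_ADDRESSES]


if __name__ == "__main__":
    for name, fn in (("temp-dll loads", find_temp_dll_loads),
                     ("loader chains", find_loader_chains),
                     ("C2 connections", find_c2_connections)):
        print(name)
        for hit in fn(EVENTS):
            print("  ", hit)
```

The chain check is the most robust of the three: a Temp-resident DLL alone is noisy on developer machines, and the C2 list ages quickly, but a regsvr32 child of a user-writable executable spawning rundll32 on the very same DLL has little legitimate use. In a real deployment the `EVENTS` list would be replaced by Sysmon event IDs 1 (process creation) and 3 (network connection), keyed on the same fields.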