Analysis

  • max time kernel: 149s
  • max time network: 151s
  • platform: windows10_x64
  • resource: win10
  • submitted: 23-09-2020 12:55

General

  • Target: PCspeeder_4.bin.exe
  • Size: 5.1MB
  • MD5: f598d0b8bd377286c61624b61a48e9e9
  • SHA1: e23781f538220df5cb5263fa0f9db92db9162bf4
  • SHA256: 38f3cba0f8de19bbfe1a9faa79e81d9f4eba08593b3e2c391bf9597ccd9810a1
  • SHA512: cdd14bcb2b608c07c451ea34ba327da2093c53f9c8e9852bb4e53cbcf2a9abfa0c94c09dde01baa580e11d16af49f4377dc52e809f7aaf53b3cb8ee055249720

Malware Config

Extracted

  • Family: danabot
  • C2:
    89.44.9.132
    64.188.23.70
    179.43.133.35
    45.147.231.218
    89.45.4.126
  • rsa_pubkey.plain

Signatures

  • Danabot
    Danabot is a modular banking Trojan that has been linked with other malware.
  • Danabot x86 payload (3 IoCs)
    Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
  • Blocklisted process makes network request (12 IoCs)
  • Executes dropped EXE (5 IoCs)
  • Checks BIOS information in registry (2 TTPs, 4 IoCs)
    BIOS information is often read in order to detect sandboxing environments.
  • Identifies Wine through registry keys (2 TTPs, 1 IoC)
    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  • Loads dropped DLL (4 IoCs)
  • Reads user/profile data of web browsers (2 TTPs)
    Infostealers often target stored browser data, which can include saved credentials etc.
  • Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Legitimate hosting services abused for malware hosting/C2 (1 TTP)
  • Looks up external IP address via web service (1 IoC)
    Uses a legitimate IP lookup service to find the infected system's external IP.
  • Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  • Drops file in Program Files directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Checks processor information in registry (2 TTPs, 4 IoCs)
    Processor information is often read in order to detect sandboxing environments.
  • Delays execution with timeout.exe (1 IoC)
  • Runs ping.exe (1 TTP, 1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of WriteProcessMemory (42 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\PCspeeder_4.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\PCspeeder_4.bin.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4012
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\Setup.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • Suspicious use of WriteProcessMemory
      PID:1000
      • C:\Windows\SysWOW64\CScript.exe
        "C:\Windows\system32\CScript.exe" "C:\Program Files (x86)\Ochko\dallas\pub4.vbs" //e:vbscript //B //NOLOGO
        3⤵
        • Blocklisted process makes network request
        PID:1916
      • C:\Program Files (x86)\Ochko\dallas\4.exe
        "C:\Program Files (x86)\Ochko\dallas\4.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Checks processor information in registry
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\f0hbH7z & timeout 2 & del /f /q "C:\Program Files (x86)\Ochko\dallas\4.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3360
          • C:\Windows\system32\timeout.exe
            timeout 2
            5⤵
            • Delays execution with timeout.exe
            PID:1516
      • C:\Program Files (x86)\Ochko\dallas\pub4.exe
        "C:\Program Files (x86)\Ochko\dallas\pub4.exe"
        3⤵
        • Executes dropped EXE
        • Checks BIOS information in registry
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1116
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\fmgvbibvvopi.exe"
          4⤵
          PID:2516
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\fqpgjjaiugsk.exe"
          4⤵
          PID:3936
        • C:\Windows\SysWOW64\cmd.exe
          "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\evnvkraq.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2360
          • C:\Users\Admin\AppData\Local\Temp\evnvkraq.exe
            "C:\Users\Admin\AppData\Local\Temp\evnvkraq.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:3932
            • C:\Windows\SysWOW64\regsvr32.exe
              C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\evnvkraq.dll f1 C:\Users\Admin\AppData\Local\Temp\evnvkraq.exe@3932
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2656
              • C:\Windows\SysWOW64\rundll32.exe
                C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\evnvkraq.dll,f0
                7⤵
                • Blocklisted process makes network request
                • Loads dropped DLL
                PID:996
    • C:\Users\Admin\AppData\Local\Temp\RarSFX0\setupp.exe
      "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setupp.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1516
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe /C ping 1.1.1.1 -n 1 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\RarSFX0\setupp.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3668
        • C:\Windows\SysWOW64\PING.EXE
          ping 1.1.1.1 -n 1 -w 3000
          4⤵
          • Runs ping.exe
          PID:2736

MITRE ATT&CK Matrix (ATT&CK v6)

  • Defense Evasion: Virtualization/Sandbox Evasion (2) T1497
  • Credential Access: Credentials in Files (2) T1081
  • Discovery: Query Registry (5) T1012; Virtualization/Sandbox Evasion (2) T1497; System Information Discovery (3) T1082; Remote System Discovery (1) T1018
  • Collection: Data from Local System (2) T1005
  • Command and Control: Web Service (1) T1102

