Resubmissions
08-10-2020 10:50
201008-e8qrqmf3ze  08-10-2020 10:38
201008-88hf9vxww6  08-10-2020 09:34
201008-pjmzjspx2n
Analysis
max time kernel: 600s
max time network: 601s
platform: windows10_x64
resource: win10
submitted: 08-10-2020 10:50
Static task: static1
General
Target: dan777.bin.exe
Size: 2.3MB
MD5: 565a67a6dff8d567038d9fe8c7fa0024
SHA1: a3f8c5b142a8fbeb72664d521dfe91e4939eaffe
SHA256: de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698
SHA512: f075b5ebf4ff35ce85ba5cf15ebfb3da760a67daa23c294545630c1d1a62d02a5282c5a24b82fd9fc5285ce68b6e6b79185c6e8812e882a058ae3ee3ca555022
Malware Config
Extracted
danabot
Signatures
Danabot x86 payload (3 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource                                            yara_rule
C:\Users\Admin\AppData\Local\Temp\dan777.dll        family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll          family_danabot
\Users\Admin\AppData\Local\Temp\dan777.dll          family_danabot
Blocklisted process makes network request (15 IoCs)
Processes:
flow  pid   process
8     2384  rundll32.exe
9     2384  rundll32.exe
10    2384  rundll32.exe
11    2384  rundll32.exe
12    2384  rundll32.exe
15    2384  rundll32.exe
16    2384  rundll32.exe
17    2384  rundll32.exe
18    2384  rundll32.exe
28    2384  rundll32.exe
29    2384  rundll32.exe
30    2384  rundll32.exe
31    2384  rundll32.exe
33    2384  rundll32.exe
34    2384  rundll32.exe
Loads dropped DLL (2 IoCs)
Processes:
pid   process
2156  regsvr32.exe
2384  rundll32.exe
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process         target process
PID 2948 wrote to memory of 2156   2948  dan777.bin.exe  regsvr32.exe
PID 2948 wrote to memory of 2156   2948  dan777.bin.exe  regsvr32.exe
PID 2948 wrote to memory of 2156   2948  dan777.bin.exe  regsvr32.exe
PID 2156 wrote to memory of 2384   2156  regsvr32.exe    rundll32.exe
PID 2156 wrote to memory of 2384   2156  regsvr32.exe    rundll32.exe
PID 2156 wrote to memory of 2384   2156  regsvr32.exe    rundll32.exe
Processes
C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe"
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\regsvr32.exe (depth 2)
    command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\dan777.dll f1 C:\Users\Admin\AppData\Local\Temp\DAN777~1.EXE@2948
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe (depth 3)
      command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\dan777.dll,f0
      - Blocklisted process makes network request
      - Loads dropped DLL
Downloads
C:\Users\Admin\AppData\Local\Temp\dan777.dll
MD5: 28c1aecd73e803ab59c0a24cf195057e
SHA1: fe022eb915ce2d521539dafe0d0d6d60cbb978e7
SHA256: c7a7449f51761699ebe8e133898fba97b86224d6b13df67a5cffd85168203bb6
SHA512: fb5128956e76c79835ab0b4cea52aa002203eb4ee318b94985e54a58330cebfccc966f00ef88d5f08f52a4e10925399b7436146ac14dba77aedf40e1a690f76d
memory/2156-0-0x0000000000000000-mapping.dmp
memory/2384-3-0x0000000000000000-mapping.dmp