Resubmissions
- 08-10-2020 10:50  201008-e8qrqmf3ze  10
- 08-10-2020 10:38  201008-88hf9vxww6  10
- 08-10-2020 09:34  201008-pjmzjspx2n  10

Analysis
- max time kernel: 138s
- max time network: 151s
- platform: windows7_x64
- resource: win7v200722
- submitted: 08-10-2020 09:34
Static task: static1
Behavioral task: behavioral1
Sample: dan777.bin.exe
Resource: win7v200722

General
- Target: dan777.bin.exe
- Size: 2.3MB
- MD5: 565a67a6dff8d567038d9fe8c7fa0024
- SHA1: a3f8c5b142a8fbeb72664d521dfe91e4939eaffe
- SHA256: de146c4ebb0ba2850b93cb358f78b671f50724c9710127d6755c1c2f2f23d698
- SHA512: f075b5ebf4ff35ce85ba5cf15ebfb3da760a67daa23c294545630c1d1a62d02a5282c5a24b82fd9fc5285ce68b6e6b79185c6e8812e882a058ae3ee3ca555022
Malware Config
- Extracted: danabot
Signatures

- Danabot x86 payload (6 IoCs)
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  Processes (resource / yara_rule):
    C:\Users\Admin\AppData\Local\Temp\dan777.dll  family_danabot
    \Users\Admin\AppData\Local\Temp\dan777.dll  family_danabot  (5 matches)

- Blocklisted process makes network request (7 IoCs)
  Processes (flow / pid / process):
    3   1676  rundll32.exe
    4   1676  rundll32.exe
    5   1676  rundll32.exe
    6   1676  rundll32.exe
    7   1676  rundll32.exe
    8   1676  rundll32.exe
    11  1676  rundll32.exe

- Loads dropped DLL (5 IoCs)
  Processes (pid / process):
    1624  regsvr32.exe
    1676  rundll32.exe  (4 matches)

- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description / pid / process / target process):
    PID 836 wrote to memory of 1624    836   dan777.bin.exe  regsvr32.exe  (7 matches)
    PID 1624 wrote to memory of 1676   1624  regsvr32.exe    rundll32.exe  (7 matches)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\dan777.bin.exe"
      - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\regsvr32.exe
        C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\dan777.dll f1 C:\Users\Admin\AppData\Local\Temp\DAN777~1.EXE@836
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\rundll32.exe
          C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\dan777.dll,f0
          - Blocklisted process makes network request
          - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\dan777.dll
  MD5: 21e288420d3eb5b6d5e37b83f0d2dff3
  SHA1: aa0ac85c290f4de5d01fb237e24787ff4e63263d
  SHA256: 528f3a0e46fe32f740387f505f0fdf5d0e9bf36199d1c6a9a9eff55a53fc7cc8
  SHA512: a20e9c039198aea07b3d17f26bd7a5065faac99fe42a0735353a0b148aaa246610accbcab78d75ac775f40c5387768e46b2dd51aa67564eeeb49f19521e14e5d
memory/1624-0-0x0000000000000000-mapping.dmp
-
memory/1676-3-0x0000000000000000-mapping.dmp