Analysis
-
max time kernel
138s -
max time network
152s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
09-11-2020 20:09
Static task
static1
Behavioral task
behavioral1
Sample
2571146d6b6333713a56e5d5adf128ea.exe
Resource
win7v20201028
General
-
Target
2571146d6b6333713a56e5d5adf128ea.exe
-
Size
2.6MB
-
MD5
2571146d6b6333713a56e5d5adf128ea
-
SHA1
d55355b911ecd28b632f56374ac8c885935846b7
-
SHA256
9d96347ba7dd239d6a6b667242965905d6e96114281cd7a18812e901712a8303
-
SHA512
50ee2625cb71b381065b488705c19e4b4b7c7d5d2ac62977d6cf69d73ecc9da3df12e6e61e7ad6a9bf510a6a6bb7da22346393f0362262d893a8b7b9778dae18
Malware Config
Extracted
danabot
142.11.240.144
45.153.243.113
88.150.227.95
Signatures
-
Danabot x86 payload 3 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\257114~1.DLL family_danabot \Users\Admin\AppData\Local\Temp\257114~1.DLL family_danabot \Users\Admin\AppData\Local\Temp\257114~1.DLL family_danabot -
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
WerFault.exedescription pid process target process PID 3124 created 4004 3124 WerFault.exe 2571146d6b6333713a56e5d5adf128ea.exe -
Blocklisted process makes network request 6 IoCs
Processes:
rundll32.exeflow pid process 16 3888 rundll32.exe 17 3888 rundll32.exe 18 3888 rundll32.exe 19 3888 rundll32.exe 20 3888 rundll32.exe 21 3888 rundll32.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exerundll32.exepid process 2408 regsvr32.exe 3888 rundll32.exe -
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 3124 4004 WerFault.exe 2571146d6b6333713a56e5d5adf128ea.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
Processes:
WerFault.exepid process 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe 3124 WerFault.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
WerFault.exedescription pid process Token: SeRestorePrivilege 3124 WerFault.exe Token: SeBackupPrivilege 3124 WerFault.exe Token: SeDebugPrivilege 3124 WerFault.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2571146d6b6333713a56e5d5adf128ea.exeregsvr32.exedescription pid process target process PID 4004 wrote to memory of 2408 4004 2571146d6b6333713a56e5d5adf128ea.exe regsvr32.exe PID 4004 wrote to memory of 2408 4004 2571146d6b6333713a56e5d5adf128ea.exe regsvr32.exe PID 4004 wrote to memory of 2408 4004 2571146d6b6333713a56e5d5adf128ea.exe regsvr32.exe PID 2408 wrote to memory of 3888 2408 regsvr32.exe rundll32.exe PID 2408 wrote to memory of 3888 2408 regsvr32.exe rundll32.exe PID 2408 wrote to memory of 3888 2408 regsvr32.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2571146d6b6333713a56e5d5adf128ea.exe"C:\Users\Admin\AppData\Local\Temp\2571146d6b6333713a56e5d5adf128ea.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:4004 -
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\257114~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\257114~1.EXE@40042⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2408 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\257114~1.DLL,f03⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:3888 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4004 -s 3962⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3124
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\257114~1.DLLMD5
4b1759cc40e9d935ef47c57deb4608ab
SHA1e1ffbef9c1f07394d03b8af8f666df9f980c0626
SHA25691f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917
SHA51218829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082
-
\Users\Admin\AppData\Local\Temp\257114~1.DLLMD5
4b1759cc40e9d935ef47c57deb4608ab
SHA1e1ffbef9c1f07394d03b8af8f666df9f980c0626
SHA25691f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917
SHA51218829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082
-
\Users\Admin\AppData\Local\Temp\257114~1.DLLMD5
4b1759cc40e9d935ef47c57deb4608ab
SHA1e1ffbef9c1f07394d03b8af8f666df9f980c0626
SHA25691f107648a048f50e25c350d3e2c6c94e3f39775815179e011fed5548fde7917
SHA51218829e61de42f0dfb01186abe334141bf0e3d649c015298727c857300ba3d95e9286b4edf59422292e39c39a956f0aced51a6596b7cf5979c023b82344adb082
-
memory/2408-2-0x0000000000000000-mapping.dmp
-
memory/3124-5-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/3124-6-0x0000000004D50000-0x0000000004D51000-memory.dmpFilesize
4KB
-
memory/3124-11-0x0000000005280000-0x0000000005281000-memory.dmpFilesize
4KB
-
memory/3888-9-0x0000000000000000-mapping.dmp
-
memory/4004-1-0x00000000011F0000-0x00000000011F1000-memory.dmpFilesize
4KB