Analysis
- max time kernel: 130s
- max time network: 138s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 09-11-2020 19:37
Behavioral task
- behavioral1
- Sample: RgNOzTfNPzRgNPzRg.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: RgNOzTfNPzRgNPzRg.dll
- Size: 2.2MB
- MD5: f69ae2857fd443a32acdf97fa08076f1
- SHA1: ab9dfa582b8b3a4a80b476170518213600167cf4
- SHA256: a1b70b52de7803c658fc787bb2e18305fb93b40e4b38feaefb5234abebcd3721
- SHA512: 2ec6154be4839135f903b691aea477f3da78a5a9f18eee2d6a3cf76962cb71a83fcd09c8df8ea159a0447fca376aed79d4773a8e3d6f1c2d35b5089b65742b81
Malware Config
Extracted
- Family: danabot
- C2:
  172.81.129.196
  54.38.22.65
  192.99.219.207
  51.255.134.130
  192.236.179.73
  23.82.140.201
  45.147.228.92
- rsa_pubkey.plain
Signatures
- Blocklisted process makes network request (7 IoCs)
  Processes: rundll32.exe
  flow  pid   process
  1     2004  rundll32.exe
  3     2004  rundll32.exe
  6     2004  rundll32.exe
  7     2004  rundll32.exe
  8     2004  rundll32.exe
  11    2004  rundll32.exe
  12    2004  rundll32.exe
- Program crash (1 IoCs)
  Processes: WerFault.exe
  pid   pid_target  process       target process
  2020  1884        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: WerFault.exe
  pid   process
  2020  WerFault.exe
  2020  WerFault.exe
  2020  WerFault.exe
  2020  WerFault.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: WerFault.exe
  description              pid   process
  Token: SeDebugPrivilege  2020  WerFault.exe
- Suspicious use of WriteProcessMemory (18 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                          pid   process       target process
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 288 wrote to memory of 1884      288   rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2004     1884  rundll32.exe  rundll32.exe
  PID 1884 wrote to memory of 2020     1884  rundll32.exe  WerFault.exe
  PID 1884 wrote to memory of 2020     1884  rundll32.exe  WerFault.exe
  PID 1884 wrote to memory of 2020     1884  rundll32.exe  WerFault.exe
  PID 1884 wrote to memory of 2020     1884  rundll32.exe  WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 288)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\RgNOzTfNPzRgNPzRg.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1884)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\RgNOzTfNPzRgNPzRg.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 2004)
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\RgNOzTfNPzRgNPzRg.dll,f0
      - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe (PID 2020)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 384
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1884-0-0x0000000000000000-mapping.dmp
- memory/1884-5-0x0000000000000000-mapping.dmp
- memory/1884-4-0x0000000000000000-mapping.dmp
- memory/2004-1-0x0000000000000000-mapping.dmp
- memory/2020-2-0x0000000000000000-mapping.dmp
- memory/2020-3-0x0000000002270000-0x0000000002281000-memory.dmp (Filesize: 68KB)
- memory/2020-6-0x0000000002900000-0x0000000002911000-memory.dmp (Filesize: 68KB)