Analysis
- max time kernel: 149s
- max time network: 153s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 09-11-2020 19:37
Behavioral task: behavioral1
- Sample: RgNOzTfNPzRgNPzRg.dll
- Resource: win7v20201028 (windows7_x64)
- 0 signatures
- 0 seconds
General
- Target: RgNOzTfNPzRgNPzRg.dll
- Size: 2.2MB
- MD5: f69ae2857fd443a32acdf97fa08076f1
- SHA1: ab9dfa582b8b3a4a80b476170518213600167cf4
- SHA256: a1b70b52de7803c658fc787bb2e18305fb93b40e4b38feaefb5234abebcd3721
- SHA512: 2ec6154be4839135f903b691aea477f3da78a5a9f18eee2d6a3cf76962cb71a83fcd09c8df8ea159a0447fca376aed79d4773a8e3d6f1c2d35b5089b65742b81
Malware Config
Extracted
- Family: danabot
- C2:
  172.81.129.196
  54.38.22.65
  192.99.219.207
  51.255.134.130
  192.236.179.73
  23.82.140.201
  45.147.228.92
- rsa_pubkey.plain
Signatures
- Blocklisted process makes network request (8 IoCs)
  Processes:
  flow  pid   process
  6     4036  rundll32.exe
  16    4036  rundll32.exe
  17    4036  rundll32.exe
  19    4036  rundll32.exe
  20    4036  rundll32.exe
  21    4036  rundll32.exe
  22    4036  rundll32.exe
  24    4036  rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3648  1704        WerFault.exe  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes:
  pid   process
  3648  WerFault.exe (14 occurrences)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
  description                pid   process
  Token: SeRestorePrivilege  3648  WerFault.exe
  Token: SeBackupPrivilege   3648  WerFault.exe
  Token: SeDebugPrivilege    3648  WerFault.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
  description                       pid   process       target process
  PID 1180 wrote to memory of 1704  1180  rundll32.exe  rundll32.exe (3 occurrences)
  PID 1704 wrote to memory of 4036  1704  rundll32.exe  rundll32.exe (3 occurrences)
Processes
- C:\Windows\system32\rundll32.exe (PID 1180)
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\RgNOzTfNPzRgNPzRg.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 1704)
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\RgNOzTfNPzRgNPzRg.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe (PID 4036)
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\RgNOzTfNPzRgNPzRg.dll,f0
      - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe (PID 3648)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 740
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
- memory/1704-0-0x0000000000000000-mapping.dmp
- memory/1704-3-0x0000000000000000-mapping.dmp
- memory/1704-4-0x0000000000000000-mapping.dmp
- memory/1704-5-0x0000000000000000-mapping.dmp
- memory/1704-6-0x0000000000000000-mapping.dmp
- memory/3648-2-0x0000000004770000-0x0000000004771000-memory.dmp (Filesize: 4KB)
- memory/3648-8-0x0000000004DA0000-0x0000000004DA1000-memory.dmp (Filesize: 4KB)
- memory/4036-1-0x0000000000000000-mapping.dmp