Analysis
-
max time kernel
133s -
max time network
143s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
11-11-2020 10:51
Static task
static1
Behavioral task
behavioral1
Sample
siri_1.exe
Resource
win7v20201028
General
-
Target
siri_1.exe
-
Size
2.6MB
-
MD5
71c0859705ea213fbb15685db30f2312
-
SHA1
21c2f4231259df8d3a14993e605c63150fb3aea8
-
SHA256
25dfa7709940a235749d6be1658b9bc7b650dd2cf9a61934cc3f6deb38e7f38a
-
SHA512
fea69c9ba099dc06002f336d767b14bb36f265dc1f8de0cf09139add98ad06e6ad9bef969bc53f8ebfe6ca734fba8146e3d21d3a102d6f8db5ad942c9484abf2
Malware Config
Extracted
danabot
45.147.231.202
23.83.133.10
137.74.66.92
185.227.138.52
192.236.146.249
149.255.35.125
Signatures
-
Danabot x86 payload 4 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\siri_1.dll family_danabot \Users\Admin\AppData\Local\Temp\siri_1.dll family_danabot \Users\Admin\AppData\Local\Temp\siri_1.dll family_danabot \Users\Admin\AppData\Local\Temp\siri_1.dll family_danabot -
Blocklisted process makes network request 7 IoCs
Processes:
rundll32.exeflow pid process 17 1100 rundll32.exe 21 1100 rundll32.exe 22 1100 rundll32.exe 24 1100 rundll32.exe 25 1100 rundll32.exe 27 1100 rundll32.exe 28 1100 rundll32.exe -
Loads dropped DLL 3 IoCs
Processes:
regsvr32.exerundll32.exepid process 2284 regsvr32.exe 1100 rundll32.exe 1100 rundll32.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
siri_1.exeregsvr32.exedescription pid process target process PID 580 wrote to memory of 2284 580 siri_1.exe regsvr32.exe PID 580 wrote to memory of 2284 580 siri_1.exe regsvr32.exe PID 580 wrote to memory of 2284 580 siri_1.exe regsvr32.exe PID 2284 wrote to memory of 1100 2284 regsvr32.exe rundll32.exe PID 2284 wrote to memory of 1100 2284 regsvr32.exe rundll32.exe PID 2284 wrote to memory of 1100 2284 regsvr32.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\siri_1.exe"C:\Users\Admin\AppData\Local\Temp\siri_1.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exeC:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\siri_1.dll f1 C:\Users\Admin\AppData\Local\Temp\siri_1.exe@5802⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\siri_1.dll,f03⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\siri_1.dllMD5
414bc892169d57d097d7fc1a04da3624
SHA1fbf48c2ea902de9e216032ec867561023220d577
SHA256a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798
SHA512225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae
-
\Users\Admin\AppData\Local\Temp\siri_1.dllMD5
414bc892169d57d097d7fc1a04da3624
SHA1fbf48c2ea902de9e216032ec867561023220d577
SHA256a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798
SHA512225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae
-
\Users\Admin\AppData\Local\Temp\siri_1.dllMD5
414bc892169d57d097d7fc1a04da3624
SHA1fbf48c2ea902de9e216032ec867561023220d577
SHA256a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798
SHA512225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae
-
\Users\Admin\AppData\Local\Temp\siri_1.dllMD5
414bc892169d57d097d7fc1a04da3624
SHA1fbf48c2ea902de9e216032ec867561023220d577
SHA256a1fcf4274e1f86fd689efc29859b6d4aef772915a9d346bc29c9e514b3b51798
SHA512225dc50a998ccd05b8dad6800aeccbc13b91060d49cb0d9c37049ead538b00912f22ffbca55f670db93582356bb4199d969ded1a053f86157e512f3cc3e7e7ae
-
memory/580-1-0x0000000004590000-0x0000000004591000-memory.dmpFilesize
4KB
-
memory/1100-5-0x0000000000000000-mapping.dmp
-
memory/2284-2-0x0000000000000000-mapping.dmp