Analysis
-
max time kernel
127s -
max time network
110s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
17-02-2021 02:13
Static task
static1
Behavioral task
behavioral1
Sample
C0EB80_1.EXE.dll
Resource
win7v20201028
General
-
Target
C0EB80_1.EXE.dll
-
Size
3.7MB
-
MD5
f26f748189e89ba787e8a68284689617
-
SHA1
48ec327fadb4065f3d0e37f76201344971e1468f
-
SHA256
9b1ae4317956215ba51e7d37a5f082626628f33f8ae868d969e9b56682c276ef
-
SHA512
34758cba4e046d076a88bd7926bb2422ad2dcbd5e62d2d3c42089329e572644115b86c67cd09e58c95d8d297f44e6476c6e9974aff39c0060cb7b13eaa8f961b
Malware Config
Extracted
danabot
1732
3
23.226.132.92:443
23.106.123.249:443
108.62.141.152:443
104.144.64.163:443
-
embedded_hash
49574F66CD0103BBD725C08A9805C2BE
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 9 2640 RUNDLL32.EXE 14 2640 RUNDLL32.EXE 16 2640 RUNDLL32.EXE 17 2640 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 656 rundll32.exe Token: SeDebugPrivilege 2640 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 3984 wrote to memory of 656 3984 rundll32.exe rundll32.exe PID 3984 wrote to memory of 656 3984 rundll32.exe rundll32.exe PID 3984 wrote to memory of 656 3984 rundll32.exe rundll32.exe PID 656 wrote to memory of 2640 656 rundll32.exe RUNDLL32.EXE PID 656 wrote to memory of 2640 656 rundll32.exe RUNDLL32.EXE PID 656 wrote to memory of 2640 656 rundll32.exe RUNDLL32.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\C0EB80_1.EXE.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\C0EB80_1.EXE.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C0EB80_1.EXE.dll,SS8aLDYXBQ==3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/656-2-0x0000000000000000-mapping.dmp
-
memory/656-3-0x0000000003FF1000-0x00000000043A8000-memory.dmpFilesize
3.7MB
-
memory/656-11-0x0000000004931000-0x0000000004F8F000-memory.dmpFilesize
6.4MB
-
memory/2640-9-0x0000000000000000-mapping.dmp
-
memory/2640-10-0x0000000004681000-0x0000000004A38000-memory.dmpFilesize
3.7MB
-
memory/2640-12-0x0000000004FC1000-0x000000000561F000-memory.dmpFilesize
6.4MB