Analysis
- max time kernel: 124s
- max time network: 124s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 13-03-2021 10:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: -BK-C-CTI.exe.dll
- Resource: win7v20201028
General
- Target: -BK-C-CTI.exe.dll
- Size: 5.7MB
- MD5: f714cb42f51d508200da9286c4a171b0
- SHA1: 707c7920ade9ac71cc04b4e4dcf99536d76c46a3
- SHA256: 4178f235c96e570925dc63c9d4576b49bac66fba0cff227d8f42d691ff0ebf93
- SHA512: 50149c3dd12279ffb53ebf1eacd395b2269d20190369c11cad88bb77eefcb7decdb090eb424bf56ccbea66af5a3bde62a13f0c6b8d153309751fab8c1e0bbf7a
Malware Config
Extracted
- Family: danabot
- 1765
- 192.161.48.5:443
- 192.3.26.98:443
- 142.44.224.16:443
- 192.236.162.42:443
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow  pid   process
    13    1940  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 22 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description           ioc                                                                                   process
    Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RUNDLL32.EXE
    Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision  RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                 RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status        RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier     RUNDLL32.EXE
    Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                        RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier           RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information  RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet           RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1  RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet           RUNDLL32.EXE
    Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      RUNDLL32.EXE
    Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                        RUNDLL32.EXE
    Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                      RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString  RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier     RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz                 RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision      RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  RUNDLL32.EXE
    Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information  RUNDLL32.EXE
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process
    3168  powershell.exe
    3168  powershell.exe
    3168  powershell.exe
    1940  RUNDLL32.EXE
    1940  RUNDLL32.EXE
    528   powershell.exe
    528   powershell.exe
    528   powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4732  rundll32.exe
    Token: SeDebugPrivilege  1940  RUNDLL32.EXE
    Token: SeDebugPrivilege  3168  powershell.exe
    Token: SeDebugPrivilege  528   powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    1940  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description                       pid   process         target pid  target process
    PID 4684 wrote to memory of 4732  4684  rundll32.exe    4732        rundll32.exe
    PID 4684 wrote to memory of 4732  4684  rundll32.exe    4732        rundll32.exe
    PID 4684 wrote to memory of 4732  4684  rundll32.exe    4732        rundll32.exe
    PID 4732 wrote to memory of 1940  4732  rundll32.exe    1940        RUNDLL32.EXE
    PID 4732 wrote to memory of 1940  4732  rundll32.exe    1940        RUNDLL32.EXE
    PID 4732 wrote to memory of 1940  4732  rundll32.exe    1940        RUNDLL32.EXE
    PID 1940 wrote to memory of 3168  1940  RUNDLL32.EXE    3168        powershell.exe
    PID 1940 wrote to memory of 3168  1940  RUNDLL32.EXE    3168        powershell.exe
    PID 1940 wrote to memory of 3168  1940  RUNDLL32.EXE    3168        powershell.exe
    PID 1940 wrote to memory of 528   1940  RUNDLL32.EXE    528         powershell.exe
    PID 1940 wrote to memory of 528   1940  RUNDLL32.EXE    528         powershell.exe
    PID 1940 wrote to memory of 528   1940  RUNDLL32.EXE    528         powershell.exe
    PID 528 wrote to memory of 1472   528   powershell.exe  1472        nslookup.exe
    PID 528 wrote to memory of 1472   528   powershell.exe  1472        nslookup.exe
    PID 528 wrote to memory of 1472   528   powershell.exe  1472        nslookup.exe
    PID 1940 wrote to memory of 1632  1940  RUNDLL32.EXE    1632        schtasks.exe
    PID 1940 wrote to memory of 1632  1940  RUNDLL32.EXE    1632        schtasks.exe
    PID 1940 wrote to memory of 1632  1940  RUNDLL32.EXE    1632        schtasks.exe
    PID 1940 wrote to memory of 1868  1940  RUNDLL32.EXE    1868        schtasks.exe
    PID 1940 wrote to memory of 1868  1940  RUNDLL32.EXE    1868        schtasks.exe
    PID 1940 wrote to memory of 1868  1940  RUNDLL32.EXE    1868        schtasks.exe
Processes (tree; PIDs taken from the WriteProcessMemory table above)
- C:\Windows\system32\rundll32.exe (PID 4684)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\-BK-C-CTI.exe.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4732)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\-BK-C-CTI.exe.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE (PID 1940)
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\-BK-C-CTI.exe.dll,ZU0YTI3N
      - Blocklisted process makes network request
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 3168)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp50C5.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 528)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6597.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\nslookup.exe (PID 1472)
          Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
      - C:\Windows\SysWOW64\schtasks.exe (PID 1632)
        Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      - C:\Windows\SysWOW64\schtasks.exe (PID 1868)
        Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
- C:\Users\Admin\AppData\Local\Temp\tmp50C5.tmp.ps1
- C:\Users\Admin\AppData\Local\Temp\tmp50C6.tmp
- C:\Users\Admin\AppData\Local\Temp\tmp6597.tmp.ps1
- C:\Users\Admin\AppData\Local\Temp\tmp6598.tmp