Analysis
-
max time kernel
137s -
max time network
128s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
12-04-2021 12:08
Static task
static1
Behavioral task
behavioral1
Sample
586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe
Resource
win7v20210408
General
-
Target
586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe
-
Size
6.0MB
-
MD5
233d9fd5a7f914b37db9921758aec1eb
-
SHA1
903ffecd586cd71cd83d87bffb6384b6d87ec743
-
SHA256
586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4
-
SHA512
ab2b207ed84dc603f759200e174dfc8e6ef902adf64ba4fbbdd3b0f5a8cfc33f2ee621034d7a381a577b97fd9e9d52ffbea748795095b49ded2eb19f87c56631
Malware Config
Extracted
danabot
1827
3
23.106.123.141:443
23.254.225.170:443
193.34.167.88:443
23.106.123.185:443
-
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 9 508 RUNDLL32.EXE 14 508 RUNDLL32.EXE 15 508 RUNDLL32.EXE 16 508 RUNDLL32.EXE -
Deletes itself 1 IoCs
Processes:
rundll32.exepid process 3172 rundll32.exe -
Loads dropped DLL 3 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpid process 3172 rundll32.exe 508 RUNDLL32.EXE 508 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 3172 rundll32.exe Token: SeDebugPrivilege 508 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exerundll32.exedescription pid process target process PID 804 wrote to memory of 3172 804 586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe rundll32.exe PID 804 wrote to memory of 3172 804 586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe rundll32.exe PID 804 wrote to memory of 3172 804 586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe rundll32.exe PID 3172 wrote to memory of 508 3172 rundll32.exe RUNDLL32.EXE PID 3172 wrote to memory of 508 3172 rundll32.exe RUNDLL32.EXE PID 3172 wrote to memory of 508 3172 rundll32.exe RUNDLL32.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe"C:\Users\Admin\AppData\Local\Temp\586b6b985abf0ac8b8e6cbf065e59989783409c9a5a390db3e9c1310da4c07a4.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\586B6B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\586B6B~1.EXE2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\586B6B~1.DLL,NhAmLDa4BVQ=3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\586B6B~1.DLLMD5
cd1fe6ca56034ce3d61c3cb3e96b93a4
SHA1148f6714446c5372654cc23366cfb230cf1b8b9a
SHA256ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f
SHA512a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c
-
\Users\Admin\AppData\Local\Temp\586B6B~1.DLLMD5
cd1fe6ca56034ce3d61c3cb3e96b93a4
SHA1148f6714446c5372654cc23366cfb230cf1b8b9a
SHA256ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f
SHA512a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c
-
\Users\Admin\AppData\Local\Temp\586B6B~1.DLLMD5
cd1fe6ca56034ce3d61c3cb3e96b93a4
SHA1148f6714446c5372654cc23366cfb230cf1b8b9a
SHA256ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f
SHA512a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c
-
\Users\Admin\AppData\Local\Temp\586B6B~1.DLLMD5
cd1fe6ca56034ce3d61c3cb3e96b93a4
SHA1148f6714446c5372654cc23366cfb230cf1b8b9a
SHA256ddad6c36e71f646627c9652577171cab4bfafa9086badac0e9f8220549d1aa7f
SHA512a46db2b3bf8a79c8986c81fe904ddb64f906c7adc0eb2d7dead2f6295e8b77aef8bdd70ec4adce1face6046c90dbd0375433bb70647e5abef8376b85743c978c
-
memory/508-122-0x0000000000000000-mapping.dmp
-
memory/508-125-0x00000000048C0000-0x0000000004E79000-memory.dmpFilesize
5.7MB
-
memory/508-128-0x0000000005080000-0x0000000005081000-memory.dmpFilesize
4KB
-
memory/508-129-0x00000000054B1000-0x0000000005B0F000-memory.dmpFilesize
6.4MB
-
memory/804-114-0x0000000006840000-0x0000000006F35000-memory.dmpFilesize
7.0MB
-
memory/804-115-0x0000000000400000-0x0000000004359000-memory.dmpFilesize
63.3MB
-
memory/804-116-0x00000000060A0000-0x00000000060A1000-memory.dmpFilesize
4KB
-
memory/3172-117-0x0000000000000000-mapping.dmp
-
memory/3172-126-0x0000000005401000-0x0000000005A5F000-memory.dmpFilesize
6.4MB
-
memory/3172-127-0x0000000003230000-0x0000000003231000-memory.dmpFilesize
4KB