Resubmissions

  Submitted          Task ID              Score
  14-04-2021 07:36   210414-5m9dl22k26    10
  18-03-2021 07:44   210318-kgqs6taqta    10
  17-03-2021 10:28   210317-57t2yctxrj    10

Analysis
  max time kernel:   101s
  max time network:  76s
  platform:          windows7_x64
  resource:          win7v20210410
  submitted:         14-04-2021 07:36

Static task
  static1
General
  Target:   b1a0e13af901eb4730c04e0162bcc470.exe
  Size:     6.0MB
  MD5:      b1a0e13af901eb4730c04e0162bcc470
  SHA1:     b5acb4bb5be306229d1d088ffb5c489447de0e13
  SHA256:   cf0a8e3f14b2483a5b62385f141d63314f239cbd604b87748feb9c53627c4a8d
  SHA512:   094925316433086d89103c96f05b6608fc9c6440710174d6d45046555059eeec94523d3b202bdd4aaf0c1a44dc95f4d4e4e8158d5e52cfc64450fb4517f5b088
Malware Config

Extracted
  Family:   danabot
  Version:  1765
  Botnet:   3
  C2:       142.44.224.16:443
            23.106.123.117:443
            192.3.26.98:443
            192.161.48.5:443
  Attributes
    embedded_hash:  B2585F6479280F48B64C99F950BBF36D

All four C2 endpoints are bare IP addresses on port 443, so no DNS lookup precedes the connection and DNS-based telemetry will not see them; block or alert on the IP:port pairs directly, and expect the traffic to look like ordinary HTTPS at the port level.
Signatures

Blocklisted process makes network request (4 IoCs)
  All four flows originate from the second-stage RUNDLL32.EXE (pid 752). The sandbox keeps living-off-the-land hosts such as rundll32.exe on the blocklist for this signature because in normal use they rarely originate network traffic, and when they do the DLL they are hosting is the thing to inspect.
  flow  pid  process
  5     752  RUNDLL32.EXE
  6     752  RUNDLL32.EXE
  7     752  RUNDLL32.EXE
  8     752  RUNDLL32.EXE
Deletes itself (1 IoC)
  pid   process
  1720  rundll32.exe
  The first rundll32.exe stage was handed the dropper's own path (B1A0E1~1.EXE, see the process tree) as the argument to the DLL's Z export, so the deletion recorded here is consistent with the DLL removing the original executable on the dropper's behalf.
Loads dropped DLL (8 IoCs)
  pid   process        loads
  1720  rundll32.exe   4
  752   RUNDLL32.EXE   4
  Both stages load the same dropped file, C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL (hashes under Downloads).
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry (HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall and its per-user and WOW6432Node equivalents) to enumerate software on the system.
Drops desktop.ini file(s) (4 IoCs)
  description                   ioc                                                                        process
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini       RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VLFEZDK1\desktop.ini    RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini    RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini    RUNDLL32.EXE
  All four are ordinary per-folder desktop.ini files inside the user's AppData\Local\Microsoft tree, most likely touched while the second stage walks the profile; on its own this signature is low-signal and mainly corroborates the browser-data enumeration above.
Checks processor information in registry (2 TTPs, 25 IoCs)
  Processor information is often read in order to detect sandboxing environments: the CPU name string, vendor and core count exposed under HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor differ between real hardware and many hypervisors, and a low core count is a common sandbox tell. In this run the sample read every value under both enumerated cores (0 and 1).
  All paths below are relative to \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor; every access was made by RUNDLL32.EXE (pid 752).
  description           key / value
  Key enumerated        (root)
  Key value queried     0\Update Signature
  Key value queried     1\Identifier
  Key value queried     1\VendorIdentifier
  Key value queried     0\Configuration Data
  Key value queried     1\Component Information
  Key value queried     1\ProcessorNameString
  Key value enumerated  0
  Key opened            (root)
  Key value queried     1\Configuration Data
  Key value queried     0\~MHz
  Key value queried     0\Update Status
  Key value queried     1\Update Signature
  Key value queried     0\Platform ID
  Key value queried     0\ProcessorNameString
  Key opened            0
  Key value queried     0\Previous Update Signature
  Key value queried     1\Platform ID
  Key value queried     0\Identifier
  Key value queried     0\VendorIdentifier
  Key value queried     0\Component Information
  Key opened            1
  Key value enumerated  1
  Key value queried     0\FeatureSet
  Key value queried     1\Previous Update Signature
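The registry IoCs above are printed by the report as one run-on line, which is awkward to work with once there are more than a handful of them. The script below is an added example, not part of the Tria.ge report: it parses that flattened "action path process" format, groups the CentralProcessor values each process queried, and flags a process once it has read several of the values that identify the CPU model. The sample text is an excerpt of the report's own lines plus one constructed benign record (taskmgr.exe); the scoring set and the threshold are my assumptions, not something the sandbox defines.

```python
"""Parse the registry IoC lines of a sandbox report and score CPU fingerprinting.

Added example. The RECORD_RE format mirrors the report's flattened
'<action> <path> <process>' text; FINGERPRINT_VALUES and THRESHOLD are
assumptions chosen for this demonstration.
"""
from __future__ import annotations
import re
from collections import defaultdict

# One record = action, registry path (may contain spaces), process name.
RECORD_RE = re.compile(
    r"(?P<action>Key(?: value)? (?:opened|enumerated|queried))\s+"
    r"(?P<path>\\REGISTRY\\.+?)\s+"
    r"(?P<process>\S+\.exe)",
    re.IGNORECASE,
)
# Per-core value under CentralProcessor, e.g. ...\CentralProcessor\0\~MHz
CPU_PREFIX = re.compile(
    r"^\\REGISTRY\\MACHINE\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\"
    r"(?P<core>\d+)\\(?P<value>.+)$",
    re.IGNORECASE,
)
# Values whose combination pins down the CPU model/vendor well enough to tell a
# hypervisor's synthetic CPU from real hardware (assumed scoring set).
FINGERPRINT_VALUES = {"ProcessorNameString", "VendorIdentifier", "Identifier",
                      "~MHz", "FeatureSet"}
THRESHOLD = 3  # assumption: three or more fingerprint values from one process


def parse_records(blob: str) -> list[dict]:
    """Split the report's flattened text into one dict per registry access."""
    return [m.groupdict() for m in RECORD_RE.finditer(blob)]


def cpu_values_by_process(records) -> dict[str, set[str]]:
    """Map process name -> set of CentralProcessor value names it queried."""
    out = defaultdict(set)
    for r in records:
        m = CPU_PREFIX.match(r["path"])
        if m and r["action"].lower() == "key value queried":
            out[r["process"].upper()].add(m.group("value"))
    return dict(out)


def flag_fingerprinting(records) -> dict[str, set[str]]:
    """Processes that queried at least THRESHOLD distinct fingerprint values."""
    hits = {}
    for proc, values in cpu_values_by_process(records).items():
        matched = values & FINGERPRINT_VALUES
        if len(matched) >= THRESHOLD:
            hits[proc] = matched
    return hits


# Excerpt of the report's own lines (RUNDLL32.EXE) plus one constructed
# benign control record (taskmgr.exe reading a single value).
SAMPLE_BLOB = (
    r"Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE "
    r"Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE "
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz taskmgr.exe"
)

if __name__ == "__main__":
    recs = parse_records(SAMPLE_BLOB)
    print(f"{len(recs)} records parsed")
    for proc, values in flag_fingerprinting(recs).items():
        print(f"{proc}: CPU fingerprinting, values {sorted(values)}")
```

The same parser runs unchanged over the full 25-entry block from the report; the point of the threshold is that a single read of ~MHz or ProcessorNameString is normal for system tools, while collecting the name, vendor, identifier, feature set and clock for every core in one burst is not.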
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1720  rundll32.exe
  Token: SeDebugPrivilege  752   RUNDLL32.EXE
  Both stages enable SeDebugPrivilege, the privilege that lets a process open handles to processes it does not own. A DLL hosted by rundll32 has no routine reason to request it, so these two events are worth correlating with any later cross-process access from the same pids.
Suspicious use of WriteProcessMemory (14 IoCs)
  source pid  source process                         target pid  target process  writes
  1864        b1a0e13af901eb4730c04e0162bcc470.exe   1720        rundll32.exe    7
  1720        rundll32.exe                           752         RUNDLL32.EXE    7
  Each stage writes only into the child it has just created, and a parent writing into a freshly spawned child is also what ordinary process start-up looks like, so the count on its own does not prove code injection. What makes it suspicious here is the chain (dropper to rundll32 to rundll32) together with the dropped DLL being loaded in both children.
Processes

C:\Users\Admin\AppData\Local\Temp\b1a0e13af901eb4730c04e0162bcc470.exe  (pid 1864)
    "C:\Users\Admin\AppData\Local\Temp\b1a0e13af901eb4730c04e0162bcc470.exe"
    - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe  (pid 1720, child of 1864)
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\RUNDLL32.EXE  (pid 752, child of 1720)
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL,NSMSNJ8=
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Drops desktop.ini file(s)
        - Checks processor information in registry
        - Suspicious use of AdjustPrivilegeToken

Three details of the command lines matter for detection. The DLL is referenced by its 8.3 short name (B1A0E1~1.DLL) rather than its long file name, so a path rule keyed on the full name will miss it. The token after the comma is the export rundll32 calls: a single letter (Z) for the first stage and a random-looking name ending in "=" (NSMSNJ8=) for the second, neither of which looks like an export a legitimate installer would invoke. Finally, the command lines name C:\Windows\system32\ but the executing image is C:\Windows\SysWOW64\rundll32.exe: the sample is 32-bit and was redirected by WOW64 on this x64 Windows 7 VM, so rules that match only on the System32 path will miss it too.
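The process tree and the extracted C2 list are the parts of this report that translate most directly into a detection rule. What follows is an added example, not part of the Tria.ge report: it runs a few checks over Sysmon-style process-creation (EventID 1) and network-connection (EventID 3) records that I constructed to mirror the tree above and the C2 list from the config, plus one benign rundll32 invocation as a control. The field names, the 8.3-short-name check and the export-name heuristic are my assumptions about what a sensor provides and what is worth flagging.

```python
"""Detection logic for the rundll32 launch chain and C2 contacts in this report.

Added example. The event dicts below are constructed to mirror the sandbox's
process tree (pids 1864 -> 1720 -> 752); Sysmon-style field names are an
assumption about the log source, not something the report specifies.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# C2 endpoints from the extracted DanaBot config (ip, port)
DANABOT_C2 = {
    ("142.44.224.16", 443),
    ("23.106.123.117", 443),
    ("192.3.26.98", 443),
    ("192.161.48.5", 443),
}

# rundll32 <dll>,<export> [args]
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>\S+?),(?P<export>[^\s]+)(?P<args>.*)$",
    re.IGNORECASE,
)
# 8.3 short-name component such as B1A0E1~1.DLL
SHORT_NAME_RE = re.compile(r"[A-Z0-9_]{1,6}~\d+\.", re.IGNORECASE)
# Export names seen here: a single letter, or a random token ending in '=' (assumed heuristic)
ODD_EXPORT_RE = re.compile(r"^(?:[A-Za-z]|[A-Za-z0-9]{4,}=)$")


@dataclass
class Finding:
    pid: int
    rule: str
    detail: str


def analyse_process_creation(ev: dict) -> list[Finding]:
    """Flag rundll32 loading a DLL from %TEMP% via a short name, calling an
    odd export, or being spawned by another rundll32."""
    findings = []
    m = RUNDLL32_RE.search(ev["CommandLine"])
    if not m:
        return findings
    dll, export = m.group("dll"), m.group("export")
    if SHORT_NAME_RE.search(dll) and "\\temp\\" in dll.lower():
        findings.append(Finding(ev["ProcessId"], "rundll32_temp_short_path",
                                f"{dll} referenced via 8.3 short name"))
    if ODD_EXPORT_RE.match(export):
        findings.append(Finding(ev["ProcessId"], "rundll32_odd_export",
                                f"export '{export}' from {dll}"))
    if ev["ParentImage"].lower().endswith("rundll32.exe"):
        findings.append(Finding(ev["ProcessId"], "rundll32_spawns_rundll32",
                                f"parent pid {ev['ParentProcessId']}"))
    return findings


def analyse_network(ev: dict) -> list[Finding]:
    """Flag a rundll32 process contacting a known C2 endpoint."""
    if (ev["DestinationIp"], ev["DestinationPort"]) in DANABOT_C2 \
            and ev["Image"].lower().endswith("rundll32.exe"):
        return [Finding(ev["ProcessId"], "danabot_c2_contact",
                        f"{ev['DestinationIp']}:{ev['DestinationPort']}")]
    return []


def run(events) -> list[Finding]:
    out = []
    for ev in events:
        if ev["EventID"] == 1:
            out.extend(analyse_process_creation(ev))
        elif ev["EventID"] == 3:
            out.extend(analyse_network(ev))
    return out


# Constructed events mirroring the report's process tree, plus a benign control.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 1864, "ParentProcessId": 1100,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\b1a0e13af901eb4730c04e0162bcc470.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\b1a0e13af901eb4730c04e0162bcc470.exe"'},
    {"EventID": 1, "ProcessId": 1720, "ParentProcessId": 1864,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\b1a0e13af901eb4730c04e0162bcc470.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.EXE"},
    {"EventID": 1, "ProcessId": 752, "ParentProcessId": 1720,
     "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "ParentImage": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL,NSMSNJ8="},
    {"EventID": 3, "ProcessId": 752, "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "DestinationIp": "142.44.224.16", "DestinationPort": 443},
    # benign control: full path, well-known export, launched from Explorer
    {"EventID": 1, "ProcessId": 2000, "ParentProcessId": 1100,
     "Image": r"C:\Windows\System32\rundll32.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

if __name__ == "__main__":
    for f in run(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.rule} ({f.detail})")
```

On the constructed input the dropper itself and the benign rundll32 call produce nothing, the first stage trips the short-path and odd-export rules, and the second stage trips those plus the rundll32-spawns-rundll32 and C2-contact rules. In production the C2 set would come from a threat-intel feed rather than a literal, and the export heuristic needs an allowlist of legitimate single-letter exports if any exist in your estate.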
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL
  MD5:      d8751ef19dddbbcff76b692d24863327
  SHA1:     db9e819a4c3752b78c6a3f1ba4c1425d8461c24f
  SHA256:   7b33e716bb7d853da0936d60ac7db620206ec7c039ef991f93db01e2ae7ca369
  SHA512:   ff7ae8d1f512fa97412bfc355470e04f2e38af661d568bb1def8f19cb2ab554968c73a5d34608f886550b4c03b67347c4e5d57fdf7440df287f4910a07b8a6ce
  The report lists this entry nine times, once with the drive letter and eight times as \Users\Admin\AppData\Local\Temp\B1A0E1~1.DLL; the hashes are identical, so it is a single dropped file. It is the DLL both rundll32 stages host (see the process tree and the "Loads dropped DLL" signature), and its hashes are worth pivoting on separately from the dropper's, since the two are distinct files.
Memory dumps
  dump                                                              region                  size
  memory/752-82-0x00000000026A0000-0x00000000026A1000-memory.dmp    0x026A0000-0x026A1000   4KB
  memory/752-83-0x0000000002A21000-0x0000000003082000-memory.dmp    0x02A21000-0x03082000   6.4MB
  memory/752-80-0x0000000002020000-0x00000000025DB000-memory.dmp    0x02020000-0x025DB000   5.7MB
  memory/752-74-0x0000000000000000-mapping.dmp                      (mapping, no range)     -
  memory/1720-71-0x0000000001F70000-0x000000000252B000-memory.dmp   0x01F70000-0x0252B000   5.7MB
  memory/1720-73-0x0000000002941000-0x0000000002FA2000-memory.dmp   0x02941000-0x02FA2000   6.4MB
  memory/1720-72-0x00000000030C0000-0x00000000030C1000-memory.dmp   0x030C0000-0x030C1000   4KB
  memory/1720-64-0x0000000000000000-mapping.dmp                     (mapping, no range)     -
  memory/1720-81-0x00000000000B0000-0x00000000000B1000-memory.dmp   0x000B0000-0x000B1000   4KB
  memory/1864-61-0x00000000038B0000-0x0000000003FA7000-memory.dmp   0x038B0000-0x03FA7000   7.0MB
  memory/1864-60-0x0000000076A81000-0x0000000076A83000-memory.dmp   0x76A81000-0x76A83000   8KB
  memory/1864-62-0x0000000000400000-0x0000000003096000-memory.dmp   0x00400000-0x03096000   44.6MB
  memory/1864-63-0x0000000000220000-0x0000000000221000-memory.dmp   0x00220000-0x00221000   4KB

  The dropper's own image at 0x00400000 spans 44.6MB for a 6.0MB file, which most likely means large sections with a virtual size far beyond their raw size, filled in at run time by an unpacker. The two rundll32 stages each hold a 5.7MB (0x5BB000 bytes) and a 6.4MB (0x661000 bytes) region at different base addresses; identical sizes in both stages are consistent with the same unpacked module being mapped in each, so the 6.4MB dumps are the ones to open in a disassembler first.
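The dump names encode the pid, a sequence number and the region's address range, so the sizes in the table can be recomputed and the regions compared across processes without touching the dump files. The script below is an added example, not from the report: it parses the dump names listed above, reproduces the report's size rounding, and reports region sizes that recur in more than one process. The rounding rule and the cross-process size heuristic are my reconstruction, not a documented sandbox feature.

```python
"""Parse sandbox memory-dump names and cross-check region sizes across processes.

Added example. REPORT_DUMPS are the dump names printed in this report; the
size formatting reproduces the report's rounding (assumption), and
shared_sizes() is an analyst heuristic for spotting the same module mapped
into several processes.
"""
from __future__ import annotations
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-"
    r"(?:0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory"
    r"|0x[0-9A-Fa-f]+-mapping)\.dmp$"
)


def parse_dump(name: str) -> dict | None:
    """Return pid/seq/start/end/size for a region dump; None for a mapping dump."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    if m.group("start") is None:  # '-mapping.dmp' entries carry no address range
        return None
    start, end = int(m.group("start"), 16), int(m.group("end"), 16)
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")),
            "start": start, "end": end, "size": end - start}


def human_size(n: int) -> str:
    """Reproduce the report's rounding: whole KB below 1 MiB, else one-decimal MB."""
    if n < 1 << 20:
        return f"{n // 1024}KB"
    return f"{n / (1 << 20):.1f}MB"


def regions(names) -> list[dict]:
    """All address-range dumps, ordered by the sandbox's sequence number."""
    out = [r for r in (parse_dump(n) for n in names) if r]
    return sorted(out, key=lambda r: r["seq"])


def shared_sizes(names, min_size: int = 1 << 20) -> dict[int, set[int]]:
    """Region sizes (>= min_size) that occur in more than one process."""
    by_size = defaultdict(set)
    for r in regions(names):
        if r["size"] >= min_size:
            by_size[r["size"]].add(r["pid"])
    return {s: pids for s, pids in by_size.items() if len(pids) > 1}


# Dump names as printed in this report.
REPORT_DUMPS = [
    "memory/752-82-0x00000000026A0000-0x00000000026A1000-memory.dmp",
    "memory/752-83-0x0000000002A21000-0x0000000003082000-memory.dmp",
    "memory/752-80-0x0000000002020000-0x00000000025DB000-memory.dmp",
    "memory/752-74-0x0000000000000000-mapping.dmp",
    "memory/1720-71-0x0000000001F70000-0x000000000252B000-memory.dmp",
    "memory/1720-73-0x0000000002941000-0x0000000002FA2000-memory.dmp",
    "memory/1720-72-0x00000000030C0000-0x00000000030C1000-memory.dmp",
    "memory/1720-64-0x0000000000000000-mapping.dmp",
    "memory/1720-81-0x00000000000B0000-0x00000000000B1000-memory.dmp",
    "memory/1864-61-0x00000000038B0000-0x0000000003FA7000-memory.dmp",
    "memory/1864-60-0x0000000076A81000-0x0000000076A83000-memory.dmp",
    "memory/1864-62-0x0000000000400000-0x0000000003096000-memory.dmp",
    "memory/1864-63-0x0000000000220000-0x0000000000221000-memory.dmp",
]

if __name__ == "__main__":
    for r in regions(REPORT_DUMPS):
        print(f"seq {r['seq']:>3}  pid {r['pid']:>5}  "
              f"0x{r['start']:08X}-0x{r['end']:08X}  {human_size(r['size']):>7}")
    for size, pids in shared_sizes(REPORT_DUMPS).items():
        print(f"{human_size(size)} (0x{size:X}) region present in pids {sorted(pids)}")
```

Sorting by the sequence number puts the dumps in the order the sandbox took them, which is useful because it shows the dropper's regions (seq 60 to 63) captured before either rundll32 stage existed. The shared-size check only reports regions of at least 1 MiB so that the 4KB stack and TEB-sized dumps present in every process do not drown out the two payload-sized matches.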