Analysis
- max time kernel: 127s
- max time network: 117s
- platform: windows7_x64
- resource: win7v20210410
- submitted: 15-04-2021 17:27
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 70f39b918aa79601c5b9d17935559538.exe
  - Resource: win7v20210410
General
- Target: 70f39b918aa79601c5b9d17935559538.exe
- Size: 5.9MB
- MD5: 70f39b918aa79601c5b9d17935559538
- SHA1: 6f705010574cfbfe78c93b0710f41d0587697ce5
- SHA256: 0f237d9138bc4c7ed7b15f75a9690c25b6dbe90fd2f2a5f9b238d2b978d0e1f8
- SHA512: a92eae29fd10f247db4641411592f42874516f819052abf7c4727193b381baef479e0eccdc2f1df15ddcc658ff6d48f1d5f55baa4f3d36904c90c6d2a3e0d61d
Malware Config
Extracted
- Family: danabot
- Config values as reported (unlabelled): 1827, 3
- C2 (IP:port):
  - 192.210.198.12:443
  - 23.106.123.185:443
  - 192.236.147.83:443
  - 23.106.123.141:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
- Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  4     1264  RUNDLL32.EXE
  5     1264  RUNDLL32.EXE
  6     1264  RUNDLL32.EXE
  7     1264  RUNDLL32.EXE
- Deletes itself (1 IoC)
  pid   process
  1648  rundll32.exe
- Loads dropped DLL (8 IoCs)
  pid   process       loads
  1648  rundll32.exe  4
  1264  RUNDLL32.EXE  4
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and other sensitive user data.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate the software installed on the system.
- Drops desktop.ini file(s) (5 IoCs)
  File opened for modification by RUNDLL32.EXE:
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\BQE06QBJ\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini
  - C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\XVLP3GFJ\desktop.ini
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1648  rundll32.exe
  Token: SeDebugPrivilege  1264  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  description                                pid   process                               target process
  PID 1048 wrote to memory of PID 1648 (x7)  1048  70f39b918aa79601c5b9d17935559538.exe  rundll32.exe
  PID 1648 wrote to memory of PID 1264 (x7)  1648  rundll32.exe                          RUNDLL32.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe (PID 1048)
   "C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1648)
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\70F39B~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE (PID 1264)
         C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,aEImjBwTAw==
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the WriteProcessMemory table above. The command lines name C:\Windows\system32\rundll32.exe, but the image that actually runs is the 32-bit C:\Windows\SysWOW64\rundll32.exe because the 32-bit parent is subject to WoW64 file-system redirection. The dropped DLL (70F39B~1.DLL, the 8.3 short name of a file sharing the dropper's name stem) is first invoked through export Z with the dropper's own path as its argument; that process (PID 1648) is the one flagged as deleting itself. The second rundll32 (PID 1264), invoked through the export name aEImjBwTAw==, is the one that performs the network requests and touches browser data.
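As an added example (not part of the sandbox report or of any vendor's code), the following Python turns the rundll32 pattern visible in the process tree above into detection logic and runs it over a constructed process-creation log. The pipe-separated log format, the function names and the filler PIDs 900 and 2000 are assumptions made for this example; PIDs 1048, 1648 and 1264 and the three command lines are taken from the report.

```python
"""Flag suspicious rundll32 invocations in process-creation log lines.

Added example, not part of the sandbox report. Heuristics: DLL loaded from a
user-writable directory, DLL referenced by an 8.3 short name, export name that
is not a plain identifier, rundll32 chained from a Temp-resident parent or from
another rundll32. Log format pid|ppid|image|cmdline is assumed for this example.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Directories an unprivileged user can write to; a DLL handed to rundll32 from
# one of these is far more suspicious than one under System32.
USER_WRITABLE = re.compile(
    r"\\(Users\\[^\\]+\\AppData|Users\\Public|ProgramData|Windows\\Temp)\\", re.I)
SHORT_NAME = re.compile(r"~\d+\.")           # 8.3 name such as 70F39B~1.DLL
PLAIN_IDENT = re.compile(r"^[A-Za-z_]\w*$")  # ordinary export name
ORDINAL = re.compile(r"^#\d+$")              # rundll32 also accepts "#<ordinal>"
RUNDLL32 = re.compile(r"(^|\\)rundll32\.exe$", re.I)


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


@dataclass
class Finding:
    pid: int
    dll: str
    export: Optional[str]
    reasons: List[str]


# Constructed sample log modelled on the report's process tree (PIDs 1048, 1648
# and 1264 and their command lines come from the report; 900 and 2000 are filler).
SAMPLE_LOG = r"""
1048|900|C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe|"C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe"
1648|1048|C:\Windows\SysWOW64\rundll32.exe|C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\70F39B~1.EXE
1264|1648|C:\Windows\SysWOW64\RUNDLL32.EXE|C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,aEImjBwTAw==
2000|900|C:\Windows\System32\rundll32.exe|C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL appwiz.cpl
"""


def parse_log(text: str) -> List[ProcEvent]:
    """Parse pid|ppid|image|cmdline lines (assumed format for this example)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            pid, ppid, image, cmdline = line.split("|", 3)
            events.append(ProcEvent(int(pid), int(ppid), image, cmdline))
    return events


def split_rundll32_args(cmdline: str) -> Tuple[Optional[str], Optional[str]]:
    """Return (dll, export) from 'rundll32 <dll>,<export> [args]'; quoted DLL paths allowed."""
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)  # skip the image token
    if not m:
        return None, None
    m = re.match(r'\s*(?:"(?P<q>[^"]+)"|(?P<u>[^,\s"]+))\s*(?:,\s*(?P<export>\S+))?',
                 m.group(1))
    if not m:
        return None, None
    return (m.group("q") or m.group("u")), m.group("export")


def analyse(events: List[ProcEvent]) -> List[Finding]:
    """Return one Finding per rundll32 process that trips at least one heuristic."""
    by_pid: Dict[int, ProcEvent] = {e.pid: e for e in events}
    findings: List[Finding] = []
    for e in events:
        if not RUNDLL32.search(e.image):
            continue
        dll, export = split_rundll32_args(e.cmdline)
        if dll is None:
            continue
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("dll loaded from a user-writable directory")
        if SHORT_NAME.search(dll):
            reasons.append("dll referenced by an 8.3 short name")
        if export and not (PLAIN_IDENT.match(export) or ORDINAL.match(export)):
            reasons.append("export name is not a plain identifier")
        parent = by_pid.get(e.ppid)
        if parent is not None:
            if USER_WRITABLE.search(parent.image):
                reasons.append("parent image runs from a user-writable directory")
            if RUNDLL32.search(parent.image):
                reasons.append("rundll32 spawned by another rundll32")
        if reasons:
            findings.append(Finding(e.pid, dll, export, reasons))
    return findings


if __name__ == "__main__":
    for f in analyse(parse_log(SAMPLE_LOG)):
        print(f"pid {f.pid}: {f.dll},{f.export}")
        for r in f.reasons:
            print(f"    - {r}")
```

Run against the constructed log, both sandbox rundll32 processes (1648 and 1264) are flagged and the benign shell32.dll invocation is not. Each heuristic on its own is noisy (8.3 short names and Temp-resident DLLs appear in legitimate installers), so in production these reasons should feed a score or be combined with the parent-process and network context rather than alert individually.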
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL
  MD5: 64830f0126d8c55806fb14757c5972ba
  SHA1: a15d9828888e7581b85b493cb30b7336ded9742d
  SHA256: a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341
  SHA512: 7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e
- Memory dumps (size)
  memory/1048-60-0x0000000002FA0000-0x0000000003694000-memory.dmp  7.0MB
  memory/1048-61-0x0000000000400000-0x0000000000FCC000-memory.dmp  11.8MB
  memory/1048-62-0x0000000000220000-0x0000000000221000-memory.dmp  4KB
  memory/1048-59-0x0000000075721000-0x0000000075723000-memory.dmp  8KB
  memory/1264-72-0x0000000000000000-mapping.dmp
  memory/1264-79-0x0000000002260000-0x0000000002819000-memory.dmp  5.7MB
  memory/1264-81-0x00000000032A0000-0x00000000032A1000-memory.dmp  4KB
  memory/1264-82-0x0000000002AF1000-0x000000000314F000-memory.dmp  6.4MB
  memory/1648-70-0x0000000002030000-0x00000000025E9000-memory.dmp  5.7MB
  memory/1648-71-0x0000000003150000-0x0000000003151000-memory.dmp  4KB
  memory/1648-63-0x0000000000000000-mapping.dmp
  memory/1648-78-0x00000000029A1000-0x0000000002FFF000-memory.dmp  6.4MB
  memory/1648-80-0x00000000000F0000-0x00000000000F1000-memory.dmp  4KB