Analysis
max time kernel: 132s
max time network: 110s
platform: windows10_x64
resource: win10v20210408
submitted: 15-04-2021 17:27
Static task: static1
Behavioral task: behavioral1
  Sample: 70f39b918aa79601c5b9d17935559538.exe
  Resource: win7v20210410
General
Target: 70f39b918aa79601c5b9d17935559538.exe
Size: 5.9MB
MD5: 70f39b918aa79601c5b9d17935559538
SHA1: 6f705010574cfbfe78c93b0710f41d0587697ce5
SHA256: 0f237d9138bc4c7ed7b15f75a9690c25b6dbe90fd2f2a5f9b238d2b978d0e1f8
SHA512: a92eae29fd10f247db4641411592f42874516f819052abf7c4727193b381baef479e0eccdc2f1df15ddcc658ff6d48f1d5f55baa4f3d36904c90c6d2a3e0d61d
Malware Config
Extracted
Family: danabot
1827
3
C2 (ip:port):
  192.210.198.12:443
  23.106.123.185:443
  192.236.147.83:443
  23.106.123.141:443
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
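The four C2 endpoints in the extracted config are the most directly actionable indicators on this page. The Python below, added here as an example and not part of the sandbox output, matches them against connection records. The record layout (timestamp, source IP, destination IP, destination port, whitespace-separated) and the log lines are constructed for the example, not taken from the sandbox; adapt parse_conn_line to your own firewall or Zeek conn.log layout.

```python
"""Match the Danabot C2 endpoints extracted in this report against connection logs.

Added example; not part of the sandbox report. The "ts src dst dport" line format
and the sample log below are constructed so the script runs offline.
"""
import ipaddress
import re

# Endpoints from the Malware Config section above, as (ip, port).
DANABOT_C2 = {
    ("192.210.198.12", 443),
    ("23.106.123.185", 443),
    ("192.236.147.83", 443),
    ("23.106.123.141", 443),
}

# Constructed connection records (hypothetical format: ts src dst dport).
SAMPLE_CONN_LOG = """\
2021-04-15T17:27:41Z 10.0.0.15 52.96.165.18 443
2021-04-15T17:27:49Z 10.0.0.15 192.210.198.12 443
2021-04-15T17:27:50Z 10.0.0.15 192.210.198.12 8443
2021-04-15T17:28:03Z 10.0.0.22 23.106.123.141 443
2021-04-15T17:28:10Z 10.0.0.15 23.106.123.185 443
not a connection record
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d{1,5})\s*$"
)


def parse_conn_line(line):
    """Return (ts, src, dst, dport) or None if the line is not a valid record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ipaddress.ip_address(m["src"])
        ipaddress.ip_address(m["dst"])
    except ValueError:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])


def find_c2_hits(log_text, c2=DANABOT_C2, strict_port=True):
    """Return the records whose destination is a configured C2 endpoint.

    strict_port=True matches (ip, port) exactly as extracted. False matches on the
    IP alone, which also catches the operator moving to another port on the same
    host, at the cost of more false positives on shared infrastructure.
    """
    ips = {ip for ip, _ in c2}
    hits = []
    for line in log_text.splitlines():
        rec = parse_conn_line(line)
        if rec is None:
            continue
        _, _, dst, dport = rec
        if (dst, dport) in c2 or (not strict_port and dst in ips):
            hits.append(rec)
    return hits


def hosts_with_hits(log_text, c2=DANABOT_C2):
    """Internal hosts that contacted a configured C2 endpoint (port-exact match)."""
    return sorted({rec[1] for rec in find_c2_hits(log_text, c2)})


if __name__ == "__main__":
    for rec in find_c2_hits(SAMPLE_CONN_LOG):
        print("C2 hit:", *rec)
    print("hosts to triage:", ", ".join(hosts_with_hits(SAMPLE_CONN_LOG)))
```

On the constructed log the port-exact match yields three hits from two internal hosts; the IP-only mode adds the 8443 connection to 192.210.198.12. Traffic to these endpoints is plain TLS on 443, so proxy or NetFlow data is where the match is made, not URL filtering.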
Signatures

Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  11    4184  RUNDLL32.EXE
  17    4184  RUNDLL32.EXE
  18    4184  RUNDLL32.EXE
  19    4184  RUNDLL32.EXE

Deletes itself (1 IoC)
  pid   process
  3300  rundll32.exe

Loads dropped DLL (4 IoCs)
  pid   process
  3300  rundll32.exe
  3300  rundll32.exe
  4184  RUNDLL32.EXE
  4184  RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and session tokens.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  3300  rundll32.exe
  Token: SeDebugPrivilege  4184  RUNDLL32.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process                               target process
  PID 4804 wrote to memory of 3300  4804  70f39b918aa79601c5b9d17935559538.exe  rundll32.exe
  PID 4804 wrote to memory of 3300  4804  70f39b918aa79601c5b9d17935559538.exe  rundll32.exe
  PID 4804 wrote to memory of 3300  4804  70f39b918aa79601c5b9d17935559538.exe  rundll32.exe
  PID 3300 wrote to memory of 4184  3300  rundll32.exe                          RUNDLL32.EXE
  PID 3300 wrote to memory of 4184  3300  rundll32.exe                          RUNDLL32.EXE
  PID 3300 wrote to memory of 4184  3300  rundll32.exe                          RUNDLL32.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe (PID 4804)
   Command line: "C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 3300)
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\70F39B~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\RUNDLL32.EXE (PID 4184)
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,SxwvZA==
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables above. The dropped DLL is invoked through its 8.3 short name (70F39B~1.DLL); the first rundll32 instance receives the path of the original sample (70F39B~1.EXE) as an argument to the Z export and is the process on which the "Deletes itself" signature is raised, while the second instance, started with a different export (SxwvZA==), is the one that makes the network requests.
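The chain above (sample in the user's Temp directory, rundll32 loading a DLL from that directory via an 8.3 short name, then rundll32 spawning a second rundll32 with another export) is what a detection should key on, not the hashes. The Python below is an added example, not part of the sandbox report: it runs those checks over constructed process-creation records that mirror the Sysmon Event ID 1 fields ProcessId, ParentProcessId, Image and CommandLine. Three records are built from the tree above; the fourth is a constructed benign rundll32 launch, and the parent PID 1234 (explorer.exe) for the root processes is assumed. Note that the command lines name C:\Windows\system32\rundll32.exe while the images sit in SysWOW64, which is the file-system redirection expected for a 32-bit parent.

```python
"""Hunt for the rundll32 chain shown in this report's process tree.

Added example; not part of the sandbox report. The records below mirror Sysmon
Event ID 1 fields and are constructed from the process tree above plus one
benign rundll32 launch; parent PID 1234 (explorer.exe) is assumed.
"""
import re

EVENTS = [
    {"ProcessId": 4804, "ParentProcessId": 1234,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\70f39b918aa79601c5b9d17935559538.exe"'},
    {"ProcessId": 3300, "ParentProcessId": 4804,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\70F39B~1.EXE"},
    {"ProcessId": 4184, "ParentProcessId": 3300,
     "Image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "CommandLine": r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL,SxwvZA=="},
    # Constructed benign control-panel launch that must not be flagged.
    {"ProcessId": 5000, "ParentProcessId": 1234,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

RUNDLL32_RE = re.compile(r"\\rundll32\.exe$", re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)
TEMP_DLL_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s,]+\.dll(?=[\s,]|$)", re.I)
SHORT_NAME_RE = re.compile(r"\\[^\\\s]{1,6}~\d+\.", re.I)  # 8.3 names such as 70F39B~1.DLL


def is_rundll32(ev):
    return RUNDLL32_RE.search(ev["Image"]) is not None


def rundll32_export(cmdline):
    """Export name from 'rundll32 <dll>,<export> [args]'; None if absent."""
    m = re.search(r"\.dll,(\S+)", cmdline, re.I)
    return m.group(1) if m else None


def find_suspicious_rundll32(events):
    """Return (pid, export, reasons) for every rundll32 event with at least one
    indicator: DLL loaded from a user Temp directory, 8.3 short-name path,
    parent is another rundll32, or parent image lives in a user Temp directory."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    findings = []
    for ev in events:
        if not is_rundll32(ev):
            continue
        reasons = []
        if TEMP_DLL_RE.search(ev["CommandLine"]):
            reasons.append("dll_in_user_temp")
        if SHORT_NAME_RE.search(ev["CommandLine"]):
            reasons.append("8.3_short_name")
        parent = by_pid.get(ev["ParentProcessId"])
        if parent is not None:
            if is_rundll32(parent):
                reasons.append("parent_is_rundll32")
            if USER_TEMP_RE.search(parent["Image"]):
                reasons.append("parent_in_user_temp")
        if reasons:
            findings.append((ev["ProcessId"], rundll32_export(ev["CommandLine"]), reasons))
    return findings


def process_chain(events, pid):
    """Ancestry of pid as [root, ..., pid], limited to PIDs present in events."""
    by_pid = {ev["ProcessId"]: ev for ev in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(pid)
        pid = by_pid[pid]["ParentProcessId"]
    return list(reversed(chain))


if __name__ == "__main__":
    for pid, export, reasons in find_suspicious_rundll32(EVENTS):
        print(f"PID {pid}: export={export!r} chain={process_chain(EVENTS, pid)} reasons={reasons}")
```

On these records both rundll32 instances are flagged with three reasons each and the control-panel launch is not; the rebuilt chain for PID 4184 is 4804 > 3300 > 4184, matching the tree. The short-name check is deliberately separate from the Temp-directory check, because legitimate installers also run from Temp but rarely address their own files by 8.3 name.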
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\70F39B~1.DLL
  MD5: 64830f0126d8c55806fb14757c5972ba
  SHA1: a15d9828888e7581b85b493cb30b7336ded9742d
  SHA256: a646713e20c202b2a1894dbb4679a8bd7d35c0ddd38d2eb122cc4ff4ab4c9341
  SHA512: 7879b9f69d188d9a0e24e57bfab23990d96803d2f673526e71c2d84c7edaeccb4de7f67daee76ee65331153061f4fcfdb982874fd46192d2c158377636e57b9e
PID 4804 (70f39b918aa79601c5b9d17935559538.exe)
  memory/4804-114  0x035D0000-0x03CC4000  7.0MB
  memory/4804-115  0x00400000-0x00FCC000  11.8MB
  memory/4804-116  0x02D00000-0x02D01000  4KB

PID 3300 (rundll32.exe)
  memory/3300-117  mapping
  memory/3300-121  0x04610000-0x04BC9000  5.7MB
  memory/3300-122  0x056C0000-0x056C1000  4KB
  memory/3300-128  0x04F11000-0x0556F000  6.4MB
  memory/3300-129  0x00750000-0x00751000  4KB

PID 4184 (RUNDLL32.EXE)
  memory/4184-123  mapping
  memory/4184-126  0x00AD0000-0x01089000  5.7MB
  memory/4184-127  0x011D0000-0x011D1000  4KB
  memory/4184-130  0x04BD1000-0x0522F000  6.4MB

The two rundll32 processes carry regions of identical size: 0x5B9000 bytes (5.7MB) at 0x04610000 in PID 3300 and at 0x00AD0000 in PID 4184, and 0x65E000 bytes (6.4MB) at 0x04F11000 and 0x04BD1000 respectively, consistent with the same dropped DLL being mapped and unpacked in each instance.