Analysis
- max time kernel: 8s
- max time network: 11s
- platform: windows7_x64
- resource: win7v20210408
- submitted: 17-04-2021 02:54
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe
Resource: win7v20210408
General
- Target: SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe
- Size: 5.9MB
- MD5: aa444cd99154f376edbbc9c3effa1f66
- SHA1: 3168456601e3aa7436ae521bb43d9af77171435d
- SHA256: 734f6783c377c10fd6816563b4eaf0a0c1f5fd30d0ceb271d5df53eabf553a49
- SHA512: c259d41ce55bd50aae9b99f8f100c04ced6e484097fa6e664e086e7b39b48ac35388e901eb8d3c1e52e6259f0e08ec4f4a28915b29c7dc00669fa4e4af0dd576
Malware Config
Extracted
danabot
1827
3
192.236.147.83:443
23.106.123.141:443
192.210.198.12:443
23.254.225.170:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
- Deletes itself (1 IoCs)
  Processes: rundll32.exe (PID 1764)
- Loads dropped DLL (4 IoCs)
  Processes: rundll32.exe (PID 1764), 4 events
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: rundll32.exe (PID 1764), Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
  PID 1684 wrote to memory of 1764: SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe -> rundll32.exe (7 events)
  PID 1764 wrote to memory of 1556: rundll32.exe -> RUNDLL32.EXE (7 events)
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.12654.15342.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,QSsWjBwpA4z2
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
  MD5: 1e21e3c8239fe112a29ce4c2d8f613da
  SHA1: 0836ca42f0a835d67808bab98f89692da5fe5849
  SHA256: c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2
  SHA512: a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a
- \Users\Admin\AppData\Local\Temp\SECURI~1.DLL
  MD5: 1e21e3c8239fe112a29ce4c2d8f613da
  SHA1: 0836ca42f0a835d67808bab98f89692da5fe5849
  SHA256: c8e72b618698d12d4373c50e7ae0bc7f7eee992af491c59dfc2c64751f5edde2
  SHA512: a0fc61b212d8cb7fde5afd5807f25f6eb29700286b5825754ec64ac270dad93b29d5083184116a44dbe891f3758ee0d3bff6fbb447da57049e7a8d400f82a81a
- memory/1556-73-0x0000000000000000-mapping.dmp
- memory/1684-63-0x0000000000220000-0x0000000000221000-memory.dmp (Filesize: 4KB)
- memory/1684-62-0x0000000000400000-0x0000000004352000-memory.dmp (Filesize: 63.3MB)
- memory/1684-61-0x0000000006460000-0x0000000006B54000-memory.dmp (Filesize: 7.0MB)
- memory/1684-60-0x0000000075B31000-0x0000000075B33000-memory.dmp (Filesize: 8KB)
- memory/1764-64-0x0000000000000000-mapping.dmp
- memory/1764-71-0x0000000002160000-0x0000000002719000-memory.dmp (Filesize: 5.7MB)
- memory/1764-72-0x0000000003060000-0x0000000003061000-memory.dmp (Filesize: 4KB)
- memory/1764-74-0x00000000029F1000-0x000000000304F000-memory.dmp (Filesize: 6.4MB)