Analysis
max time kernel: 135s
max time network: 74s
platform: windows7_x64
resource: win7v20210408
submitted: 22-04-2021 19:42

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
Resource: win7v20210408

General
Target: SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
Size: 5.9MB
MD5: 9077ee02ee92c4a1f4e874f1f086e220
SHA1: 651fd5e02b12155f79313db85e3669a82a528edb
SHA256: 488d2bdd81feedeb4b82a8e1acf319c4ad8b6d3170dd877d768430c19513d52c
SHA512: c4aabefd8939e004d1c0616b49e5ef7c192e234bce928a86705549c387f5d371b8048c7d7cf6fe8c985e7cc1e963616875bdda3bffec8a6fcd7cb4c3fb5af388
Malware Config
Extracted
Family: danabot
Version: 1827
Botnet: 3
C2:
23.106.123.141:443
23.254.225.170:443
23.106.123.185:443
37.220.31.94:443
Attributes:
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52

Note: the submitted filename carries a vendor detection label (Troj.Androm-TY, an Andromeda name), but the configuration extracted from the running sample identifies the payload as DanaBot. The extracted config, not the filename, should drive classification and IoC handling.
Signatures

Blocklisted process makes network request (4 IoCs)
Processes:
flow 4, pid 280, RUNDLL32.EXE
flow 5, pid 280, RUNDLL32.EXE
flow 6, pid 280, RUNDLL32.EXE
flow 7, pid 280, RUNDLL32.EXE

Deletes itself (1 IoC)
Processes:
pid 1420, rundll32.exe

Loads dropped DLL (8 IoCs)
Processes:
pid 1420, rundll32.exe (4 loads)
pid 280, RUNDLL32.EXE (4 loads)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, such as saved credentials and other profile contents.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (4 IoCs)
Processes:
File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VNYR844D\desktop.ini (RUNDLL32.EXE)
File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\H18KNA1T\desktop.ini (RUNDLL32.EXE)
File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\NU1L7O13\desktop.ini (RUNDLL32.EXE)
File opened for modification: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini (RUNDLL32.EXE)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
Token: SeDebugPrivilege, pid 1420, rundll32.exe
Token: SeDebugPrivilege, pid 280, RUNDLL32.EXE

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
PID 736 (SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe) wrote to memory of PID 1420 (rundll32.exe), 7 times
PID 1420 (rundll32.exe) wrote to memory of PID 280 (RUNDLL32.EXE), 7 times
Caveat: every entry here is a parent writing into a child it has just created, which also happens during ordinary process start-up. On its own this signature does not demonstrate injection; it is the rundll32-from-Temp command lines and the C2 traffic that carry the weight.
Processes

1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe (PID 736)
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (PID 1420, child of 736)
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\RUNDLL32.EXE (PID 280, child of 1420)
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,eVofTJ8=
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Suspicious use of AdjustPrivilegeToken

Notes: the command lines name C:\Windows\system32\rundll32.exe, but the image that actually ran is the 32-bit copy in C:\Windows\SysWOW64, so the chain executes under WoW64 file-system redirection. The first rundll32 stage receives the 8.3 path of the original executable (SECURI~1.EXE) as an argument to export Z, and the "Deletes itself" signature fires on that process, consistent with the DLL removing its dropper. The second stage calls a different export (eVofTJ8=) and is the process that contacts the C2 endpoints.
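The process tree and the signatures above give three independent handles on this sample: the rundll32 command line loading a DLL from the user's Temp directory with an export name, the extracted C2 endpoints, and the hash of the dropped DLL. The following is an added example written for this page, not part of the sandbox output, showing how those handles can be turned into detection logic and correlated per process. The event shapes (process_create, network_connect and image_load dictionaries) are an assumption standing in for Sysmon event IDs 1, 3 and 7, and the records in SAMPLE_EVENTS are constructed to mirror the report, with two benign controls added.

```python
"""Run the IoCs from this DanaBot report against constructed telemetry.

Added example, not part of the sandbox output. The event dict layout is an
assumption (a stand-in for Sysmon process-create / network / image-load
events), and SAMPLE_EVENTS below is constructed, not captured.
"""
import re
from dataclasses import dataclass

# IoCs copied from the report: DanaBot C2 endpoints and the dropped DLL hash.
C2_ENDPOINTS = frozenset({
    "23.106.123.141:443",
    "23.254.225.170:443",
    "23.106.123.185:443",
    "37.220.31.94:443",
})
DROPPED_DLL_SHA256 = "613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b"

# rundll32 invoked with a DLL under <drive>:\Users\<user>\AppData\Local\Temp
# followed by ",<export>", the shape of both stages in the report
# (SECURI~1.DLL,Z and SECURI~1.DLL,eVofTJ8=).
RUNDLL32_TEMP_DLL = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?'
    r'(?P<dll>[a-z]:\\users\\[^"\s,]*?\\appdata\\local\\temp\\[^"\s,]+)'
    r',(?P<export>[^"\s]+)',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    rule: str
    pid: int
    detail: str


def check_process(ev):
    """Flag rundll32 loading a DLL from a user-writable Temp directory."""
    m = RUNDLL32_TEMP_DLL.search(ev["command_line"])
    if m is None:
        return None
    return Finding("rundll32_loads_temp_dll", ev["pid"], f"{m['dll']} export {m['export']}")


def check_network(ev):
    """Flag a connection to one of the extracted C2 endpoints."""
    endpoint = f"{ev['dst_ip']}:{ev['dst_port']}"
    if endpoint not in C2_ENDPOINTS:
        return None
    return Finding("danabot_c2_contact", ev["pid"], endpoint)


def check_image_load(ev):
    """Flag a load of the dropped DLL by SHA-256 (case-insensitive compare)."""
    if ev["sha256"].lower() != DROPPED_DLL_SHA256:
        return None
    return Finding("known_dropped_dll_loaded", ev["pid"], ev["image"])


CHECKS = {
    "process_create": check_process,
    "network_connect": check_network,
    "image_load": check_image_load,
}


def scan(events):
    """Apply the matching check to each event, keeping event order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        if check is not None:
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


def high_confidence_pids(findings, min_rules=2):
    """PIDs that tripped at least min_rules distinct rules. A lone C2 IP or
    file hash ages quickly; two independent rules on one process do not."""
    rules_by_pid = {}
    for f in findings:
        rules_by_pid.setdefault(f.pid, set()).add(f.rule)
    return sorted(pid for pid, rules in rules_by_pid.items() if len(rules) >= min_rules)


# Constructed records mirroring the report's process tree, plus two benign
# controls: rundll32 with a system DLL, and an unrelated HTTP connection.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1420,
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE"},
    {"type": "process_create", "pid": 280,
     "command_line": r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,eVofTJ8="},
    {"type": "process_create", "pid": 3000,
     "command_line": r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
    {"type": "network_connect", "pid": 280, "dst_ip": "23.106.123.141", "dst_port": 443},
    {"type": "network_connect", "pid": 3001, "dst_ip": "203.0.113.7", "dst_port": 80},
    {"type": "image_load", "pid": 1420,
     "image": r"C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL",
     "sha256": "613B93EA5A9C267DCBB30D187625D5CF399FAC4B9D35582BF0AD2F9A35CCE60B"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"[{finding.rule}] pid={finding.pid} {finding.detail}")
    print("high-confidence pids:", high_confidence_pids(scan(SAMPLE_EVENTS)))
```

Of the three rules, the rundll32-from-Temp pattern is the one that keeps working after the operators rotate infrastructure and repack the DLL; the IP:port list and the hash are exact-match indicators and should be treated as short-lived. The correlation step is what makes a single noisy rule usable: on the constructed input both rundll32 PIDs trip two distinct rules, while the two control events trip none.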
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5: 7f83141b7f64313e569bcf085dd2ce74
SHA1: 3368eb31aa88fd59730bdc73b4f38ba28c37ad5a
SHA256: 613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b
SHA512: 8bb4a980d117273f134430ffe2a75d5a1b5a5887c80f4f573b1fc06ac280f2bc5736e89e942c9695fe512579628ad055faef8ddfa542948b1bb8ee0f4c379dba
-
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
Same file as above, listed a further eight times in the report with identical MD5, SHA1, SHA256 and SHA512 values; only one dropped file is involved.
-
memory/280-78-0x0000000002000000-0x00000000025BA000-memory.dmp, Filesize 5.7MB
-
memory/280-72-0x0000000000000000-mapping.dmp
-
memory/280-81-0x00000000026A0000-0x00000000026A1000-memory.dmp, Filesize 4KB
-
memory/280-82-0x0000000002BB1000-0x000000000320F000-memory.dmp, Filesize 6.4MB
-
memory/736-59-0x0000000075891000-0x0000000075893000-memory.dmp, Filesize 8KB
-
memory/736-62-0x00000000001B0000-0x00000000001B1000-memory.dmp, Filesize 4KB
-
memory/736-60-0x0000000005020000-0x0000000005715000-memory.dmp, Filesize 7.0MB
-
memory/736-61-0x0000000000400000-0x0000000003159000-memory.dmp, Filesize 45.3MB
-
memory/1420-63-0x0000000000000000-mapping.dmp
-
memory/1420-70-0x0000000001EB0000-0x000000000246A000-memory.dmp, Filesize 5.7MB
-
memory/1420-71-0x0000000002F90000-0x0000000002F91000-memory.dmp, Filesize 4KB
-
memory/1420-79-0x0000000002921000-0x0000000002F7F000-memory.dmp, Filesize 6.4MB
-
memory/1420-80-0x0000000000180000-0x0000000000181000-memory.dmp, Filesize 4KB

Note: the 5.7MB and 6.4MB regions appear at identical sizes in both rundll32 processes (PIDs 1420 and 280), which is where to start when carving the unpacked DanaBot module from these dumps.