Analysis
- max time kernel: 135s
- max time network: 138s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 22-04-2021 20:02

Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
Resource: win7v20210408
General
- Target: SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
- Size: 5.9MB
- MD5: 9077ee02ee92c4a1f4e874f1f086e220
- SHA1: 651fd5e02b12155f79313db85e3669a82a528edb
- SHA256: 488d2bdd81feedeb4b82a8e1acf319c4ad8b6d3170dd877d768430c19513d52c
- SHA512: c4aabefd8939e004d1c0616b49e5ef7c192e234bce928a86705549c387f5d371b8048c7d7cf6fe8c985e7cc1e963616875bdda3bffec8a6fcd7cb4c3fb5af388
Malware Config
Extracted
- Family: danabot
- 1827
- 3
- C2:
  - 23.106.123.141:443
  - 23.254.225.170:443
  - 23.106.123.185:443
  - 37.220.31.94:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
description | pid | process | target process
PID 1176 created 3872 | 1176 | WerFault.exe | SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
Note: WerFault.exe is started by Windows Error Reporting with the faulting process (here PID 3872, see the -p 3872 argument in the process tree) as its nominal parent, so this hit is a side effect of the crash rather than deliberate parent-PID spoofing by the sample.
Blocklisted process makes network request 4 IoCs
Processes:
flow | pid | process
14 | 3332 | RUNDLL32.EXE
18 | 3332 | RUNDLL32.EXE
19 | 3332 | RUNDLL32.EXE
20 | 3332 | RUNDLL32.EXE
-
Loads dropped DLL 4 IoCs
Processes:
pid | process
336 | rundll32.exe
336 | rundll32.exe
3332 | RUNDLL32.EXE
3332 | RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash 1 IoCs
Processes:
pid | pid_target | process | target process
1176 | 3872 | WerFault.exe | SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe
-
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
pid | process
1176 | WerFault.exe (15 entries, all PID 1176)
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeRestorePrivilege | 1176 | WerFault.exe
Token: SeBackupPrivilege | 1176 | WerFault.exe
Token: SeDebugPrivilege | 336 | rundll32.exe
Token: SeDebugPrivilege | 1176 | WerFault.exe
Token: SeDebugPrivilege | 3332 | RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
description | pid | process | target process
PID 3872 wrote to memory of 336 | 3872 | SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe | rundll32.exe
PID 3872 wrote to memory of 336 | 3872 | SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe | rundll32.exe
PID 3872 wrote to memory of 336 | 3872 | SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe | rundll32.exe
PID 336 wrote to memory of 3332 | 336 | rundll32.exe | RUNDLL32.EXE
PID 336 wrote to memory of 3332 | 336 | rundll32.exe | RUNDLL32.EXE
PID 336 wrote to memory of 3332 | 336 | rundll32.exe | RUNDLL32.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe (PID 3872, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 336, depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE (PID 3332, depth 3)
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,iEBIfI02
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (PID 1176, depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3872 -s 564
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
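The execution chain above (dropped DLL loaded by rundll32.exe from the user's Temp directory under an 8.3 short name, a second rundll32.exe spawned from the first with a different export, and that child talking to the extracted C2 addresses) is what a detection engineer would want to hunt for across an estate. The following is an added example, not part of the sandbox report: it runs that hunt over Sysmon-style process-creation and network-connection events. The events are constructed to mirror the report's process tree and C2 list (the parent PID 2000 for explorer.exe, the benign control rundll32 invocation with PID 4100, and the destination 198.51.100.10 are made up for the example); the C2 set is the one extracted on this page.

```python
"""Hunt for rundll32 loading a dropped DLL from a user-writable directory and
for connections to the DanaBot C2 list extracted in this report.
Added example for this page; events below are constructed, not sandbox output."""
import re
from dataclasses import dataclass

# C2 list extracted by the sandbox (values from the report).
DANABOT_C2 = {
    "23.106.123.141:443", "23.254.225.170:443",
    "23.106.123.185:443", "37.220.31.94:443",
}

# Directories an unprivileged user can write to; rundll32 has no business loading DLLs from them.
USER_WRITABLE = re.compile(
    r"(?i)\\users\\[^\\]+\\appdata\\local\\temp\\|\\programdata\\|\\windows\\temp\\")
RUNDLL32 = re.compile(r"(?i)\\rundll32\.exe$")
# rundll32 <dll>[,<export>] [args]; the DLL may be quoted or an 8.3 short name (SECURI~1.DLL).
RUNDLL32_ARGS = re.compile(
    r'^(?:"[^"]+"|\S+)\s+(?:"(?P<qdll>[^"]+)"|(?P<dll>[^\s,]+))(?:,(?P<export>\S+))?', re.I)


@dataclass
class ProcEvent:          # subset of Sysmon Event ID 1 fields
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


@dataclass
class NetEvent:           # subset of Sysmon Event ID 3 fields
    pid: int
    image: str
    dst_ip: str
    dst_port: int


def parse_rundll32(cmdline):
    """Return (dll_path, export_or_None) from a rundll32 command line, or None if unparsable."""
    m = RUNDLL32_ARGS.match(cmdline.strip())
    if not m:
        return None
    return (m.group("qdll") or m.group("dll")), m.group("export")


def hunt_rundll32(events):
    """Flag rundll32 invocations whose DLL, parent, or grandparent chain points at user-writable paths.
    Returns a list of (pid, dll, export, reasons)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        if not RUNDLL32.search(e.image):
            continue
        parsed = parse_rundll32(e.cmdline)
        if not parsed:
            continue
        dll, export = parsed
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("dll_in_user_writable_dir")
        if "~" in dll.rsplit("\\", 1)[-1]:          # 8.3 short name hides the real file name
            reasons.append("8dot3_short_name")
        if USER_WRITABLE.search(e.parent_image):
            reasons.append("parent_in_user_writable_dir")
        parent = by_pid.get(e.ppid)
        if parent and RUNDLL32.search(parent.image):
            pp = parse_rundll32(parent.cmdline)
            if pp and USER_WRITABLE.search(pp[0]):   # rundll32 -> rundll32 chain off a dropped DLL
                reasons.append("spawned_by_rundll32_loading_dropped_dll")
        if reasons:
            findings.append((e.pid, dll, export, reasons))
    return findings


def match_c2(net_events, c2):
    """Return (pid, image, dst) for every connection to a known C2 endpoint."""
    return [(n.pid, n.image, f"{n.dst_ip}:{n.dst_port}")
            for n in net_events if f"{n.dst_ip}:{n.dst_port}" in c2]


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe"
# Constructed events modelled on the report's process tree (PIDs 3872/336/3332 are from the report,
# PID 2000 for explorer.exe and the PID 4100 benign control are made up).
CONSTRUCTED_PROCS = [
    ProcEvent(3872, 2000, SAMPLE, r"C:\Windows\explorer.exe", f'"{SAMPLE}"'),
    ProcEvent(336, 3872, r"C:\Windows\SysWOW64\rundll32.exe", SAMPLE,
              r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z "
              r"C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE"),
    ProcEvent(3332, 336, r"C:\Windows\SysWOW64\RUNDLL32.EXE", r"C:\Windows\SysWOW64\rundll32.exe",
              r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,iEBIfI02"),
    ProcEvent(4100, 2000, r"C:\Windows\System32\rundll32.exe", r"C:\Windows\explorer.exe",
              r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
]
CONSTRUCTED_NET = [
    NetEvent(3332, r"C:\Windows\SysWOW64\RUNDLL32.EXE", "23.106.123.141", 443),
    NetEvent(3332, r"C:\Windows\SysWOW64\RUNDLL32.EXE", "37.220.31.94", 443),
    NetEvent(4100, r"C:\Windows\System32\rundll32.exe", "198.51.100.10", 443),  # constructed benign
]

if __name__ == "__main__":
    for f in hunt_rundll32(CONSTRUCTED_PROCS):
        print("rundll32 finding:", f)
    for hit in match_c2(CONSTRUCTED_NET, DANABOT_C2):
        print("C2 contact:", hit)
```

The benign control (shell32.dll loaded from System32 by a child of explorer.exe) produces no finding, while both sandbox rundll32 instances are flagged: the first because its DLL and its parent both live in the user's Temp directory, the second additionally because its parent is a rundll32 that itself loaded the dropped DLL. Matching on ip:port pairs rather than bare IPs keeps the C2 check tight, since the extracted config names port 443 for every address.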
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5: 7f83141b7f64313e569bcf085dd2ce74
SHA1: 3368eb31aa88fd59730bdc73b4f38ba28c37ad5a
SHA256: 613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b
SHA512: 8bb4a980d117273f134430ffe2a75d5a1b5a5887c80f4f573b1fc06ac280f2bc5736e89e942c9695fe512579628ad055faef8ddfa542948b1bb8ee0f4c379dba
-
\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5: 7f83141b7f64313e569bcf085dd2ce74
SHA1: 3368eb31aa88fd59730bdc73b4f38ba28c37ad5a
SHA256: 613b93ea5a9c267dcbb30d187625d5cf399fac4b9d35582bf0ad2f9a35cce60b
SHA512: 8bb4a980d117273f134430ffe2a75d5a1b5a5887c80f4f573b1fc06ac280f2bc5736e89e942c9695fe512579628ad055faef8ddfa542948b1bb8ee0f4c379dba
-
Memory dumps (PID-index-range)
PID 336 (rundll32.exe):
- memory/336-117-0x0000000000000000-mapping.dmp
- memory/336-121-0x0000000004320000-0x00000000048DA000-memory.dmp, Filesize 5.7MB
- memory/336-122-0x00000000053D0000-0x00000000053D1000-memory.dmp, Filesize 4KB
- memory/336-123-0x0000000004C21000-0x000000000527F000-memory.dmp, Filesize 6.4MB
- memory/336-125-0x0000000000550000-0x0000000000551000-memory.dmp, Filesize 4KB
PID 3332 (RUNDLL32.EXE):
- memory/3332-124-0x0000000000000000-mapping.dmp
- memory/3332-128-0x0000000004530000-0x0000000004AEA000-memory.dmp, Filesize 5.7MB
- memory/3332-129-0x0000000004DC0000-0x0000000004DC1000-memory.dmp, Filesize 4KB
- memory/3332-130-0x00000000051A1000-0x00000000057FF000-memory.dmp, Filesize 6.4MB
PID 3872 (SecuriteInfo.com.Troj.Androm-TY.30287.16181.exe):
- memory/3872-114-0x0000000005590000-0x0000000005C85000-memory.dmp, Filesize 7.0MB
- memory/3872-115-0x0000000000400000-0x0000000003159000-memory.dmp, Filesize 45.3MB
- memory/3872-116-0x00000000032A0000-0x00000000033EA000-memory.dmp, Filesize 1.3MB