Analysis
- max time kernel: 127s
- max time network: 110s
- platform: windows10_x64
- resource: win10v20210410
- submitted: 29-04-2021 18:06

Static task: static1

Behavioral task: behavioral1
- Sample: c279a62ec30da201ec66c5ff8f4014d2.exe
- Resource: win7v20210408
General
- Target: c279a62ec30da201ec66c5ff8f4014d2.exe
- Size: 5.9MB
- MD5: c279a62ec30da201ec66c5ff8f4014d2
- SHA1: 683ddb5789c777fc26fce49e9d2f976f099441e5
- SHA256: 16b4aafdfea48f7e044ad1420b2d14c936fac2881a3fecca360a9692faac2425
- SHA512: 80535d41ad8df48820a90dd238513b47b3942ec3a9d34d1fe1f047ac6615f507c70f348751a378dac6688e9a20c2487db2ce163632bef601ab455f5314f0f938
Malware Config
Extracted: danabot
- 1827
- 3
- 192.236.147.83:443
- 184.95.51.175:443
- 23.106.123.141:443
- 23.254.225.170:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow / pid / process):
    12  2896  RUNDLL32.EXE
    16  2896  RUNDLL32.EXE
    19  2896  RUNDLL32.EXE
    21  2896  RUNDLL32.EXE
- Deletes itself (1 IoC)
  Processes (pid / process):
    2772  rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes (pid / process):
    2772  rundll32.exe
    2896  RUNDLL32.EXE
    2896  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  2772  rundll32.exe
    Token: SeDebugPrivilege  2896  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description / pid / process / target process):
    PID 3892 wrote to memory of 2772  3892  c279a62ec30da201ec66c5ff8f4014d2.exe  rundll32.exe
    PID 3892 wrote to memory of 2772  3892  c279a62ec30da201ec66c5ff8f4014d2.exe  rundll32.exe
    PID 3892 wrote to memory of 2772  3892  c279a62ec30da201ec66c5ff8f4014d2.exe  rundll32.exe
    PID 2772 wrote to memory of 2896  2772  rundll32.exe  RUNDLL32.EXE
    PID 2772 wrote to memory of 2896  2772  rundll32.exe  RUNDLL32.EXE
    PID 2772 wrote to memory of 2896  2772  rundll32.exe  RUNDLL32.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\c279a62ec30da201ec66c5ff8f4014d2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c279a62ec30da201ec66c5ff8f4014d2.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C279A6~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\C279A6~1.EXE
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C279A6~1.DLL,T0sEfI2j
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\C279A6~1.DLL
  MD5: e7342946db0ec254e551e6cd101f260e
  SHA1: eb32d97542bb83814a3be7c096b4561a9979930d
  SHA256: 2185beeb2ab481ba131147ff0ba67cea883fe3512cf41f652b3e7616fe3b19c5
  SHA512: 985616138ce65a9ba0408efd88d760c45f6958c344f4bf82a9ad36b3f89ae267e388e75ad8b2b51918ac42907c5ea7a1552f84e59e79260b653150a47a3745ba
- \Users\Admin\AppData\Local\Temp\C279A6~1.DLL
  MD5: e7342946db0ec254e551e6cd101f260e
  SHA1: eb32d97542bb83814a3be7c096b4561a9979930d
  SHA256: 2185beeb2ab481ba131147ff0ba67cea883fe3512cf41f652b3e7616fe3b19c5
  SHA512: 985616138ce65a9ba0408efd88d760c45f6958c344f4bf82a9ad36b3f89ae267e388e75ad8b2b51918ac42907c5ea7a1552f84e59e79260b653150a47a3745ba
- memory/2772-127-0x0000000002F90000-0x0000000002F91000-memory.dmp (Filesize: 4KB)
- memory/2772-126-0x0000000005231000-0x000000000588F000-memory.dmp (Filesize: 6.4MB)
- memory/2772-114-0x0000000000000000-mapping.dmp
- memory/2896-125-0x0000000003F90000-0x0000000004549000-memory.dmp (Filesize: 5.7MB)
- memory/2896-122-0x0000000000000000-mapping.dmp
- memory/2896-128-0x0000000004690000-0x0000000004691000-memory.dmp (Filesize: 4KB)
- memory/2896-129-0x0000000004A81000-0x00000000050DF000-memory.dmp (Filesize: 6.4MB)
- memory/3892-119-0x0000000000B00000-0x0000000000BAE000-memory.dmp (Filesize: 696KB)
- memory/3892-118-0x0000000000400000-0x0000000000B00000-memory.dmp (Filesize: 7.0MB)
- memory/3892-115-0x0000000002EA0000-0x0000000003595000-memory.dmp (Filesize: 7.0MB)