Analysis
max time kernel: 129s
max time network: 135s
platform: windows10_x64
resource: win10v20210410
submitted: 03-05-2021 15:01
Static task: static1
Behavioral task: behavioral1
Sample: SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe
Resource: win7v20210410
General
Target: SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe
Size: 6.0MB
MD5: 7b1ad0c4bb7e5bc33b2da7ebffe86e6f
SHA1: 276b2ae7a851a06e7e026022bdee6d4113495551
SHA256: 345a564dd605f8d904c4f1ff4d3bf5686a9d88b9fe4b586aba4b23f45cffe297
SHA512: ec7aa5d9f50bbe33421f59de774b00bc9cd8899be34a1c8fc7ee09935e255ff4c50904bd019d67a57734e5852eafc19e2815e9a6be53ce97f796bc65fd7276cd
Malware Config
Extracted
danabot
1827
3
C2:
  23.106.123.185:443
  192.210.198.12:443
  192.236.147.83:443
  37.220.31.94:443
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
  13, 1196, RUNDLL32.EXE
  18, 1196, RUNDLL32.EXE
  19, 1196, RUNDLL32.EXE
  20, 1196, RUNDLL32.EXE
Deletes itself (1 IoC)
Processes (pid, process):
  504, rundll32.exe
Loads dropped DLL (3 IoCs)
Processes (pid, process):
  504, rundll32.exe
  1196, RUNDLL32.EXE
  1196, RUNDLL32.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege, 504, rundll32.exe
  Token: SeDebugPrivilege, 1196, RUNDLL32.EXE
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
  PID 2992 wrote to memory of 504, 2992, SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe, rundll32.exe
  PID 2992 wrote to memory of 504, 2992, SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe, rundll32.exe
  PID 2992 wrote to memory of 504, 2992, SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe, rundll32.exe
  PID 504 wrote to memory of 1196, 504, rundll32.exe, RUNDLL32.EXE
  PID 504 wrote to memory of 1196, 504, rundll32.exe, RUNDLL32.EXE
  PID 504 wrote to memory of 1196, 504, rundll32.exe, RUNDLL32.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.W32.AIDetect.malware1.32629.3499.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\SECURI~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL,TBg0LDaBBQ==
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5: ce2816dd27b6f679acfbfbad58c5ac6e
SHA1: 2a1b1d7fa0b4f61ff178b197766943bb338bbe8c
SHA256: 90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27
SHA512: 1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e

\Users\Admin\AppData\Local\Temp\SECURI~1.DLL
MD5: ce2816dd27b6f679acfbfbad58c5ac6e
SHA1: 2a1b1d7fa0b4f61ff178b197766943bb338bbe8c
SHA256: 90f0e6c8e7905975130412bf839e824f72f90d708fcc431f53e5ad9f35666f27
SHA512: 1f96be6c8259c5baec52cd568f4ab549af0b057f750126cafc5e04c4d1b2b66cfec7a65e2dd541f9f4d59dba9e09197d1f589a563c0f5816cc40dc5fa45ce44e
memory/504-126-0x0000000004FD1000-0x000000000562F000-memory.dmp (Filesize: 6.4MB)
memory/504-117-0x0000000000000000-mapping.dmp
memory/504-127-0x0000000000F40000-0x000000000108A000-memory.dmp (Filesize: 1.3MB)
memory/1196-122-0x0000000000000000-mapping.dmp
memory/1196-125-0x00000000044B0000-0x0000000004A6A000-memory.dmp (Filesize: 5.7MB)
memory/1196-128-0x0000000004C80000-0x0000000004C81000-memory.dmp (Filesize: 4KB)
memory/1196-129-0x0000000005081000-0x00000000056DF000-memory.dmp (Filesize: 6.4MB)
memory/2992-116-0x0000000000F50000-0x0000000000F51000-memory.dmp (Filesize: 4KB)
memory/2992-114-0x00000000030E0000-0x00000000037D5000-memory.dmp (Filesize: 7.0MB)
memory/2992-115-0x0000000000400000-0x0000000000DF2000-memory.dmp (Filesize: 9.9MB)