Analysis
- max time kernel: 135s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 06-05-2021 15:03
- Static task: static1
- Behavioral task: behavioral1
- Sample: cvhost.exe
- Resource: win7v20210408
General
- Target: cvhost.exe
- Size: 6.1MB
- MD5: 51209196cdca1e7988eac671f69a58a4
- SHA1: eabe5ca552932cd3d94e95eaacc3449722cadae6
- SHA256: 8884c731201c65b7db739e95839374b509ac0cd4a2b18b7075864f56d13c9bd7
- SHA512: 3203aa4427fdc1fc56d6cb69537fb92dc1100871f069a034b07a085227690a217d8ff780b236461f9f006dcd507505e9249ef00c6da8915aa4bc1cf0406f03c8
Malware Config
Extracted
- Family: danabot
- 1827
- 3
- C2:
  - 184.95.51.180:443
  - 192.236.147.83:443
  - 184.95.51.175:443
  - 184.95.51.183:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures
- Blocklisted process makes network request (2 IoCs)
  Processes (flow | pid | process):
  10 | 2648 | RUNDLL32.EXE
  22 | 2648 | RUNDLL32.EXE
- Deletes itself (1 IoCs)
  Processes (pid | process):
  3756 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  3756 | rundll32.exe
  2648 | RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description | ioc | process):
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes (pid | process):
  2052 | powershell.exe
  2052 | powershell.exe
  2052 | powershell.exe
  2648 | RUNDLL32.EXE
  2648 | RUNDLL32.EXE
  2164 | powershell.exe
  2164 | powershell.exe
  2164 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: SeDebugPrivilege | 3756 | rundll32.exe
  Token: SeDebugPrivilege | 2648 | RUNDLL32.EXE
  Token: SeDebugPrivilege | 2052 | powershell.exe
  Token: SeDebugPrivilege | 2164 | powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes (pid | process):
  2648 | RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes (description | pid | process | target process):
  PID 472 wrote to memory of 3756 | 472 | cvhost.exe | rundll32.exe
  PID 472 wrote to memory of 3756 | 472 | cvhost.exe | rundll32.exe
  PID 472 wrote to memory of 3756 | 472 | cvhost.exe | rundll32.exe
  PID 3756 wrote to memory of 2648 | 3756 | rundll32.exe | RUNDLL32.EXE
  PID 3756 wrote to memory of 2648 | 3756 | rundll32.exe | RUNDLL32.EXE
  PID 3756 wrote to memory of 2648 | 3756 | rundll32.exe | RUNDLL32.EXE
  PID 2648 wrote to memory of 2052 | 2648 | RUNDLL32.EXE | powershell.exe
  PID 2648 wrote to memory of 2052 | 2648 | RUNDLL32.EXE | powershell.exe
  PID 2648 wrote to memory of 2052 | 2648 | RUNDLL32.EXE | powershell.exe
  PID 2648 wrote to memory of 2164 | 2648 | RUNDLL32.EXE | powershell.exe
  PID 2648 wrote to memory of 2164 | 2648 | RUNDLL32.EXE | powershell.exe
  PID 2648 wrote to memory of 2164 | 2648 | RUNDLL32.EXE | powershell.exe
  PID 2164 wrote to memory of 3592 | 2164 | powershell.exe | nslookup.exe
  PID 2164 wrote to memory of 3592 | 2164 | powershell.exe | nslookup.exe
  PID 2164 wrote to memory of 3592 | 2164 | powershell.exe | nslookup.exe
  PID 2648 wrote to memory of 3152 | 2648 | RUNDLL32.EXE | schtasks.exe
  PID 2648 wrote to memory of 3152 | 2648 | RUNDLL32.EXE | schtasks.exe
  PID 2648 wrote to memory of 3152 | 2648 | RUNDLL32.EXE | schtasks.exe
  PID 2648 wrote to memory of 2268 | 2648 | RUNDLL32.EXE | schtasks.exe
  PID 2648 wrote to memory of 2268 | 2648 | RUNDLL32.EXE | schtasks.exe
  PID 2648 wrote to memory of 2268 | 2648 | RUNDLL32.EXE | schtasks.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\cvhost.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cvhost.exe"
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\cvhost.exe
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL,JAMh
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1F5.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp3C8F.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - [depth 5] C:\Windows\SysWOW64\nslookup.exe
          Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
      - [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      - [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 47eebe401625bbc55e75dbfb72e9e89a
  SHA1: db3b2135942d2532c59b9788253638eb77e5995e
  SHA256: f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
  SHA512: 590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 1f8b4e9f5297a3568078d0fc8a5ae8fa
  SHA1: 22a27f1eed397982db0cc12669657edd7c07dfd8
  SHA256: 119a24bb27340c08c416ca98b7e069fb0d4ee345efe6c8ca67c0f919edf21834
  SHA512: 9fa5de22f5642e3f71251f5c3f4f7a5b8a2fd500e0bd99670345cee95ea7ca70a4e7b5e452047cff499c6fe6665610896d90f2cae74898a7f1348aea210a8ede
- C:\Users\Admin\AppData\Local\Temp\CVHOST~1.DLL
  MD5: dd48fbaee3fa2b53707df0a329f63213
  SHA1: ff95cb081070d8f67faf399cec209f62c2d1c1eb
  SHA256: 92204e0e3f9296e8e8d07fb7d8155d22a633812360bbfa4bd7221147820c6b24
  SHA512: 5a437a522688ee190d4e531881227b5b42a790193b9698d1432e17270d86d1ed67648b5159e132edc0edcd3a3a49f0644eba3e570aaa6323b355739577e64973
- C:\Users\Admin\AppData\Local\Temp\tmp1F5.tmp.ps1
  MD5: 3bb6319b257b49ec7d46157e7a995a9b
  SHA1: 9dec2ff5eaa257ba6f3e598a6bc97b870f572e4f
  SHA256: 627f9b72696cd43a18f073c6ae71dd612e6ad199e0ca45483f3a79d2b9e7200f
  SHA512: ce48d6041f2a68cc8aa0dd1dac3184de007fc126edb9d033c498b713352a28e4c03525873c588e9dd0caaf55c15337f9851ed2b2b43ff7d293b2b9353ac7404d
- C:\Users\Admin\AppData\Local\Temp\tmp1F6.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- C:\Users\Admin\AppData\Local\Temp\tmp3C8F.tmp.ps1
  MD5: ae6a11f8101b614c178c15b9a4a23ff2
  SHA1: 021aeb95fc772e8462a597e7fde45ffec6ecc459
  SHA256: 2bebc35de99c55f21d84b6e52e3628bb54609a9bb963fef5c3381be9805fad6c
  SHA512: d5fa6486ce5aa803be54ee9132f5571ab09ddebddb29877c4673783c64a02062904c7359b2ce8b936053d030d43d525a8cf13243c52677af48536639d3e5a7f2
- C:\Users\Admin\AppData\Local\Temp\tmp3C9F.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
- \Users\Admin\AppData\Local\Temp\CVHOST~1.DLL
  MD5: dd48fbaee3fa2b53707df0a329f63213
  SHA1: ff95cb081070d8f67faf399cec209f62c2d1c1eb
  SHA256: 92204e0e3f9296e8e8d07fb7d8155d22a633812360bbfa4bd7221147820c6b24
  SHA512: 5a437a522688ee190d4e531881227b5b42a790193b9698d1432e17270d86d1ed67648b5159e132edc0edcd3a3a49f0644eba3e570aaa6323b355739577e64973
- memory/472-115-0x0000000000400000-0x0000000000B12000-memory.dmp (Filesize: 7.1MB)
- memory/472-116-0x0000000002860000-0x0000000002861000-memory.dmp (Filesize: 4KB)
- memory/472-114-0x0000000002EA0000-0x00000000035A6000-memory.dmp (Filesize: 7.0MB)
- memory/2052-129-0x0000000000000000-mapping.dmp
- memory/2052-151-0x0000000007F70000-0x0000000007F71000-memory.dmp (Filesize: 4KB)
- memory/2052-134-0x00000000042F0000-0x00000000042F1000-memory.dmp (Filesize: 4KB)
- memory/2052-135-0x00000000042F2000-0x00000000042F3000-memory.dmp (Filesize: 4KB)
- memory/2052-136-0x00000000075B0000-0x00000000075B1000-memory.dmp (Filesize: 4KB)
- memory/2052-137-0x0000000006DA0000-0x0000000006DA1000-memory.dmp (Filesize: 4KB)
- memory/2052-138-0x0000000007690000-0x0000000007691000-memory.dmp (Filesize: 4KB)
- memory/2052-139-0x0000000007700000-0x0000000007701000-memory.dmp (Filesize: 4KB)
- memory/2052-140-0x00000000069B0000-0x00000000069B1000-memory.dmp (Filesize: 4KB)
- memory/2052-141-0x0000000008010000-0x0000000008011000-memory.dmp (Filesize: 4KB)
- memory/2052-142-0x0000000007DF0000-0x0000000007DF1000-memory.dmp (Filesize: 4KB)
- memory/2052-132-0x0000000004300000-0x0000000004301000-memory.dmp (Filesize: 4KB)
- memory/2052-144-0x0000000007BA0000-0x0000000007BA1000-memory.dmp (Filesize: 4KB)
- memory/2052-149-0x00000000095D0000-0x00000000095D1000-memory.dmp (Filesize: 4KB)
- memory/2052-150-0x0000000008BF0000-0x0000000008BF1000-memory.dmp (Filesize: 4KB)
- memory/2052-133-0x0000000006E80000-0x0000000006E81000-memory.dmp (Filesize: 4KB)
- memory/2052-154-0x00000000042F3000-0x00000000042F4000-memory.dmp (Filesize: 4KB)
- memory/2164-167-0x00000000069F0000-0x00000000069F1000-memory.dmp (Filesize: 4KB)
- memory/2164-182-0x00000000069F3000-0x00000000069F4000-memory.dmp (Filesize: 4KB)
- memory/2164-164-0x00000000078F0000-0x00000000078F1000-memory.dmp (Filesize: 4KB)
- memory/2164-155-0x0000000000000000-mapping.dmp
- memory/2164-169-0x00000000069F2000-0x00000000069F3000-memory.dmp (Filesize: 4KB)
- memory/2164-170-0x0000000007D30000-0x0000000007D31000-memory.dmp (Filesize: 4KB)
- memory/2268-184-0x0000000000000000-mapping.dmp
- memory/2648-127-0x0000000005161000-0x00000000057C0000-memory.dmp (Filesize: 6.4MB)
- memory/2648-166-0x0000000002F10000-0x0000000002F11000-memory.dmp (Filesize: 4KB)
- memory/2648-122-0x0000000000000000-mapping.dmp
- memory/3152-183-0x0000000000000000-mapping.dmp
- memory/3592-179-0x0000000000000000-mapping.dmp
- memory/3756-117-0x0000000000000000-mapping.dmp
- memory/3756-128-0x0000000002EA0000-0x0000000002FEA000-memory.dmp (Filesize: 1.3MB)
- memory/3756-124-0x0000000004FF1000-0x0000000005650000-memory.dmp (Filesize: 6.4MB)