Analysis

max time kernel: 150s
max time network: 150s
platform: windows10_x64
resource: win10v20210410
submitted: 15/05/2021, 14:36

Static task: static1
Behavioral task: behavioral1
  Sample: 1.exe
  Resource: win7v20210410
General

Target: 1.exe
Size: 1.9MB
MD5: bd76ec72ff890207a686de77d3c09d02
SHA1: 0595c3c2ec5ee2325b7d30723a25367f9efb88fa
SHA256: fa9417dffed167125c55c295823bdd37d79f3463ef20b452b4f29a6e2189403c
SHA512: a4883a59c37547d8d8dd3f0b397c43403bdba440ebdd8db99d47d417a8598f91f2d53526dba4ab221ffbd5267d2c60e5c35eb23e01312e340141effc513b16aa
Malware Config

Extracted
  Family: danabot
  1827
  3
  C2 (all on TCP/443):
    184.95.51.183:443
    184.95.51.175:443
    192.210.198.12:443
    184.95.51.180:443
  embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
Signatures

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  40    3508  RUNDLL32.EXE

Downloads MZ/PE file

Executes dropped EXE (9 IoCs)
  pid   Process
  1896  Implorando.exe.com
  2788  Implorando.exe.com
  2784  OjllgVU.exe
  3268  vpn.exe
  1816  4.exe
  1316  Volgendosi.exe.com
  3216  Volgendosi.exe.com
  3148  SmartClock.exe
  348   mtrcbdimqb.exe

Drops startup file (1 IoC)
  description   ioc                                                                                           Process
  File created  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk  4.exe

Loads dropped DLL (5 IoCs)
  pid   Process
  2784  OjllgVU.exe
  1912  rundll32.exe
  1912  rundll32.exe
  3508  RUNDLL32.EXE
  3508  RUNDLL32.EXE
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow  ioc
  26    ip-api.com

Drops file in Program Files directory (3 IoCs)
  description   ioc                                                 Process
  File created  C:\Program Files (x86)\foler\olader\acppage.dll     OjllgVU.exe
  File created  C:\Program Files (x86)\foler\olader\adprovider.dll  OjllgVU.exe
  File created  C:\Program Files (x86)\foler\olader\acledit.dll     OjllgVU.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature calls it likely ransomware behaviour; nothing else in this report (no file encryption, no ransom note) supports that, and the extracted config identifies the payload as DanaBot, a banking trojan and stealer, so read the drive enumeration as reconnaissance rather than as evidence of ransomware.
Checks processor information in registry (2 TTPs, 4 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description        ioc                                                                                 Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Volgendosi.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Volgendosi.exe.com
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                      Implorando.exe.com
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  Implorando.exe.com

Delays execution with timeout.exe (1 IoC)
  pid  Process
  644  timeout.exe

Modifies registry class (1 IoC)
  description  ioc                                                                          Process
  Key created  \REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings  Volgendosi.exe.com

Runs ping.exe (1 TTP, 2 IoCs)
  pid   Process
  1720  PING.EXE
  1216  PING.EXE

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid   Process
  3148  SmartClock.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   Process
  Token: SeDebugPrivilege  1912  rundll32.exe
  Token: SeDebugPrivilege  3508  RUNDLL32.EXE

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2788  Implorando.exe.com
  2788  Implorando.exe.com
Suspicious use of WriteProcessMemory (64 IoCs)
  Every parent-to-child write is recorded three times in the raw list, which is capped at 64 rows, so the last write (348 -> 1912) appears only once. The 22 distinct writes are listed once each, in report order, which is the spawn order used by the process tree in the Processes section.
  description                          pid   Process             procid_target
  PID 2184 wrote to memory of 812      2184  1.exe               74
  PID 812 wrote to memory of 1140      812   cmd.exe             76
  PID 1140 wrote to memory of 1388     1140  cmd.exe             78
  PID 1140 wrote to memory of 1896     1140  cmd.exe             79
  PID 1140 wrote to memory of 1720     1140  cmd.exe             80
  PID 1896 wrote to memory of 2788     1896  Implorando.exe.com  82
  PID 2788 wrote to memory of 1288     2788  Implorando.exe.com  86
  PID 1288 wrote to memory of 2784     1288  cmd.exe             88
  PID 2784 wrote to memory of 3268     2784  OjllgVU.exe         89
  PID 2784 wrote to memory of 1816     2784  OjllgVU.exe         90
  PID 3268 wrote to memory of 2760     3268  vpn.exe             91
  PID 2760 wrote to memory of 3772     2760  cmd.exe             93
  PID 3772 wrote to memory of 2124     3772  cmd.exe             94
  PID 3772 wrote to memory of 1316     3772  cmd.exe             95
  PID 1316 wrote to memory of 3216     1316  Volgendosi.exe.com  96
  PID 2788 wrote to memory of 3840     2788  Implorando.exe.com  97
  PID 3772 wrote to memory of 1216     3772  cmd.exe             99
  PID 3840 wrote to memory of 644      3840  cmd.exe             100
  PID 1816 wrote to memory of 3148     1816  4.exe               101
  PID 3216 wrote to memory of 348      3216  Volgendosi.exe.com  103
  PID 3216 wrote to memory of 4088     3216  Volgendosi.exe.com  104
  PID 348 wrote to memory of 1912      348   mtrcbdimqb.exe      105
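The WriteProcessMemory rows are the raw material for the process tree that sandboxes draw, and a reader who only has the flat signature list can rebuild it. The script below is an added example (my own code, not the sandbox vendor's or part of this report): RECORDS is constructed from the rows above (the 22 distinct writes, with the first repeated three times as every write is in the raw report, to exercise the de-duplication), and the depth numbering it produces matches the numbers the report attaches to each process.

```python
"""Rebuild the parent/child chain from a sandbox's WriteProcessMemory records.

Added example, not part of the report. RECORDS is constructed from the rows in
the report's 'Suspicious use of WriteProcessMemory' signature.
"""
import re
from collections import defaultdict

RECORDS = """
PID 2184 wrote to memory of 812 2184 1.exe 74
PID 2184 wrote to memory of 812 2184 1.exe 74
PID 2184 wrote to memory of 812 2184 1.exe 74
PID 812 wrote to memory of 1140 812 cmd.exe 76
PID 1140 wrote to memory of 1388 1140 cmd.exe 78
PID 1140 wrote to memory of 1896 1140 cmd.exe 79
PID 1140 wrote to memory of 1720 1140 cmd.exe 80
PID 1896 wrote to memory of 2788 1896 Implorando.exe.com 82
PID 2788 wrote to memory of 1288 2788 Implorando.exe.com 86
PID 1288 wrote to memory of 2784 1288 cmd.exe 88
PID 2784 wrote to memory of 3268 2784 OjllgVU.exe 89
PID 2784 wrote to memory of 1816 2784 OjllgVU.exe 90
PID 3268 wrote to memory of 2760 3268 vpn.exe 91
PID 2760 wrote to memory of 3772 2760 cmd.exe 93
PID 3772 wrote to memory of 2124 3772 cmd.exe 94
PID 3772 wrote to memory of 1316 3772 cmd.exe 95
PID 1316 wrote to memory of 3216 1316 Volgendosi.exe.com 96
PID 2788 wrote to memory of 3840 2788 Implorando.exe.com 97
PID 3772 wrote to memory of 1216 3772 cmd.exe 99
PID 3840 wrote to memory of 644 3840 cmd.exe 100
PID 1816 wrote to memory of 3148 1816 4.exe 101
PID 3216 wrote to memory of 348 3216 Volgendosi.exe.com 103
PID 3216 wrote to memory of 4088 3216 Volgendosi.exe.com 104
PID 348 wrote to memory of 1912 348 mtrcbdimqb.exe 105
"""

# Row layout in the report: "PID <src> wrote to memory of <dst> <src> <image> <target>".
WPM_RE = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target>\d+)"
)


def parse_writes(text):
    """Ordered, de-duplicated list of (src_pid, dst_pid, src_image)."""
    writes, seen = [], set()
    for line in text.splitlines():
        m = WPM_RE.search(line)
        if not m:
            continue
        key = (int(m["src"]), int(m["dst"]), m["image"])
        if key not in seen:
            seen.add(key)
            writes.append(key)
    return writes


def build_tree(writes):
    """Return (roots, children, names). children keeps spawn order; names only
    covers PIDs that wrote to a child, since a leaf never appears as a writer."""
    children, names = defaultdict(list), {}
    for src, dst, image in writes:
        children[src].append(dst)
        names[src] = image
    spawned = {dst for _, dst, _ in writes}
    roots = list(dict.fromkeys(src for src, _, _ in writes if src not in spawned))
    return roots, dict(children), names


def depth_of(pid, roots, children):
    """1-based depth of pid (root = 1), the numbering the report uses; None if absent."""
    def walk(cur, d):
        if cur == pid:
            return d
        for child in children.get(cur, []):
            found = walk(child, d + 1)
            if found is not None:
                return found
        return None
    for root in roots:
        found = walk(root, 1)
        if found is not None:
            return found
    return None


def render(roots, children, names):
    """Indented text tree, one line per process."""
    lines = []
    def walk(pid, d):
        label = names.get(pid, "<leaf: image not in WPM log>")
        lines.append(f"{'  ' * (d - 1)}{d}: {label} (PID {pid})")
        for child in children.get(pid, []):
            walk(child, d + 1)
    for root in roots:
        walk(root, 1)
    return lines


if __name__ == "__main__":
    print("\n".join(render(*build_tree(parse_writes(RECORDS)))))
```

Leaf processes (findstr, ping, timeout, WScript, the second rundll32) never write to a child, so their image names are not recoverable from this signature alone and have to be joined from the "Executes dropped EXE" and process-list sections.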
Processes

Indented by depth (the number that followed each entry in the raw report); PIDs as reported.

1. C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 2184)
   cmdline: "C:\Users\Admin\AppData\Local\Temp\1.exe"
   - Suspicious use of WriteProcessMemory
  2. C:\Windows\SysWOW64\cmd.exe  (PID 812)
     cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Gurge.pps
     - Suspicious use of WriteProcessMemory
    3. C:\Windows\SysWOW64\cmd.exe  (PID 1140)
       cmdline: C:\Windows\system32\cmd
       - Suspicious use of WriteProcessMemory
      4. C:\Windows\SysWOW64\findstr.exe  (PID 1388)
         cmdline: findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdqVnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps
      4. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com  (PID 1896)
         cmdline: Implorando.exe.com H
         - Executes dropped EXE
         - Suspicious use of WriteProcessMemory
        5. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com  (PID 2788)
           cmdline: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com H
           - Executes dropped EXE
           - Checks processor information in registry
           - Suspicious use of FindShellTrayWindow
           - Suspicious use of WriteProcessMemory
          6. C:\Windows\SysWOW64\cmd.exe  (PID 1288)
             cmdline: "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\OjllgVU.exe"
             - Suspicious use of WriteProcessMemory
            7. C:\Users\Admin\AppData\Local\Temp\OjllgVU.exe  (PID 2784)
               cmdline: "C:\Users\Admin\AppData\Local\Temp\OjllgVU.exe"
               - Executes dropped EXE
               - Loads dropped DLL
               - Drops file in Program Files directory
               - Suspicious use of WriteProcessMemory
              8. C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe  (PID 3268)
                 cmdline: "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
                 - Executes dropped EXE
                 - Suspicious use of WriteProcessMemory
                9. C:\Windows\SysWOW64\cmd.exe  (PID 2760)
                   cmdline: "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fra.potx
                   - Suspicious use of WriteProcessMemory
                  10. C:\Windows\SysWOW64\cmd.exe  (PID 3772)
                      cmdline: C:\Windows\system32\cmd
                      - Suspicious use of WriteProcessMemory
                    11. C:\Windows\SysWOW64\findstr.exe  (PID 2124)
                        cmdline: findstr /V /R "^xYCLcQIeccmBAtQnxVUeRSreWyTMvLWXTwOpHrhwlUygNwRbGwNkoTUBVAOfXVFJmCHnfGQsISSXNOgVgvuxYKOqujgigXtggvPkzaiZlvDfwXOukTwBPlLPNHsraIeLOEJd$" Ritroverai.potx
                    11. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Volgendosi.exe.com  (PID 1316)
                        cmdline: Volgendosi.exe.com n
                        - Executes dropped EXE
                        - Suspicious use of WriteProcessMemory
                      12. C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Volgendosi.exe.com  (PID 3216)
                          cmdline: C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Volgendosi.exe.com n
                          - Executes dropped EXE
                          - Checks processor information in registry
                          - Modifies registry class
                          - Suspicious use of WriteProcessMemory
                        13. C:\Users\Admin\AppData\Local\Temp\mtrcbdimqb.exe  (PID 348)
                            cmdline: "C:\Users\Admin\AppData\Local\Temp\mtrcbdimqb.exe"
                            - Executes dropped EXE
                            - Suspicious use of WriteProcessMemory
                          14. C:\Windows\SysWOW64\rundll32.exe  (PID 1912)
                              cmdline: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.EXE
                              - Loads dropped DLL
                              - Suspicious use of AdjustPrivilegeToken
                            15. C:\Windows\SysWOW64\RUNDLL32.EXE  (PID 3508)
                                cmdline: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.DLL,cD0zLDZNBVz5
                                - Blocklisted process makes network request
                                - Loads dropped DLL
                                - Suspicious use of AdjustPrivilegeToken
                        13. C:\Windows\SysWOW64\WScript.exe  (PID 4088)
                            cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jbvilpdswrgr.vbs"
                    11. C:\Windows\SysWOW64\PING.EXE  (PID 1216)
                        cmdline: ping 127.0.0.1 -n 30
                        - Runs ping.exe
              8. C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe  (PID 1816)
                 cmdline: "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
                 - Executes dropped EXE
                 - Drops startup file
                 - Suspicious use of WriteProcessMemory
                9. C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe  (PID 3148)
                   cmdline: "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                   - Executes dropped EXE
                   - Suspicious behavior: AddClipboardFormatListener
          6. C:\Windows\SysWOW64\cmd.exe  (PID 3840)
             cmdline: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MwlpxyVRMm & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com"
             - Suspicious use of WriteProcessMemory
            7. C:\Windows\SysWOW64\timeout.exe  (PID 644)
               cmdline: timeout 3
               - Delays execution with timeout.exe
      4. C:\Windows\SysWOW64\PING.EXE  (PID 1720)
         cmdline: ping 127.0.0.1 -n 30
         - Runs ping.exe
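The command lines in this tree carry the dropper's tradecraft in plain text: cmd.exe reading its script from a file with an Office extension via stdin redirection (`cmd < Gurge.pps`, `cmd < Fra.potx`), findstr /V /R with a long `^...$` marker (which prints every line of the input file except the marker, the usual way these droppers carve a payload out of a junk-wrapped file; the report shows the invocation but not where its output is redirected, so that reading is an interpretation), double-extension images such as Implorando.exe.com, `ping 127.0.0.1 -n 30` as a sleep, a `timeout 3 & del` self-clean, rundll32 loading a DLL from %TEMP% by export name, and WScript running a .vbs from %TEMP%. The script below is an added example, my own code and not the sandbox's signature engine: EVENTS is constructed from the command lines above plus two constructed benign controls, and each heuristic is a single function over one event so it can be tested, tuned or dropped on its own.

```python
"""Process-creation heuristics for the dropper tradecraft in the report above.

Added example, not part of the report. EVENTS is constructed from the report's
command lines; PIDs 500 and 501 are constructed benign controls.
"""
import re

EVENTS = [
    (812, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Gurge.pps'),
    (1388, r"C:\Windows\SysWOW64\findstr.exe",
     'findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdqVnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps'),
    (1896, r"C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com",
     "Implorando.exe.com H"),
    (1720, r"C:\Windows\SysWOW64\PING.EXE", "ping 127.0.0.1 -n 30"),
    (3840, r"C:\Windows\SysWOW64\cmd.exe",
     r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MwlpxyVRMm & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com"'),
    (3508, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.DLL,cD0zLDZNBVz5"),
    (4088, r"C:\Windows\SysWOW64\WScript.exe",
     r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jbvilpdswrgr.vbs"'),
    # Constructed benign controls: a batch build step and a short connectivity check.
    (500, r"C:\Windows\System32\cmd.exe", r'"C:\Windows\System32\cmd.exe" /c build.bat'),
    (501, r"C:\Windows\System32\PING.EXE", "ping 10.0.0.1 -n 2"),
]


def cmd_stdin_from_odd_file(image, cmdline):
    """cmd.exe fed its script through '<' from a file that is not a batch/text file."""
    if not image.lower().endswith("cmd.exe"):
        return False
    m = re.search(r'<\s*"?([^\s"&|]+)', cmdline)
    return bool(m) and not m.group(1).lower().endswith((".bat", ".cmd", ".txt"))


def findstr_strips_marker(image, cmdline):
    """findstr /V /R "^<long token>$" <file>: emits every line except the marker."""
    return image.lower().endswith("findstr.exe") and re.search(
        r'/V\b.*"\^[A-Za-z0-9]{16,}\$"', cmdline, re.I) is not None


def double_extension_image(image, cmdline):
    """Image name such as foo.exe.com, where the last extension hides the first."""
    name = image.rsplit("\\", 1)[-1].lower()
    return re.search(r"\.(exe|scr|pif)\.(com|exe|scr)$", name) is not None


def ping_as_sleep(image, cmdline):
    """ping against loopback with a large -n count: a sleep, not a connectivity test."""
    m = re.search(r"ping\s+(127\.0\.0\.1|localhost)\s+-n\s+(\d+)", cmdline, re.I)
    return bool(m) and int(m.group(2)) >= 10


def self_delete_chain(image, cmdline):
    """cmd /c ... timeout N & del ...: the dropper cleaning up its own files."""
    return image.lower().endswith("cmd.exe") and re.search(
        r"timeout\s+\d+\s*&\s*del\b", cmdline, re.I) is not None


def rundll32_temp_export(image, cmdline):
    """rundll32 loading a DLL from %TEMP% with an explicit export name."""
    return image.lower().endswith("rundll32.exe") and re.search(
        r"\\appdata\\local\\temp\\[^\s,]+\.dll,\S+", cmdline, re.I) is not None


def wscript_from_temp(image, cmdline):
    """wscript.exe running a script dropped under %TEMP%."""
    return image.lower().endswith("wscript.exe") and re.search(
        r'\\appdata\\local\\temp\\[^\s"]+\.(vbs|js|wsf)\b', cmdline, re.I) is not None


RULES = [cmd_stdin_from_odd_file, findstr_strips_marker, double_extension_image,
         ping_as_sleep, self_delete_chain, rundll32_temp_export, wscript_from_temp]


def evaluate(events):
    """Return {pid: [rule names]} for every event that trips at least one rule."""
    hits = {}
    for pid, image, cmdline in events:
        fired = [rule.__name__ for rule in RULES if rule(image, cmdline)]
        if fired:
            hits[pid] = fired
    return hits


if __name__ == "__main__":
    for pid, fired in evaluate(EVENTS).items():
        print(pid, ", ".join(fired))
```

None of these rules is a conviction on its own (ping-as-sleep and wscript-from-temp in particular show up in admin scripting); the value is that several of them fire within one process ancestry a few seconds apart, which is what the tree above shows. Correlating hits by parent chain, as the earlier tree-building example does, is the natural next step.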