Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15/05/2021, 14:36

General

  • Target

    1.exe

  • Size

    1.9MB

  • MD5

    bd76ec72ff890207a686de77d3c09d02

  • SHA1

    0595c3c2ec5ee2325b7d30723a25367f9efb88fa

  • SHA256

    fa9417dffed167125c55c295823bdd37d79f3463ef20b452b4f29a6e2189403c

  • SHA512

    a4883a59c37547d8d8dd3f0b397c43403bdba440ebdd8db99d47d417a8598f91f2d53526dba4ab221ffbd5267d2c60e5c35eb23e01312e340141effc513b16aa

Malware Config

Extracted

Family

danabot

Version

1827

Botnet

3

C2

184.95.51.183:443

184.95.51.175:443

192.210.198.12:443

184.95.51.180:443

Attributes
  • embedded_hash

    AEF96B4D339B580ABB737F203C2D0F52

rsa_pubkey.plain
rsa_pubkey.plain

Signatures

  • CryptBot

    A C++ stealer distributed widely in bundle with other software.

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 1 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 9 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies registry class 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1.exe
    "C:\Users\Admin\AppData\Local\Temp\1.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Gurge.pps
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:812
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1140
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^VXCrSREhCmhELCYmOnwTGxvthdbPGaAqdekXEfbitrZxhmGTJzdyvciAAnPCzPGpYhgJdqVnwTOCceQNJDyjecEVVLbuAUNgvPcZkXDInRtCGEtnHwSQJxiDIaOEDPYuuAyFH$" Volli.pps
          4⤵
            PID:1388
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com
            Implorando.exe.com H
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:1896
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com H
              5⤵
              • Executes dropped EXE
              • Checks processor information in registry
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of WriteProcessMemory
              PID:2788
              • C:\Windows\SysWOW64\cmd.exe
                "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\OjllgVU.exe"
                6⤵
                • Suspicious use of WriteProcessMemory
                PID:1288
                • C:\Users\Admin\AppData\Local\Temp\OjllgVU.exe
                  "C:\Users\Admin\AppData\Local\Temp\OjllgVU.exe"
                  7⤵
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Drops file in Program Files directory
                  • Suspicious use of WriteProcessMemory
                  PID:2784
                  • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe
                    "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn.exe"
                    8⤵
                    • Executes dropped EXE
                    • Suspicious use of WriteProcessMemory
                    PID:3268
                    • C:\Windows\SysWOW64\cmd.exe
                      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Fra.potx
                      9⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2760
                      • C:\Windows\SysWOW64\cmd.exe
                        C:\Windows\system32\cmd
                        10⤵
                        • Suspicious use of WriteProcessMemory
                        PID:3772
                        • C:\Windows\SysWOW64\findstr.exe
                          findstr /V /R "^xYCLcQIeccmBAtQnxVUeRSreWyTMvLWXTwOpHrhwlUygNwRbGwNkoTUBVAOfXVFJmCHnfGQsISSXNOgVgvuxYKOqujgigXtggvPkzaiZlvDfwXOukTwBPlLPNHsraIeLOEJd$" Ritroverai.potx
                          11⤵
                            PID:2124
                          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Volgendosi.exe.com
                            Volgendosi.exe.com n
                            11⤵
                            • Executes dropped EXE
                            • Suspicious use of WriteProcessMemory
                            PID:1316
                            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Volgendosi.exe.com
                              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.001\Volgendosi.exe.com n
                              12⤵
                              • Executes dropped EXE
                              • Checks processor information in registry
                              • Modifies registry class
                              • Suspicious use of WriteProcessMemory
                              PID:3216
                              • C:\Users\Admin\AppData\Local\Temp\mtrcbdimqb.exe
                                "C:\Users\Admin\AppData\Local\Temp\mtrcbdimqb.exe"
                                13⤵
                                • Executes dropped EXE
                                • Suspicious use of WriteProcessMemory
                                PID:348
                                • C:\Windows\SysWOW64\rundll32.exe
                                  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.EXE
                                  14⤵
                                  • Loads dropped DLL
                                  • Suspicious use of AdjustPrivilegeToken
                                  PID:1912
                                  • C:\Windows\SysWOW64\RUNDLL32.EXE
                                    C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\MTRCBD~1.DLL,cD0zLDZNBVz5
                                    15⤵
                                    • Blocklisted process makes network request
                                    • Loads dropped DLL
                                    • Suspicious use of AdjustPrivilegeToken
                                    PID:3508
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\jbvilpdswrgr.vbs"
                                13⤵
                                  PID:4088
                            • C:\Windows\SysWOW64\PING.EXE
                              ping 127.0.0.1 -n 30
                              11⤵
                              • Runs ping.exe
                              PID:1216
                      • C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe
                        "C:\Users\Admin\AppData\Local\Temp\New Feature\4.exe"
                        8⤵
                        • Executes dropped EXE
                        • Drops startup file
                        • Suspicious use of WriteProcessMemory
                        PID:1816
                        • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
                          "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
                          9⤵
                          • Executes dropped EXE
                          • Suspicious behavior: AddClipboardFormatListener
                          PID:3148
                  • C:\Windows\SysWOW64\cmd.exe
                    "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\MwlpxyVRMm & timeout 3 & del /f /q "C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Implorando.exe.com"
                    6⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3840
                    • C:\Windows\SysWOW64\timeout.exe
                      timeout 3
                      7⤵
                      • Delays execution with timeout.exe
                      PID:644
              • C:\Windows\SysWOW64\PING.EXE
                ping 127.0.0.1 -n 30
                4⤵
                • Runs ping.exe
                PID:1720

        Network

              MITRE ATT&CK Enterprise v6

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • memory/348-176-0x0000000000400000-0x0000000000B14000-memory.dmp

                Filesize

                7.1MB

              • memory/348-175-0x0000000002E80000-0x0000000003587000-memory.dmp

                Filesize

                7.0MB

              • memory/1816-162-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/1816-161-0x0000000000460000-0x00000000005AA000-memory.dmp

                Filesize

                1.3MB

              • memory/1912-188-0x0000000005881000-0x0000000005EE0000-memory.dmp

                Filesize

                6.4MB

              • memory/1912-198-0x0000000003050000-0x0000000003051000-memory.dmp

                Filesize

                4KB

              • memory/1912-183-0x0000000005160000-0x0000000005161000-memory.dmp

                Filesize

                4KB

              • memory/1912-182-0x0000000004A50000-0x0000000005015000-memory.dmp

                Filesize

                5.8MB

              • memory/2788-128-0x0000000001BB0000-0x0000000001BB1000-memory.dmp

                Filesize

                4KB

              • memory/3148-166-0x0000000002180000-0x00000000021A6000-memory.dmp

                Filesize

                152KB

              • memory/3148-167-0x0000000000400000-0x000000000045B000-memory.dmp

                Filesize

                364KB

              • memory/3508-192-0x0000000004C80000-0x0000000005245000-memory.dmp

                Filesize

                5.8MB

              • memory/3508-193-0x0000000005410000-0x0000000005411000-memory.dmp

                Filesize

                4KB

              • memory/3508-199-0x0000000005851000-0x0000000005EB0000-memory.dmp

                Filesize

                6.4MB