Analysis
- max time kernel: 150s
- max time network: 151s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 19-07-2021 22:12
- Static task: static1
- Behavioral task: behavioral1
  - Sample: c65eb22434cbf550e158d45cf9a64470.exe
  - Resource: win7v20210410
General
- Target: c65eb22434cbf550e158d45cf9a64470.exe
- Size: 1.0MB
- MD5: c65eb22434cbf550e158d45cf9a64470
- SHA1: 65bc53c6b4866cdc82a55a24c107359ed424cc55
- SHA256: c76a9b5f3a1d4456cf2fe90c115f808e4a53f04a5520eabd945af7d41c44b986
- SHA512: 395b7404dde5a9b7ca42c5cda84ad92184ea23f471747f8b86ed91b7b832b2797d473e58156504ede1ae1327795c3f5967edbf505d14545639a89003afb36bf7
Malware Config
Extracted
- Family: danabot
- Other extracted values (unlabeled in the report): 1987, 4
- C2: 142.11.244.124:443
- C2: 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Signatures
- Blocklisted process makes network request (2 IoCs)
  - flow 15, PID 3688 rundll32.exe
  - flow 16, PID 4092 RUNDLL32.EXE
- Loads dropped DLL (2 IoCs)
  - PID 3688 rundll32.exe
  - PID 4092 RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of SetThreadContext (1 IoC)
  - PID 4092 (RUNDLL32.EXE) set the thread context of PID 580 (rundll32.exe).
  PID 580 is the C:\Windows\system32\rundll32.exe that 4092 launched with the innocuous-looking command line shell32.dll,#61 and also wrote into (see WriteProcessMemory below). The dump addresses recorded for it (0x00007FF6745A5FD0, 0x000001F0A3570000) show it is a native 64-bit process, so a WOW64 process is writing into a freshly created 64-bit child and then redirecting its thread: the usual injection/hollowing sequence. The 1.6MB and 1.7MB private regions dumped from PID 580 (memory/580-141, memory/580-140) are consistent with that injected payload.
- Drops file in Program Files directory (1 IoC)
  - File created: C:\PROGRA~3\Jvgzbfh.tmp by rundll32.exe
  C:\PROGRA~3 is an 8.3 short name. On a standard 64-bit Windows install PROGRA~1 and PROGRA~2 are the two Program Files directories and PROGRA~3 is C:\ProgramData, so despite the signature title the file most likely lands in ProgramData. Its hashes are listed under Downloads below.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic note for this signature reads "Likely ransomware behaviour"; nothing else in this report (a DanaBot configuration, browser-data access, a rogue root certificate) points to ransomware, and the sample should be read as a banking trojan/stealer.
- Checks processor information in registry (2 TTPs, 23 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All accesses by RUNDLL32.EXE; paths below are relative to \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor:
  - Key opened: (root), \0, \1
  - Key enumerated: (root)
  - Key value enumerated: \0, \1
  - Key value queried, \0: ~MHz, VendorIdentifier, Component Information, ProcessorNameString, Update Status, Configuration Data, Previous Update Revision, FeatureSet, Identifier, Platform Specific Field 1, Update Revision
  - Key value queried, \1: ProcessorNameString, Configuration Data, Update Status, Update Revision, Identifier, FeatureSet
- Modifies system certificate store (2 IoCs)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A672D776EE33A054B15B4766321280FAA2D7A7A0 (RUNDLL32.EXE)
  - Set value (data): \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A672D776EE33A054B15B4766321280FAA2D7A7A0\Blob = 030000000100000014000000a672d776ee33a054b15b4766321280faa2d7a7a02000000001000000300200003082022c30820195a00302010202087d43433e141702fa300d06092a864886f70d01010b050030403118301606035504030c0f4453305420526f6f7420434120583331243022060355040a0c1b4469676974616c205369676e617475726520547275737420436f2e301e170d3139303732313030303935325a170d3233303732303030303935325a30403118301606035504030c0f4453305420526f6f7420434120583331243022060355040a0c1b4469676974616c205369676e617475726520547275737420436f2e30819f300d06092a864886f70d010101050003818d0030818902818100c622a4ea51f619a810f6b399b4f793fabeb8dae1d5694204ebb077891714737869001f635c666f96134b87cf7e3c3b7dbbbb84a1aeb058f05f8a6520ab12b820294e619d1c63a222ab58a891247dcdc9197cd2a517ae3f7bdb554d2e2b2c55a7d68e185543558947a0bdf8dc9498cc90ad2f57982fb4a52e0061266d49ea7c210203010001a32f302d300f0603551d130101ff040530030101ff301a0603551d1104133011820f4453305420526f6f74204341205833300d06092a864886f70d01010b0500038181008cc6b492cd4d326a519340b720cb2f2f2d3fbcd1922c4017a375ccc4c33a6f5ec3a1406d37cde9a13dc4cf6211e865123d89e8a9398d5268a693ee356c5edc7652e934db954b757d66a5933c74189779278ccfd8f5c99f8606a08f2af7d0359b88b580eee93e28f53a5a522e0343618df0b5328139cf84fcbc2c23c2dda59111 (RUNDLL32.EXE)
  The key name is the certificate's SHA-1 thumbprint, and the Blob is the serialized property list Windows keeps for a store entry: a CERT_SHA1_HASH_PROP_ID (3) entry carrying the same thumbprint, then a CERT_CERT_PROP_ID (32) entry holding the 560-byte DER certificate. Decoding that DER: a self-signed v3 certificate, serial 7d43433e141702fa, sha256WithRSAEncryption over a 1024-bit RSA key, subject and issuer CN=DS0T Root CA X3, O=Digital Signature Trust Co. (note the digit zero in "DS0T", a look-alike of the genuine DST Root CA X3 name), valid 2019-07-21 00:09:52 to 2023-07-20 00:09:52 UTC, with a critical basicConstraints CA:TRUE extension. Writing it under the machine ROOT store makes anything chained to this attacker-held key trusted system-wide, which is the prerequisite for intercepting HTTPS sessions without certificate warnings. Hunting tip: the legitimate DST Root CA X3 has a different thumbprint, so a ROOT\Certificates key named A672D776EE33A054B15B4766321280FAA2D7A7A0 is a direct indicator.
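The Blob above can be verified offline. The following is an added example (editor's code, not part of the sandbox report and not DanaBot's code) that takes the registry key name and the Blob hex exactly as printed in this report, splits the Blob into its property entries, decodes the embedded DER certificate with a minimal ASN.1 walker, and cross-checks the key name against both the stored SHA-1 property and the SHA-1 computed over the DER. The property ids 3 and 32 are wincrypt.h's CERT_SHA1_HASH_PROP_ID and CERT_CERT_PROP_ID; the 12-byte entry header is assumed to be (property id, flags, length), the serialized layout Windows uses for SystemCertificates Blob values. Everything else in the block is data from this page or the Python standard library.

```python
"""Decode the SystemCertificates\\ROOT\\...\\Blob written by RUNDLL32.EXE (PID 4092).
Added example, not from the sandbox report or the malware; standard library only.
BLOB_HEX is the value printed in the report, split only to keep lines short."""
import hashlib
import struct
from datetime import datetime, timezone

REG_KEY_THUMBPRINT = "A672D776EE33A054B15B4766321280FAA2D7A7A0"   # the registry key name
CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 32                # wincrypt.h property ids
BLOB_HEX = (
    "030000000100000014000000a672d776ee33a054b15b4766321280faa2d7a7a0"
    "2000000001000000300200003082022c30820195a00302010202087d43433e14"
    "1702fa300d06092a864886f70d01010b050030403118301606035504030c0f44"
    "53305420526f6f7420434120583331243022060355040a0c1b4469676974616c"
    "205369676e617475726520547275737420436f2e301e170d3139303732313030"
    "303935325a170d3233303732303030303935325a30403118301606035504030c"
    "0f4453305420526f6f7420434120583331243022060355040a0c1b4469676974"
    "616c205369676e617475726520547275737420436f2e30819f300d06092a8648"
    "86f70d010101050003818d0030818902818100c622a4ea51f619a810f6b399b4"
    "f793fabeb8dae1d5694204ebb077891714737869001f635c666f96134b87cf7e"
    "3c3b7dbbbb84a1aeb058f05f8a6520ab12b820294e619d1c63a222ab58a89124"
    "7dcdc9197cd2a517ae3f7bdb554d2e2b2c55a7d68e185543558947a0bdf8dc94"
    "98cc90ad2f57982fb4a52e0061266d49ea7c210203010001a32f302d300f0603"
    "551d130101ff040530030101ff301a0603551d1104133011820f445330542052"
    "6f6f74204341205833300d06092a864886f70d01010b0500038181008cc6b492"
    "cd4d326a519340b720cb2f2f2d3fbcd1922c4017a375ccc4c33a6f5ec3a1406d"
    "37cde9a13dc4cf6211e865123d89e8a9398d5268a693ee356c5edc7652e934db"
    "954b757d66a5933c74189779278ccfd8f5c99f8606a08f2af7d0359b88b580ee"
    "e93e28f53a5a522e0343618df0b5328139cf84fcbc2c23c2dda59111"
)
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O"}
SIG_ALGS = {b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b": "sha256WithRSAEncryption"}


def parse_cert_blob(blob: bytes) -> dict:
    """{property id: data}; each entry is <propid u32><flags u32><len u32><data> (assumed layout)."""
    props, pos = {}, 0
    while pos < len(blob):
        propid, _flags, length = struct.unpack_from("<III", blob, pos)
        props[propid], pos = blob[pos + 12:pos + 12 + length], pos + 12 + length
    return props


def _tlv(buf: bytes, pos: int = 0):
    """Read one DER tag/length/value at pos; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low bits = length-of-length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(value: bytes) -> list:
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out


def _name(value: bytes) -> str:
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue) as CN=..., O=..."""
    parts = []
    for _, rdn in _children(value):
        for _, atv in _children(rdn):
            (_, oid), (_, val) = _children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode()}")
    return ", ".join(parts)


def decode_certificate(der: bytes) -> dict:
    """Fields a root-store audit cares about, from a DER X.509 v3 certificate."""
    (_, tbs), (_, sig_alg), _ = _children(_tlv(der)[1])
    fields = _children(tbs)
    if fields[0][0] == 0xA0:                       # optional [0] EXPLICIT version
        fields = fields[1:]
    (_, serial), _, (_, issuer), (_, validity), (_, subject), (_, spki) = fields[:6]
    not_before, not_after = (datetime.strptime(v.decode(), "%y%m%d%H%M%SZ")
                             .replace(tzinfo=timezone.utc) for _, v in _children(validity))
    _, (_, bitstr) = _children(spki)               # BIT STRING: pad byte, then RSAPublicKey
    (_, modulus), _ = _children(_tlv(bitstr[1:])[1])
    is_ca = False
    exts = next((v for t, v in fields[6:] if t == 0xA3), b"\x30\x00")   # [3] Extensions
    for _, ext in _children(_tlv(exts)[1]):
        parts = _children(ext)                     # OID, optional critical BOOLEAN, OCTET STRING
        if parts[0][1] == b"\x55\x1d\x13":         # id-ce-basicConstraints
            inner = _children(_tlv(parts[-1][1])[1])
            is_ca = bool(inner) and inner[0] == (0x01, b"\xff")
    return {
        "serial": serial.hex(),
        "signature_algorithm": SIG_ALGS.get(_children(sig_alg)[0][1], "unknown"),
        "issuer": _name(issuer), "subject": _name(subject),
        "self_signed": issuer == subject, "is_ca": is_ca,
        "not_before": not_before, "not_after": not_after,
        "rsa_key_bits": int.from_bytes(modulus, "big").bit_length(),
        "sha1": hashlib.sha1(der).hexdigest().upper(),
    }


def audit_root_store_entry(key_thumbprint: str, blob: bytes) -> dict:
    """Cross-check the key name, the stored hash property and the real SHA-1 of the DER."""
    props = parse_cert_blob(blob)
    info = decode_certificate(props[CERT_CERT_PROP_ID])
    info["stored_sha1"] = props[CERT_SHA1_HASH_PROP_ID].hex().upper()
    info["stored_sha1_matches_key"] = info["stored_sha1"] == key_thumbprint.upper()
    info["computed_sha1_matches_key"] = info["sha1"] == key_thumbprint.upper()
    return info


if __name__ == "__main__":
    for key, value in audit_root_store_entry(REG_KEY_THUMBPRINT, bytes.fromhex(BLOB_HEX)).items():
        print(f"{key:26} {value}")
```

On a live host the same function can be pointed at any key under HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates: a mismatch between the key name, the stored hash and the computed hash, a self-signed CA with a 1024-bit key, or a subject that only resembles a well-known CA name are each reason to pull the certificate and the process that wrote it.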
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  - PID 4092 RUNDLL32.EXE (10 hits), PID 964 powershell.exe (3 hits), PID 3060 powershell.exe (3 hits)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  - Token SeDebugPrivilege: PID 4092 RUNDLL32.EXE
  - Token SeDebugPrivilege: PID 964 powershell.exe
  - Token SeDebugPrivilege: PID 3060 powershell.exe
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 4092 RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (24 IoCs; each source -> target pair below was recorded three times)
  - 4648 c65eb22434cbf550e158d45cf9a64470.exe -> 3688 rundll32.exe
  - 3688 rundll32.exe -> 4092 RUNDLL32.EXE
  - 4092 RUNDLL32.EXE -> 580 rundll32.exe
  - 4092 RUNDLL32.EXE -> 964 powershell.exe
  - 4092 RUNDLL32.EXE -> 3060 powershell.exe
  - 3060 powershell.exe -> 4360 nslookup.exe
  - 4092 RUNDLL32.EXE -> 4448 schtasks.exe
  - 4092 RUNDLL32.EXE -> 4476 schtasks.exe
Processes
(The report's tree lists only image paths and command lines; the PIDs below are taken from the WriteProcessMemory and SetThreadContext IoCs above.)
- PID 4648: C:\Users\Admin\AppData\Local\Temp\c65eb22434cbf550e158d45cf9a64470.exe
  cmdline: "C:\Users\Admin\AppData\Local\Temp\c65eb22434cbf550e158d45cf9a64470.exe"
  - Suspicious use of WriteProcessMemory
  - PID 3688: C:\Windows\SysWOW64\rundll32.exe
    cmdline: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP,S C:\Users\Admin\AppData\Local\Temp\C65EB2~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory
    - PID 4092: C:\Windows\SysWOW64\RUNDLL32.EXE
      cmdline: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP,giBiRzFL
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
      - PID 580: C:\Windows\system32\rundll32.exe
        cmdline: C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894
        (WriteProcessMemory and SetThreadContext target of PID 4092)
      - PID 964: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpA643.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
      - PID 3060: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpCB13.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        - PID 4360: C:\Windows\SysWOW64\nslookup.exe
          cmdline: "C:\Windows\system32\nslookup.exe" -type=any localhost
      - PID 4448: C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      - PID 4476: C:\Windows\SysWOW64\schtasks.exe
        cmdline: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
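The chain above (rundll32 loading a .TMP file as a module, a second rundll32 nested under the first, rundll32 spawning powershell with -ExecutionPolicy bypass on a script in %TEMP%, rundll32 spawning schtasks, powershell spawning nslookup) is the kind of parent/child pattern a detection engineer turns into rules. The following is an added example (editor's code, not from the report and not a vendor rule set): the process-creation events are constructed from the report's PIDs, image paths and command lines in a Sysmon-like (pid, ppid, image, cmdline) shape; the explorer.exe parent (PID 1234) and the benign rundll32 control event (PID 5000) are assumptions, and the rules are a minimal illustration rather than a tuned production set.

```python
"""Process-chain detection over the tree in this report (added example, see lead-in)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


TEMP = r"C:\Users\Admin\AppData\Local\Temp"
PS_IMG = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
PS_CMD = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
# Constructed events: PIDs, images and command lines are copied from the report's process
# tree; the explorer.exe parent (1234) and the benign control event (5000) are assumed.
EVENTS = [
    ProcEvent(1234, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(4648, 1234, rf"{TEMP}\c65eb22434cbf550e158d45cf9a64470.exe",
              rf'"{TEMP}\c65eb22434cbf550e158d45cf9a64470.exe"'),
    ProcEvent(3688, 4648, r"C:\Windows\SysWOW64\rundll32.exe",
              rf"C:\Windows\system32\rundll32.exe {TEMP}\C65EB2~1.TMP,S {TEMP}\C65EB2~1.EXE"),
    ProcEvent(4092, 3688, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
              rf"C:\Windows\system32\RUNDLL32.EXE {TEMP}\C65EB2~1.TMP,giBiRzFL"),
    ProcEvent(580, 4092, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 17894"),
    ProcEvent(964, 4092, PS_IMG, rf'"{PS_CMD}" -Executionpolicy bypass -File "{TEMP}\tmpA643.tmp.ps1"'),
    ProcEvent(3060, 4092, PS_IMG, rf'"{PS_CMD}" -Executionpolicy bypass -File "{TEMP}\tmpCB13.tmp.ps1"'),
    ProcEvent(4360, 3060, r"C:\Windows\SysWOW64\nslookup.exe",
              r'"C:\Windows\system32\nslookup.exe" -type=any localhost'),
    ProcEvent(4448, 4092, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(4476, 4092, r"C:\Windows\SysWOW64\schtasks.exe",
              r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"),
    ProcEvent(5000, 1234, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

LOLBINS = {"rundll32.exe", "powershell.exe", "schtasks.exe", "cmd.exe", "mshta.exe"}
RUNDLL32_MODULE = re.compile(r'rundll32\.exe"?\s+"?([^\s",]+)', re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rundll32_module(cmdline: str):
    """Module rundll32 was asked to load: first argument, up to the ',export' separator."""
    m = RUNDLL32_MODULE.search(cmdline)
    return m.group(1) if m else None


def rule_rundll32_non_dll(ev, parent):
    mod = rundll32_module(ev.cmdline) if _base(ev.image) == "rundll32.exe" else None
    if mod and not mod.lower().endswith(".dll"):
        return f"rundll32 loads a non-.dll module: {mod}"


def rule_child_of_rundll32(ev, parent):
    if parent and _base(parent.image) == "rundll32.exe" and _base(ev.image) in LOLBINS:
        return f"{_base(ev.image)} spawned by rundll32 (pid {parent.pid})"


def rule_ps_bypass_temp_script(ev, parent):
    cl = ev.cmdline.lower()
    if (_base(ev.image) == "powershell.exe" and "-executionpolicy bypass" in cl
            and re.search(r'\\temp\\[^"]+\.ps1', cl)):
        return "powershell -ExecutionPolicy bypass on a script under %TEMP%"


def rule_ps_spawns_nslookup(ev, parent):
    if parent and _base(parent.image) == "powershell.exe" and _base(ev.image) == "nslookup.exe":
        return "nslookup spawned by powershell"


RULES = (rule_rundll32_non_dll, rule_child_of_rundll32,
         rule_ps_bypass_temp_script, rule_ps_spawns_nslookup)


def run_rules(events):
    """Return {pid: [reasons]} for every event that trips at least one rule."""
    by_pid = {e.pid: e for e in events}
    hits = {}
    for ev in events:
        reasons = [r for rule in RULES if (r := rule(ev, by_pid.get(ev.ppid)))]
        if reasons:
            hits[ev.pid] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in run_rules(EVENTS).items():
        print(pid, "|", "; ".join(reasons))
```

Run against the constructed events, every process from PID 3688 downward is flagged, including the quiet PID 580 (caught only because its parent is rundll32), while the sample's own process and the benign rundll32 control pass. The rules key on the parent image rather than on the child's command line wherever possible, because the child command lines here (shell32.dll,#61, a CacheTask restart, an nslookup of localhost) are deliberately unremarkable on their own.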
Downloads
- C:\PROGRA~3\Jvgzbfh.tmp
  MD5: 8303b2caddfa02d1e3bd7796fc8f36e0
  SHA1: b1b02156710b146139620b5fb8bf90ab8a3de615
  SHA256: b1228441b57de321998f4697c8d62dd7ad676e032b52a7539171f10dafe7765d
  SHA512: 09f16b9281154f91c68b3609fe4468786be41005b3ce3af6997f11b7610a73ef61b8168ff093a375cae439f5231f1708bc33b05a9d566bdf5c74a590681773df
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 47eebe401625bbc55e75dbfb72e9e89a
  SHA1: db3b2135942d2532c59b9788253638eb77e5995e
  SHA256: f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
  SHA512: 590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: b077c370fe7a707180a8c64ab8959d28
  SHA1: abcfc0049b29710d55d867491e5c66fc24c4d248
  SHA256: 3f3d234a9de1e981212695a94d0ef7ae26ba47e30939e0885f4104f458a67f81
  SHA512: 690430e2e64a262dec70cc6477c46a2e24b267a0a8425c2b70cf4d568103e75e7c9370b9ffb6e7cf4b3b1bf8682364683d0035ff9977017c7b7134ee07849231
- C:\Users\Admin\AppData\Local\Temp\C65EB2~1.TMP (the module loaded by both rundll32 stages; also recorded as \Users\Admin\AppData\Local\Temp\C65EB2~1.TMP with identical hashes)
  MD5: 7421975d09f0de9fc505ba95c37e5794
  SHA1: 052e5981f44c5451d896f6383df93bcdf5235fe5
  SHA256: 643138b1767f6d5bb05ca771238afc2b2e6d70594d5c5d4b027d20c8c1b733bd
  SHA512: 7fb6e065e98a0f4c2f919e675ef2daa8932b575329965a6c1034340c7d1c219ea9500d032006346617975399e3b6f2fbf90054f9f135dccf6d1de170d753b2ec
- C:\Users\Admin\AppData\Local\Temp\tmpA643.tmp.ps1
  MD5: 2235ee713c761fe6a7943e197361e28e
  SHA1: 203543d7df09418f6428c6a698cf840c6884a8b8
  SHA256: d625a6d059e61f0ef120a3a8dd6db76743316c41533b6859c6b57e5df54d6dbd
  SHA512: 60ef7f8d7173c0d9358aaaded8a27ebfb544683ac067171b0172c8a68b59589cf2f2673aabeacacdbd474f4573cadf3d7b0290b1b9853396d2efddf186bc4cce
- C:\Users\Admin\AppData\Local\Temp\tmpA654.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- C:\Users\Admin\AppData\Local\Temp\tmpCB13.tmp.ps1
  MD5: 8b1d1f53a7cffb5b31d15ddfe3a20799
  SHA1: 5f0c0c4ababd75dd4a9852785e0adf75256a7fae
  SHA256: 5fc1695fb0cf40d0f1caca23772d1462239683d2ac7c0c742f74cf45c6a7f397
  SHA512: 44e8a9f9ba1281c220823dbcc00bf63da4ab2a8ed3c6d3f3056fc4678fef0f09192fa6ecfc763fef7577f4f3d30591c5785691cce49f84c99a8cc51b7e7cf1b3
- C:\Users\Admin\AppData\Local\Temp\tmpCB14.tmp
  MD5: 3154d454e465e6ac556a3da9d73e139f
  SHA1: 56633038f8372c0a639ad75f378edd0864e5d228
  SHA256: e4a0eb823868d3c8288f3709c9ed230f90d3b4160e30b77d3a4faeb7902782be
  SHA512: 36179359ff1f72e8b856e6947d23e86817fe5c107500c713dfa92158ef75ec342e3f67416107990a2164309e4300e53ff630d1148230454d592a2a015085b262
Memory dumps (dump name: region, size)
- memory/580-136: 0x00007FF6745A5FD0 (mapping)
- memory/580-141: 0x00000000001A0000-0x0000000000340000, 1.6MB
- memory/580-140: 0x000001F0A3570000-0x000001F0A3721000, 1.7MB
- memory/964-142: 0x0000000000000000 (mapping)
- memory/964-152: 0x0000000008060000-0x0000000008061000, 4KB
- memory/964-145: 0x00000000070B0000-0x00000000070B1000, 4KB
- memory/964-146: 0x00000000077B0000-0x00000000077B1000, 4KB
- memory/964-147: 0x0000000007170000-0x0000000007171000, 4KB
- memory/964-148: 0x0000000007172000-0x0000000007173000, 4KB
- memory/964-149: 0x0000000007DE0000-0x0000000007DE1000, 4KB
- memory/964-150: 0x0000000007E80000-0x0000000007E81000, 4KB
- memory/964-151: 0x0000000007FF0000-0x0000000007FF1000, 4KB
- memory/964-164: 0x0000000009650000-0x0000000009651000, 4KB
- memory/964-153: 0x0000000008430000-0x0000000008431000, 4KB
- memory/964-154: 0x0000000008590000-0x0000000008591000, 4KB
- memory/964-155: 0x00000000088B0000-0x00000000088B1000, 4KB
- memory/964-167: 0x0000000007173000-0x0000000007174000, 4KB
- memory/964-157: 0x0000000007390000-0x0000000007391000, 4KB
- memory/964-162: 0x000000000A020000-0x000000000A021000, 4KB
- memory/964-163: 0x00000000095A0000-0x00000000095A1000, 4KB
- memory/3060-168: 0x0000000000000000 (mapping)
- memory/3060-180: 0x0000000008B70000-0x0000000008B71000, 4KB
- memory/3060-195: 0x0000000007273000-0x0000000007274000, 4KB
- memory/3060-182: 0x0000000007272000-0x0000000007273000, 4KB
- memory/3060-181: 0x0000000007270000-0x0000000007271000, 4KB
- memory/3060-177: 0x00000000081A0000-0x00000000081A1000, 4KB
- memory/3688-128: 0x00000000051E0000-0x0000000006476000, 18.6MB
- memory/3688-115: 0x0000000000000000 (mapping)
- memory/4092-125: 0x0000000000000000 (mapping)
- memory/4092-139: 0x0000000006380000-0x0000000006381000, 4KB
- memory/4092-135: 0x0000000004E90000-0x0000000006126000, 18.6MB
- memory/4360-191: 0x0000000000000000 (mapping)
- memory/4448-194: 0x0000000000000000 (mapping)
- memory/4476-196: 0x0000000000000000 (mapping)
- memory/4648-114: 0x0000000000DB0000-0x0000000000EAF000, 1020KB
- memory/4648-118: 0x0000000000400000-0x0000000000972000, 5.4MB