Analysis
max time kernel: 142s
max time network: 122s
platform: windows10_x64
resource: win10v20210410
submitted: 25-07-2021 09:03

Static task: static1
Behavioral task: behavioral1
Sample: 1df80dc87cbf0939f1d693c02c538c78.exe
Resource: win7v20210408

General
Target: 1df80dc87cbf0939f1d693c02c538c78.exe
Size: 1.2MB
MD5: 1df80dc87cbf0939f1d693c02c538c78
SHA1: 1bb689f77d4548f07cd39b41d91996bf60185eac
SHA256: 2f13aeda87ac36d7d1ed671093fb1c713eebba7c3536ccf44486aad6ae679450
SHA512: dbba7852f6d11efdc1ac05dfd9ef2b21d9c4bc8d40f6a87db2dc31c790401d33957b4579a7f1a92b5222d9d2c79e6dc6ea101cfcabc4cf53b81aebf220440efe
Malware Config
Extracted
Family: danabot
1987
4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Signatures

Blocklisted process makes network request (2 IoCs)
  flow  pid   process
  16    2904  rundll32.exe
  17    1560  RUNDLL32.EXE

Loads dropped DLL (3 IoCs)
  pid   process
  2904  rundll32.exe
  1560  RUNDLL32.EXE
  1560  RUNDLL32.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (1 IoC)
  description   ioc                       process
  File created  C:\PROGRA~3\Jvgzbfh.tmp   rundll32.exe
C:\PROGRA~3 is an 8.3 short name; on a default Windows 10 x64 install it resolves to C:\ProgramData rather than a Program Files directory, so treat this as a drop into ProgramData. The file is hashed under Downloads below.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
That second sentence is the sandbox's generic text for this signature; on its own, drive enumeration is not evidence of ransomware, and the extracted config identifies this sample as DanaBot, a modular banking trojan and infostealer.
Checks processor information in registry (2 TTPs, 22 IoCs)
Processor information is often read in order to detect sandboxing environments.
All 22 accesses are by RUNDLL32.EXE under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor and cover both logical processors (\0 and \1) of the guest:
  Key opened, Key enumerated          CentralProcessor
  Key opened, Key value enumerated    CentralProcessor\0
  Key value queried                   CentralProcessor\0\{FeatureSet, Identifier, VendorIdentifier, ProcessorNameString, ~MHz, Update Status, Previous Update Revision, Platform Specific Field 1, Configuration Data, Component Information}
  Key opened, Key value enumerated    CentralProcessor\1
  Key value queried                   CentralProcessor\1\{VendorIdentifier, ~MHz, Update Status, Update Revision, Previous Update Revision, Configuration Data}
Modifies system certificate store (2 IoCs)
  description       ioc                                                                                                               process
  Key created       \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC9062C217C3F883BD071E3CF01D033EABA846EA        RUNDLL32.EXE
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\DC9062C217C3F883BD071E3CF01D033EABA846EA\Blob   RUNDLL32.EXE
Blob = 030000000100000014000000dc9062c217c3f883bd071e3cf01d033eaba846ea20000000010000004602000030820242308201aba00302010202082e7fea931fd0d44e300d06092a864886f70d01010b0500304d3114301206035504030c0b476c326f62616c5369676e3120301e060355040b0c17476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a0c0a476c6f62616c5369676e301e170d3139303732363039303130345a170d3233303732353039303130345a304d3114301206035504030c0b476c326f62616c5369676e3120301e060355040b0c17476c6f62616c5369676e20526f6f74204341202d20523231133011060355040a0c0a476c6f62616c5369676e30819f300d06092a864886f70d010101050003818d0030818902818100ed849de220f6342fa827a0fd63a00c586a9eff4b0a8c1285102f23c17839094f6a976eb076dfb23553daf0e3a0f288d5752e7dd2bdb405338357c7d2c3c595620a25f67921dafebae3df514141b1a1c2e22900e7fd1437b6b10bca9673b15bdab0144766a8aa86460153f73ec53569156f7a62c27bc877a0ea5e2a900e61cfff0203010001a32b3029300f0603551d130101ff040530030101ff30160603551d11040f300d820b476c326f62616c5369676e300d06092a864886f70d01010b050003818100e9e76c7fcc529a1e22cc6d39bbd8ce78ce578a528ec428c481a660d23dfb57b78b946939cd7bf24824d0ab45ca65fe3f9b0e783bc8ec6afdb83d4587691f3e47fee811e8fd8593cbd4a9265b734e04d6d7c955c01f84040b34aa697c533223d0c0fa4ffe4e0ccdf4e73f4fafc7209d5d73f4d883a8d5fe9463397a07f250e3c0
The Blob is a CAPI serialized certificate record: property 3 (the SHA-1 hash, 20 bytes, equal to the key name) followed by property 0x20 (the DER certificate, 0x246 = 582 bytes). Decoded, the certificate is self-signed, signed with sha256WithRSAEncryption over a 1024-bit RSA key, serial 2e7fea931fd0d44e, subject and issuer CN=Gl2obalSign, OU=GlobalSign Root CA - R2, O=GlobalSign (note the "Gl2obalSign" misspelling of a real CA name), valid 2019-07-26 to 2023-07-25, with a critical basicConstraints CA:TRUE and a subjectAltName dNSName of Gl2obalSign. Because it is written to the machine-wide ROOT store, every client on the host that uses the Windows certificate store will trust any leaf certificate chained to it, which is what makes TLS interception possible; deleting this registry key (or the certificate via certlm.msc or certutil) is part of remediation.
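The following Python script is an added example and not part of the sandbox report. It parses the Blob value above as a CAPI serialized certificate record, extracts the DER certificate, checks the stored SHA-1 against the registry key name and recomputes it, then walks the DER to recover subject and issuer, validity, key size, the CA flag and the SAN. The hex constant is the report's Blob value; the property ids 3 (CERT_SHA1_HASH_PROP_ID) and 32 (CERT_CERT_PROP_ID) are the wincrypt.h values. Standard library only, so it runs offline.

```python
"""Decode the certificate Blob that RUNDLL32.EXE (pid 1560) wrote under
HKLM\\SOFTWARE\\Microsoft\\SystemCertificates\\ROOT\\Certificates\\<thumbprint>.
Added example, not from the sandbox report; BLOB_HEX is the report's value,
the CAPI record layout and the X.509 DER walk are standard. Stdlib only."""
import hashlib
import struct
from datetime import datetime

REG_KEY_THUMBPRINT = "DC9062C217C3F883BD071E3CF01D033EABA846EA"
BLOB_HEX = (
    "030000000100000014000000dc9062c217c3f883bd071e3cf01d033eaba846ea20000000010000004602000030820242"
    "308201aba00302010202082e7fea931fd0d44e300d06092a864886f70d01010b0500304d3114301206035504030c0b47"
    "6c326f62616c5369676e3120301e060355040b0c17476c6f62616c5369676e20526f6f74204341202d20523231133011"
    "060355040a0c0a476c6f62616c5369676e301e170d3139303732363039303130345a170d323330373235303930313034"
    "5a304d3114301206035504030c0b476c326f62616c5369676e3120301e060355040b0c17476c6f62616c5369676e2052"
    "6f6f74204341202d20523231133011060355040a0c0a476c6f62616c5369676e30819f300d06092a864886f70d010101"
    "050003818d0030818902818100ed849de220f6342fa827a0fd63a00c586a9eff4b0a8c1285102f23c17839094f6a976e"
    "b076dfb23553daf0e3a0f288d5752e7dd2bdb405338357c7d2c3c595620a25f67921dafebae3df514141b1a1c2e22900"
    "e7fd1437b6b10bca9673b15bdab0144766a8aa86460153f73ec53569156f7a62c27bc877a0ea5e2a900e61cfff020301"
    "0001a32b3029300f0603551d130101ff040530030101ff30160603551d11040f300d820b476c326f62616c5369676e30"
    "0d06092a864886f70d01010b050003818100e9e76c7fcc529a1e22cc6d39bbd8ce78ce578a528ec428c481a660d23dfb"
    "57b78b946939cd7bf24824d0ab45ca65fe3f9b0e783bc8ec6afdb83d4587691f3e47fee811e8fd8593cbd4a9265b734e"
    "04d6d7c955c01f84040b34aa697c533223d0c0fa4ffe4e0ccdf4e73f4fafc7209d5d73f4d883a8d5fe9463397a07f250e3c0"
)
CERT_SHA1_HASH_PROP_ID, CERT_CERT_PROP_ID = 3, 32      # wincrypt.h property ids
OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU"}
OID_BASIC_CONSTRAINTS, OID_SUBJECT_ALT_NAME = b"\x55\x1d\x13", b"\x55\x1d\x11"

def parse_capi_blob(blob):
    """Serialized store element: repeated (u32 prop id, u32 flags, u32 length, data)."""
    props, off = {}, 0
    while off < len(blob):
        prop_id, _flags, length = struct.unpack_from("<III", blob, off)
        props[prop_id] = blob[off + 12:off + 12 + length]
        off += 12 + length
    return props

def der_tlv(buf, off=0):
    """One DER element at buf[off:] -> (tag, value, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                   # long form: low 7 bits give the length-of-length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, buf[off:off + length], off + length

def der_children(value):
    """Contents of a constructed element as a list of (tag, value)."""
    out, off = [], 0
    while off < len(value):
        tag, v, off = der_tlv(value, off)
        out.append((tag, v))
    return out

def name_to_str(name):
    """X.501 Name = SEQUENCE OF SET OF SEQUENCE { OID, value }."""
    parts = []
    for _, rdn in der_children(name):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)

def analyze(blob_hex=BLOB_HEX):
    props = parse_capi_blob(bytes.fromhex(blob_hex))
    der = props[CERT_CERT_PROP_ID]
    sha1 = hashlib.sha1(der).hexdigest().upper()
    (_, tbs), _sig_alg, _sig = der_children(der_tlv(der)[1])
    f = der_children(tbs)
    i = 1 if f[0][0] == 0xA0 else 0     # v3 certs start with [0] EXPLICIT version
    issuer, subject = f[i + 2][1], f[i + 4][1]
    (_, not_before), (_, not_after) = der_children(f[i + 3][1])
    (_, _alg), (_, bits) = der_children(f[i + 5][1])          # SubjectPublicKeyInfo
    (_, modulus), _exp = der_children(der_tlv(bits, 1)[1])    # skip the unused-bits byte
    is_ca, san = False, []
    if len(f) > i + 6 and f[i + 6][0] == 0xA3:                # [3] EXPLICIT Extensions
        for _, ext in der_children(der_children(f[i + 6][1])[0][1]):
            items = der_children(ext)                         # OID, [critical], OCTET STRING
            oid, inner = items[0][1], der_tlv(items[-1][1])[1]
            if oid == OID_BASIC_CONSTRAINTS:
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in der_children(inner))
            elif oid == OID_SUBJECT_ALT_NAME:
                san = [v.decode() for t, v in der_children(inner) if t == 0x82]  # dNSName
    return {
        "stored_hash_matches_key": props[CERT_SHA1_HASH_PROP_ID].hex().upper() == REG_KEY_THUMBPRINT,
        "computed_sha1_matches_key": sha1 == REG_KEY_THUMBPRINT,
        "serial": f[i][1].hex(),
        "issuer": name_to_str(issuer),
        "subject": name_to_str(subject),
        "self_signed": issuer == subject,
        "not_before": datetime.strptime(not_before.decode(), "%y%m%d%H%M%SZ").isoformat(),
        "not_after": datetime.strptime(not_after.decode(), "%y%m%d%H%M%SZ").isoformat(),
        "rsa_bits": len(modulus.lstrip(b"\x00")) * 8,
        "is_ca": is_ca,
        "san_dns": san,
    }

if __name__ == "__main__":
    for key, value in analyze().items():
        print(f"{key:26} {value}")
```

Run it directly to print the decoded fields. analyze() returns them as a dict, so the same routine can be pointed at Blob values exported from a live host's ROOT key (reg export, or Get-ItemProperty in PowerShell) to hunt for other self-signed CA certificates that do not belong there.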
Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid   process         count
  1560  RUNDLL32.EXE    8
  3856  powershell.exe  3
  3984  powershell.exe  3

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  1560  RUNDLL32.EXE
  Token: SeDebugPrivilege  3856  powershell.exe
  Token: SeDebugPrivilege  3984  powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid   process
  1560  RUNDLL32.EXE

Suspicious use of WriteProcessMemory (21 IoCs; each pair is recorded three times)
  source pid  source process                         target pid  target process
  3432        1df80dc87cbf0939f1d693c02c538c78.exe   2904        rundll32.exe
  2904        rundll32.exe                           1560        RUNDLL32.EXE
  1560        RUNDLL32.EXE                           3856        powershell.exe
  1560        RUNDLL32.EXE                           3984        powershell.exe
  3984        powershell.exe                         1468        nslookup.exe
  1560        RUNDLL32.EXE                           724         schtasks.exe
  1560        RUNDLL32.EXE                           3496        schtasks.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\1df80dc87cbf0939f1d693c02c538c78.exe (pid 3432)
    "C:\Users\Admin\AppData\Local\Temp\1df80dc87cbf0939f1d693c02c538c78.exe"
    - Suspicious use of WriteProcessMemory

  [2] C:\Windows\SysWOW64\rundll32.exe (pid 2904)
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1DF80D~1.TMP,S C:\Users\Admin\AppData\Local\Temp\1DF80D~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\RUNDLL32.EXE (pid 1560)
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\1DF80D~1.TMP,X0kWMkg=
        - Blocklisted process makes network request
        - Loads dropped DLL
        - Checks processor information in registry
        - Modifies system certificate store
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 3856)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5A46.tmp.ps1"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (pid 3984)
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp.ps1"
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

        [5] C:\Windows\SysWOW64\nslookup.exe (pid 1468)
            "C:\Windows\system32\nslookup.exe" -type=any localhost

      [4] C:\Windows\SysWOW64\schtasks.exe
          schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

      [4] C:\Windows\SysWOW64\schtasks.exe
          schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

Notes on the tree:
  - Every child runs from C:\Windows\SysWOW64, i.e. the whole chain is 32-bit on the 64-bit guest.
  - 1DF80D~1.TMP is the 8.3 short name of the dropped module hashed under Downloads (SHA256 3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b); 1DF80D~1.EXE resolves to the sample itself. rundll32 is run twice against the same file with different export names, S and X0kWMkg=, and the second instance (pid 1560) is the one responsible for the registry, certificate-store and child-process activity in Signatures.
  - The two PowerShell scripts are the tmp5A46.tmp.ps1 and tmp6D53.tmp.ps1 files hashed under Downloads; the nslookup -type=any localhost child belongs to the second instance (pid 3984, per the WriteProcessMemory table).
  - The two schtasks.exe children are pids 724 and 3496; the Signatures tables do not say which ran /End and which ran /Run. Stopping and re-running \Microsoft\Windows\Wininet\CacheTask, a built-in task the sample did not create, is worth checking against what that task's action points to on the infected host.
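The following Python is an added example and not part of the sandbox report. It encodes the process tree above as flat process-creation records (a made-up pid/ppid/image/cmdline schema, constructed from the tree; the sample's own parent is not shown in the report, so it is None) and runs three checks a detection engineer would derive from this chain: rundll32 loading a non-.dll module out of the user's Temp folder by export name, powershell -ExecutionPolicy bypass -File on a script in Temp, and a schtasks /End followed by /Run of the same task from the same parent. It also reconstructs the ancestry of the nslookup.exe child. The rules are written generally (any Temp module, any task name), not just for the values seen here.

```python
"""Flag the execution chain in the report from process-creation events.
Added example, not from the sandbox report: EVENTS is constructed from the
process tree above, and the flat pid/ppid/image/cmdline records are a made-up
normalised schema, not any particular EDR's format. Stdlib only."""
import re
from collections import defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [  # ppid None: the report does not show the sample's parent
    {"pid": 3432, "ppid": None, "image": T + r"\1df80dc87cbf0939f1d693c02c538c78.exe",
     "cmdline": '"' + T + r'\1df80dc87cbf0939f1d693c02c538c78.exe"'},
    {"pid": 2904, "ppid": 3432, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe " + T + r"\1DF80D~1.TMP,S " + T + r"\1DF80D~1.EXE"},
    {"pid": 1560, "ppid": 2904, "image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "cmdline": r"C:\Windows\system32\RUNDLL32.EXE " + T + r"\1DF80D~1.TMP,X0kWMkg="},
    {"pid": 3856, "ppid": 1560, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"' + PS + '" -Executionpolicy bypass -File "' + T + r'\tmp5A46.tmp.ps1"'},
    {"pid": 3984, "ppid": 1560, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": '"' + PS + '" -Executionpolicy bypass -File "' + T + r'\tmp6D53.tmp.ps1"'},
    {"pid": 1468, "ppid": 3984, "image": r"C:\Windows\SysWOW64\nslookup.exe",
     "cmdline": r'"C:\Windows\system32\nslookup.exe" -type=any localhost'},
    {"pid": 724, "ppid": 1560, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask"},
    {"pid": 3496, "ppid": 1560, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r"schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask"},
]
TEMP_RE = re.compile(r"\\AppData\\Local\\Temp\\", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?"?\s+(?P<module>[^\s,]+),(?P<export>\S+)', re.I)
SCHTASKS_RE = re.compile(r'schtasks(?:\.exe)?"?\s+/(?P<verb>end|run)\s+/tn\s+(?P<task>\S+)', re.I)

def exe(ev):
    return ev["image"].rsplit("\\", 1)[-1].lower()

def rule_rundll32_temp_module(ev):
    """rundll32 loading a non-.dll module from the user's Temp folder through a named export."""
    m = RUNDLL_RE.search(ev["cmdline"]) if exe(ev) == "rundll32.exe" else None
    if m and TEMP_RE.search(m["module"]) and not m["module"].lower().endswith(".dll"):
        return f"rundll32 loads Temp module {m['module']} via export {m['export']}"
    return None

def rule_powershell_bypass_temp_script(ev):
    """powershell -ExecutionPolicy bypass -File pointing at a script in Temp."""
    cl = ev["cmdline"].lower()
    if exe(ev) == "powershell.exe" and "-executionpolicy bypass" in cl and "-file" in cl \
            and TEMP_RE.search(ev["cmdline"]):
        return "powershell runs a Temp script with -ExecutionPolicy bypass"
    return None

def schtasks_restart(events):
    """/End then /Run of one task from the same parent. A process restarting a task it did
    not create is the cue to look at what that task's action now points to."""
    seen, hits = defaultdict(set), []
    for ev in events:
        m = SCHTASKS_RE.search(ev["cmdline"]) if exe(ev) == "schtasks.exe" else None
        if not m:
            continue
        key = (ev["ppid"], m["task"].lower())
        seen[key].add(m["verb"].lower())
        if seen[key] == {"end", "run"}:
            hits.append((ev["pid"], f"pid {ev['ppid']} stopped and re-ran task {m['task']}"))
    return hits

def ancestry(events, pid):
    """Image names from the root of the tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(exe(by_pid[pid]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]

def analyze(events):
    """Return (pid, message) alerts, each tagged with the parent image name."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for ev in events:
        for rule in (rule_rundll32_temp_module, rule_powershell_bypass_temp_script):
            msg = rule(ev)
            if msg:
                parent = by_pid.get(ev["ppid"])
                alerts.append((ev["pid"], msg + (f" (parent {exe(parent)})" if parent else "")))
    return alerts + schtasks_restart(events)

if __name__ == "__main__":
    for pid, msg in analyze(EVENTS):
        print(pid, msg)
    print(" -> ".join(ancestry(EVENTS, 1468)))
```

The schtasks rule is stateful on (parent pid, task name) rather than on a single command line, because neither /End nor /Run is suspicious by itself; the pairing from one parent is what stands out. In a real pipeline the same keying should also carry a time window so that unrelated maintenance weeks apart does not pair up.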
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\PROGRA~3\Jvgzbfh.tmp
  MD5     b2b4ed93d5effe209d9613e446f4bce3
  SHA1    2ba57bce3da8428eb8b43e6e2ac2732d3f0ca0b6
  SHA256  c33d4b03437068364751cee9c802c0639b471e555aa9c03a383c0385ecab1545
  SHA512  0c0b1b4b339c2ecdb368d8f1d4078eabe27ffef5aff5ab0ba1c2fad2b3791b9132a6404c75cf1b5f4ad95185c9530049ebd7235d034a6602535285397fc7e080

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5     47eebe401625bbc55e75dbfb72e9e89a
  SHA1    db3b2135942d2532c59b9788253638eb77e5995e
  SHA256  f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
  SHA512  590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5     47cfdfde13df60229b3e885d72a3f81e
  SHA1    b785d4dd25f07483d89ce8a95e96b0e5590abf6e
  SHA256  61c1c26490cd20aeceb3fb036d86dbd7691e2209a3481b3f07771a56e3c0dcea
  SHA512  a8b3e618cb0b4b061aeb7e44dbd379ea3565a65e259b83c2714fd3da69db2bbdc6b6ebd0711cf13fc9973131f139c4273d7705bac51397f464b43478c4c60364

C:\Users\Admin\AppData\Local\Temp\1DF80D~1.TMP
  MD5     ee13cc90fabfc6ac9c4e8a00ed3805af
  SHA1    b50098d0e99a9f0f88624e58701c1a9570e421ae
  SHA256  3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
  SHA512  5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537

C:\Users\Admin\AppData\Local\Temp\tmp5A46.tmp.ps1
  MD5     3abe3543efeabc9943eb2daeeca718ac
  SHA1    d82c3b3bb06728dc11401d7e2bf95ee60fe032a3
  SHA256  1f1fb944e4ddaec24452791b52a748de46e3087f7e587d197c8f19c76d1da989
  SHA512  c0ac61bd1331960bfa643d6b7bb98d9c73179de72cf529c55c8355d34678001921827bd44562c71ef3eef15c799cd9af37fa50cd2792e23c33e3676723c44bf0

C:\Users\Admin\AppData\Local\Temp\tmp5A47.tmp
  MD5     c416c12d1b2b1da8c8655e393b544362
  SHA1    fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256  0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512  cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c

C:\Users\Admin\AppData\Local\Temp\tmp6D53.tmp.ps1
  MD5     9bcad7a0f83aca01da1a042c7fc6f734
  SHA1    e0145384c483949d3ef29e90031ee9321d4dd050
  SHA256  ba80011e2f846118727f7d9959c4b91546d3c7d111466c8c1343cb54854d8153
  SHA512  052d4642f64856fc6d2c724a36e46e44ee8efe65db94a74d385c8cdc7348f597a2a70b98ac821031da669bd58136c9aa5c33be6f5436e489561e83c4dcf6719a

C:\Users\Admin\AppData\Local\Temp\tmp6D54.tmp
  MD5     1860260b2697808b80802352fe324782
  SHA1    f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256  0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512  d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f

\Users\Admin\AppData\Local\Temp\1DF80D~1.TMP (listed three times in the report with identical hashes; same file as the C:\ entry above)
  MD5     ee13cc90fabfc6ac9c4e8a00ed3805af
  SHA1    b50098d0e99a9f0f88624e58701c1a9570e421ae
  SHA256  3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
  SHA512  5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537
-
Memory dumps (35 files, grouped by pid; "mapping.dmp" entries have no size)
  memory/724-184-0x0000000000000000-mapping.dmp
  memory/1468-181-0x0000000000000000-mapping.dmp
  memory/1560-120-0x0000000000000000-mapping.dmp
  memory/1560-123-0x0000000003F90000-0x00000000040EF000-memory.dmp   1.4MB
  memory/1560-126-0x0000000005B10000-0x0000000005B11000-memory.dmp   4KB
  memory/1560-131-0x0000000004660000-0x00000000058F6000-memory.dmp   18.6MB
  memory/2904-114-0x0000000000000000-mapping.dmp
  memory/2904-119-0x0000000000560000-0x0000000000561000-memory.dmp   4KB
  memory/2904-125-0x0000000004BA0000-0x0000000005E36000-memory.dmp   18.6MB
  memory/3432-117-0x0000000002310000-0x0000000002410000-memory.dmp   1024KB
  memory/3432-118-0x0000000000400000-0x0000000000546000-memory.dmp   1.3MB
  memory/3496-186-0x0000000000000000-mapping.dmp
  memory/3856-132-0x0000000000000000-mapping.dmp
  memory/3856-135-0x0000000000FC0000-0x0000000000FC1000-memory.dmp   4KB
  memory/3856-136-0x0000000007080000-0x0000000007081000-memory.dmp   4KB
  memory/3856-137-0x0000000000CC0000-0x0000000000CC1000-memory.dmp   4KB
  memory/3856-138-0x0000000006D20000-0x0000000006D21000-memory.dmp   4KB
  memory/3856-139-0x0000000006E90000-0x0000000006E91000-memory.dmp   4KB
  memory/3856-140-0x00000000076B0000-0x00000000076B1000-memory.dmp   4KB
  memory/3856-141-0x0000000006A40000-0x0000000006A41000-memory.dmp   4KB
  memory/3856-142-0x0000000006A42000-0x0000000006A43000-memory.dmp   4KB
  memory/3856-143-0x0000000006F80000-0x0000000006F81000-memory.dmp   4KB
  memory/3856-144-0x0000000006FB0000-0x0000000006FB1000-memory.dmp   4KB
  memory/3856-145-0x0000000007C30000-0x0000000007C31000-memory.dmp   4KB
  memory/3856-147-0x0000000007D70000-0x0000000007D71000-memory.dmp   4KB
  memory/3856-152-0x00000000093D0000-0x00000000093D1000-memory.dmp   4KB
  memory/3856-153-0x0000000008960000-0x0000000008961000-memory.dmp   4KB
  memory/3856-154-0x00000000069D0000-0x00000000069D1000-memory.dmp   4KB
  memory/3856-157-0x0000000006A43000-0x0000000006A44000-memory.dmp   4KB
  memory/3984-158-0x0000000000000000-mapping.dmp
  memory/3984-167-0x00000000076F0000-0x00000000076F1000-memory.dmp   4KB
  memory/3984-170-0x0000000007B20000-0x0000000007B21000-memory.dmp   4KB
  memory/3984-171-0x0000000000DD0000-0x0000000000DD1000-memory.dmp   4KB
  memory/3984-172-0x0000000000DD2000-0x0000000000DD3000-memory.dmp   4KB
  memory/3984-185-0x0000000000DD3000-0x0000000000DD4000-memory.dmp   4KB
The two 18.6MB regions (pid 2904 at 0x4BA0000 and pid 1560 at 0x4660000) are the same size in both rundll32 instances and are the natural first place to look for the unpacked payload; the 1.3MB region at 0x400000 in pid 3432 is the sample's own image.