Analysis

max time kernel: 141s
max time network: 122s
platform: windows10_x64
resource: win10v20210410
submitted: 26-07-2021 06:08

Static task: static1
Behavioral task: behavioral1
Sample: 7f8f5be06bf789146526e520a66be571.exe
Resource: win7v20210408
General

Target: 7f8f5be06bf789146526e520a66be571.exe
Size: 1.2MB
MD5: 7f8f5be06bf789146526e520a66be571
SHA1: 629681e69d3759d2085aa2c037c8c6fca4045ea2
SHA256: 1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd
SHA512: 4c396b8dadfd446f11b644ad33042e0c6fa19b418c02d744f4bda5409732b3b1601cc3bff191cb5a8a10f676672d0c662705420a1b4306f142a6a897a09210aa
Malware Config

Extracted
danabot
1987
4
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
Signatures

Blocklisted process makes network request (2 IoCs)
Processes:
flow | pid  | process
15   | 2528 | rundll32.exe
16   | 3868 | RUNDLL32.EXE

Loads dropped DLL (3 IoCs)
Processes:
pid  | process
2528 | rundll32.exe
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops file in Program Files directory (1 IoC)
Processes:
description  | ioc                     | process
File created | C:\PROGRA~3\Jvgzbfh.tmp | rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 19 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
description          | ioc                                                                                         | process
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                            | RUNDLL32.EXE
Key enumerated       | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                              | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                 | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information      | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                 | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier           | RUNDLL32.EXE
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                            | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                            | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier                 | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString        | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status              | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier           | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision   | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision   | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status              | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information      | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                            | RUNDLL32.EXE
Key opened           | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                              | RUNDLL32.EXE
Key value queried    | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString        | RUNDLL32.EXE
Modifies system certificate store
Processes:
description      | ioc                                                                                                                           | process
Key created      | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19DF2C00A65E58B316BA82DFF4876FCC1317C889            | RUNDLL32.EXE
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\19DF2C00A65E58B316BA82DFF4876FCC1317C889\Blob = [blob data not captured] | RUNDLL32.EXE
Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes:
pid  | process
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
1804 | powershell.exe
1804 | powershell.exe
1804 | powershell.exe
3868 | RUNDLL32.EXE
3868 | RUNDLL32.EXE
2152 | powershell.exe
2152 | powershell.exe
2152 | powershell.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description              | pid  | process
Token: SeDebugPrivilege  | 3868 | RUNDLL32.EXE
Token: SeDebugPrivilege  | 1804 | powershell.exe
Token: SeDebugPrivilege  | 2152 | powershell.exe
Suspicious use of FindShellTrayWindow (1 IoC)
Processes:
pid  | process
3868 | RUNDLL32.EXE
Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
description                      | pid  | process                               | target process
PID 3172 wrote to memory of 2528 | 3172 | 7f8f5be06bf789146526e520a66be571.exe | rundll32.exe
PID 3172 wrote to memory of 2528 | 3172 | 7f8f5be06bf789146526e520a66be571.exe | rundll32.exe
PID 3172 wrote to memory of 2528 | 3172 | 7f8f5be06bf789146526e520a66be571.exe | rundll32.exe
PID 2528 wrote to memory of 3868 | 2528 | rundll32.exe                          | RUNDLL32.EXE
PID 2528 wrote to memory of 3868 | 2528 | rundll32.exe                          | RUNDLL32.EXE
PID 2528 wrote to memory of 3868 | 2528 | rundll32.exe                          | RUNDLL32.EXE
PID 3868 wrote to memory of 1804 | 3868 | RUNDLL32.EXE                          | powershell.exe
PID 3868 wrote to memory of 1804 | 3868 | RUNDLL32.EXE                          | powershell.exe
PID 3868 wrote to memory of 1804 | 3868 | RUNDLL32.EXE                          | powershell.exe
PID 3868 wrote to memory of 2152 | 3868 | RUNDLL32.EXE                          | powershell.exe
PID 3868 wrote to memory of 2152 | 3868 | RUNDLL32.EXE                          | powershell.exe
PID 3868 wrote to memory of 2152 | 3868 | RUNDLL32.EXE                          | powershell.exe
PID 2152 wrote to memory of 2528 | 2152 | powershell.exe                        | nslookup.exe
PID 2152 wrote to memory of 2528 | 2152 | powershell.exe                        | nslookup.exe
PID 2152 wrote to memory of 2528 | 2152 | powershell.exe                        | nslookup.exe
PID 3868 wrote to memory of 584  | 3868 | RUNDLL32.EXE                          | schtasks.exe
PID 3868 wrote to memory of 584  | 3868 | RUNDLL32.EXE                          | schtasks.exe
PID 3868 wrote to memory of 584  | 3868 | RUNDLL32.EXE                          | schtasks.exe
PID 3868 wrote to memory of 1896 | 3868 | RUNDLL32.EXE                          | schtasks.exe
PID 3868 wrote to memory of 1896 | 3868 | RUNDLL32.EXE                          | schtasks.exe
PID 3868 wrote to memory of 1896 | 3868 | RUNDLL32.EXE                          | schtasks.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,PQE8c3Q3MQ==
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies system certificate store
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory

      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      [depth 4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5B13.tmp.ps1"
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [depth 5] C:\Windows\SysWOW64\nslookup.exe
          Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

      [depth 4] C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
Downloads
C:\PROGRA~3\Jvgzbfh.tmp
  MD5: 17027d5d8b71d79882fa359c64d07164
  SHA1: c7f47e13eed4c157c4d28307f20e071e61ade674
  SHA256: c5f026643ecf48b458646a1c35b2058761ff3c2c1edd3dc945a80fcf6c66ad51
  SHA512: 4186d9e52500b3bf7131816c2d64f9333bbbaee30a58f4d6de89d94271bd54befb030dab1d78362d41912e028ed7802750ac6ee016242d673702d69e19cbdd03
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  MD5: 47eebe401625bbc55e75dbfb72e9e89a
  SHA1: db3b2135942d2532c59b9788253638eb77e5995e
  SHA256: f1cd56000c44bbdb6880b5b133731f493fe8cba8198c5a861da6ae7b489ed0c3
  SHA512: 590b149863d58be346e7927c28501375cc570858d2f156d234b03d68b86c5c0667a1038e2b6f6639172bf95638ca9f7c70f45270951abbcdf43b1be853b81d56
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  MD5: 88c4043684a8143055b7411ffc1584f0
  SHA1: f760a4497022ed152bd536e5ee917696d3071a65
  SHA256: 51a7aa52b9ee561a85b75681f3f9d18bb89e22b872d426b8707f5675f172c2c0
  SHA512: 4d31fb36e96339e412df50a30cab26bc82dbc7eeb5b9f7919ac542cc2019f7a8beda3a305bef915428e37f26de3bc44ef39918ced2707c0077c6a5131512e672
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
  MD5: 5d31570b7ba4277cfb30dcf8952e76bb
  SHA1: e623e0630f480327885182e7c3f7c5017cf045f9
  SHA256: 63a38ca6e194c44328c568893c93a76725b0ca820c64488327583fb17517e095
  SHA512: ecfa2cea1eb97d73455063ead67b89e9462a1d7edf502564dcf63a9b1ea8ca91c8641db96e4dbe3687aeaf7a024aca6f1ece80646503af2255d47e297659a927
C:\Users\Admin\AppData\Local\Temp\tmp47A8.tmp.ps1
  MD5: 5e80536ca3f04550d3d9e98447816b98
  SHA1: f0dbdc675a6995615060c7c4d166b94e72d062b8
  SHA256: 69f1416c75a0bfc4482a89f80215594d576b67c05000443807aedbcb9672cf62
  SHA512: c67c50502c68aecd7d661ebdf71c9b1c6e75fdba56a7f13e6cad61f53d32d6e6836575236d3bc0db6d356107e9c81383af6702de0d6606c5e05bf5751e78e1ad
C:\Users\Admin\AppData\Local\Temp\tmp47A9.tmp
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
C:\Users\Admin\AppData\Local\Temp\tmp5B13.tmp.ps1
  MD5: 8a8384fc917c0d2567f9c0ecd2eea547
  SHA1: 188cd8b5fd0d5405e9e297f82d4cfa63a35ab7e2
  SHA256: 17e1ddd4d794000d414d81706200b8d234be4b6f62564247745763767ec39b2e
  SHA512: 7651d49197a18775c75d6db16f1bd16564a84ac029665a7723c22d83579f642e3e6df39f6129a37ad50b6671c301c798c82af9ee8fba505904c4790284571a69
C:\Users\Admin\AppData\Local\Temp\tmp5B14.tmp
  MD5: 1860260b2697808b80802352fe324782
  SHA1: f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
  SHA256: 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
  SHA512: d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
  MD5: 5d31570b7ba4277cfb30dcf8952e76bb
  SHA1: e623e0630f480327885182e7c3f7c5017cf045f9
  SHA256: 63a38ca6e194c44328c568893c93a76725b0ca820c64488327583fb17517e095
  SHA512: ecfa2cea1eb97d73455063ead67b89e9462a1d7edf502564dcf63a9b1ea8ca91c8641db96e4dbe3687aeaf7a024aca6f1ece80646503af2255d47e297659a927