Analysis
max time kernel: 293s
max time network: 343s
platform: windows7_x64
resource: win7v20210408
submitted: 26-09-2021 12:43
Static task: static1

General
Target: tvqyodlskqy.exe
Size: 1MB
MD5: 1ccb04e0781f40686a84367247e42c6d
SHA1: 4d4969f830b9d74de4b943063d0a7fbea23f020d
SHA256: 9b68462224e951b51381fca03a21722bd7b4511ad495ba58700663944e8df9f2
SHA512: 89f0cd763783a65aff86eb83f3e9a5528cc2321cae1b1427db4196708f3566866cef56e7c09e2ca210c7b4eb6fe085d20b64910e25c4f6bd5a0a236aa68c1bdf
Malware Config
Signatures
Danabot Loader Component (6 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL | DanabotLoader2021
behavioral1/memory/468-69-0x0000000000A40000-0x0000000000BA3000-memory.dmp | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL | DanabotLoader2021
\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL | DanabotLoader2021
Blocklisted process makes network request (1 IoC)
flow | pid | process
4 | 468 | rundll32.exe
Loads dropped DLL (4 IoCs)
pid | process
468 | rundll32.exe
468 | rundll32.exe
468 | rundll32.exe
468 | rundll32.exe
Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | process | target process
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
PID 1884 wrote to memory of 468 | 1884 | tvqyodlskqy.exe | rundll32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\tvqyodlskqy.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\tvqyodlskqy.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL,s C:\Users\Admin\AppData\Local\Temp\TVQYOD~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
C:\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL
MD5: e8503f0a4bfbb832630975604448f906
SHA1: 651186955053af29ae247087d538d36fac66beea
SHA256: 1bbd32dc3dd7e714c982f7cdec49375c3eb550ba747e924327dee0f63b05f7c8
SHA512: 6ebc57cd250b1c87202d4591df8ed29a453d5af33ed2fe188a30b422e8fa6282bfd917906499d0ef5e5a591242017ac98d8c99c4ccc1b1541ab841bf9f695e10
\Users\Admin\AppData\Local\Temp\TVQYOD~1.DLL
MD5: e8503f0a4bfbb832630975604448f906
SHA1: 651186955053af29ae247087d538d36fac66beea
SHA256: 1bbd32dc3dd7e714c982f7cdec49375c3eb550ba747e924327dee0f63b05f7c8
SHA512: 6ebc57cd250b1c87202d4591df8ed29a453d5af33ed2fe188a30b422e8fa6282bfd917906499d0ef5e5a591242017ac98d8c99c4ccc1b1541ab841bf9f695e10
memory/468-62-0x0000000000000000-mapping.dmp

memory/468-69-0x0000000000A40000-0x0000000000BA3000-memory.dmp
Filesize: 1MB

memory/1884-59-0x0000000001FE0000-0x00000000020E6000-memory.dmp
Filesize: 1MB

memory/1884-60-0x0000000000400000-0x0000000000592000-memory.dmp
Filesize: 1MB

memory/1884-61-0x0000000075891000-0x0000000075893000-memory.dmp
Filesize: 8KB