Analysis
- max time kernel: 117s
- max time network: 120s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 16:11
Static task
static1
General
- Target: c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe
- Size: 1.0MB
- MD5: 213c0f7fb89f43365b974b25dd5fdedd
- SHA1: 69e2111d470af96c7ce42c55d3b503fffc8241df
- SHA256: c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813
- SHA512: c8671d77804a70793b1d3b1a96cebd5cb9729626a7d1caeaa4e7ef19cc140b7fe1da1672d78a3d965e5e4b655d3f1f5f7712bf69eff71237187021dcef70e95d
Malware Config
Signatures
- Danabot Loader Component (4 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\C760FB~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\C760FB~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\C760FB~1.DLL | DanabotLoader2021
  behavioral1/memory/2468-121-0x0000000004190000-0x00000000042F3000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow | pid | process
  7 | 2468 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2468 | rundll32.exe
  2468 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 2208 wrote to memory of 2468 | 2208 | c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe | rundll32.exe
  PID 2208 wrote to memory of 2468 | 2208 | c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe | rundll32.exe
  PID 2208 wrote to memory of 2468 | 2208 | c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe (depth 1)
  command line: "C:\Users\Admin\AppData\Local\Temp\c760fba5a180e35fa541e41bbe97de9ed8afe111bb8dc295a04f4afdb6783813.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C760FB~1.DLL,s C:\Users\Admin\AppData\Local\Temp\C760FB~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\C760FB~1.DLL
  MD5: 3ba252dc610351e13b1f6e947ccde14d
  SHA1: c095cc9aaaff31dbe20470b99f6203b0a7ee030f
  SHA256: c894a5bdd1684a89c3576dff3476ec3b64e473faba387620356c422a5069bb77
  SHA512: c1bc81fe90301028ec10964d9d0ee6dc3398e9c3e064d0e4dad3255934bb2d614cec696a4d53a6b10c1a4f573bbb7c16c95086d510727271ebc8692c12a1961d
- \Users\Admin\AppData\Local\Temp\C760FB~1.DLL
  MD5: 3ba252dc610351e13b1f6e947ccde14d
  SHA1: c095cc9aaaff31dbe20470b99f6203b0a7ee030f
  SHA256: c894a5bdd1684a89c3576dff3476ec3b64e473faba387620356c422a5069bb77
  SHA512: c1bc81fe90301028ec10964d9d0ee6dc3398e9c3e064d0e4dad3255934bb2d614cec696a4d53a6b10c1a4f573bbb7c16c95086d510727271ebc8692c12a1961d
- memory/2208-116-0x0000000000400000-0x0000000000591000-memory.dmp
  Filesize: 1.6MB
- memory/2208-115-0x0000000002540000-0x0000000002646000-memory.dmp
  Filesize: 1.0MB
- memory/2468-117-0x0000000000000000-mapping.dmp
- memory/2468-121-0x0000000004190000-0x00000000042F3000-memory.dmp
  Filesize: 1.4MB