Analysis

- max time kernel: 116s
- max time network: 119s
- platform: windows10_x64
- resource: win10-en-20210920
- submitted: 26-09-2021 17:50
- Static task: static1
General

- Target: 9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555.exe
- Size: 1.0MB
- MD5: a23081e120c76214255c76882fed5158
- SHA1: 924f93589e61784120c19c7cc8be1ec1a5b1c8f3
- SHA256: 9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555
- SHA512: 8bfe1ce2c0e1b88b751465463408fa1af2688698e8d48a38dec4c01699818992ae4b221a326c4e184034779726ad5c1a6d094142ecf2db7ee4bb25afe0b7bba6
Malware Config

Extracted: danabot
- 23.254.144.209:443
- 192.236.194.86:443
- 142.11.192.232:443
- embedded_hash: 0E1A7A1479C37094441FA911262B322A
Signatures

- Danabot Loader Component (2 IoCs)
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\9104FE~1.DLL | DanabotLoader2021
  - \Users\Admin\AppData\Local\Temp\9104FE~1.DLL | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  - 7 | 2484 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  - 2484 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 2332 wrote to memory of 2484 | 2332 | 9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555.exe | rundll32.exe
  - PID 2332 wrote to memory of 2484 | 2332 | 9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555.exe | rundll32.exe
  - PID 2332 wrote to memory of 2484 | 2332 | 9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555.exe | rundll32.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9104fee4fa7fa3fbc00647a684c4d431990fa8bfc1c4a9aeb4a76ce27abd6555.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (child process)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9104FE~1.DLL,s C:\Users\Admin\AppData\Local\Temp\9104FE~1.EXE
    Signatures:
    - Blocklisted process makes network request
    - Loads dropped DLL
Downloads

- C:\Users\Admin\AppData\Local\Temp\9104FE~1.DLL
  MD5: 9a0ec55943d662c363ae0893b9486ed6
  SHA1: 9f0638efb7377cdca8e6745ee7ad93ae7476bc7c
  SHA256: fe21c245b2339784497a75fcea06b476da65c684a3d4e1dfa548ca46075feb2d
  SHA512: 7695a109265c3e225896758471e7377b0f4e1d9bae74bc2ed09d2090c0d8b7ae57c651f7882a66936c7ab772eb5aae770e5ff8a178fdba6903fd0fae6a4aa0af
- \Users\Admin\AppData\Local\Temp\9104FE~1.DLL
  MD5: 9a0ec55943d662c363ae0893b9486ed6
  SHA1: 9f0638efb7377cdca8e6745ee7ad93ae7476bc7c
  SHA256: fe21c245b2339784497a75fcea06b476da65c684a3d4e1dfa548ca46075feb2d
  SHA512: 7695a109265c3e225896758471e7377b0f4e1d9bae74bc2ed09d2090c0d8b7ae57c651f7882a66936c7ab772eb5aae770e5ff8a178fdba6903fd0fae6a4aa0af
- memory/2332-115-0x0000000002410000-0x0000000002516000-memory.dmp
  Filesize: 1.0MB
- memory/2332-119-0x0000000000400000-0x0000000000590000-memory.dmp
  Filesize: 1.6MB
- memory/2484-116-0x0000000000000000-mapping.dmp