Analysis
- max time kernel: 105s
- max time network: 113s
- platform: windows10_x64
- resource: win10v20210408
- submitted: 26-09-2021 21:00
- Static task: static1
General
- Target: 312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe
- Size: 1.0MB
- MD5: 3f0c702ca97329dbd1058ee03554438c
- SHA1: 7144b00e3daf74537f320cc63ac27146f8f97db0
- SHA256: 312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a
- SHA512: da3f45c45d206e56c70f8b6a44a647eff252bfb8359dd000058177ec8741c33cbe285a1798bf0dc7f4b5ccb7ca52914ae022243aa63d3a0dcfafa501c1b93ad6
Malware Config
Extracted: danabot
- 23.254.144.209:443
- 192.236.194.86:443
- 142.11.192.232:443
- embedded_hash: 0E1A7A1479C37094441FA911262B322A
Signatures
- Danabot Loader Component (4 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\312F63~1.DLL | DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\312F63~1.DLL | DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\312F63~1.DLL | DanabotLoader2021
    behavioral1/memory/3880-120-0x00000000044F0000-0x0000000004653000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
    flow | pid | process
    12 | 3880 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe
    pid | process
    3880 | rundll32.exe
    3880 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: 312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe
    description | pid | process | target process
    PID 4024 wrote to memory of 3880 | 4024 | 312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe | rundll32.exe
    PID 4024 wrote to memory of 3880 | 4024 | 312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe | rundll32.exe
    PID 4024 wrote to memory of 3880 | 4024 | 312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\312f6356e84a66b37b45ee215003dcc0ef7e6ee64c86bd7acf7069818d98869a.exe"
  PID: 4024
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\312F63~1.DLL,s C:\Users\Admin\AppData\Local\Temp\312F63~1.EXE
    PID: 3880
    - Blocklisted process makes network request
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\312F63~1.DLL
  MD5: 2f1cc868263ef39f234349e3b57967b8
  SHA1: 21537093c120564e1bde7373db0454b6a37cdd2c
  SHA256: 3d1868bd168d0ca22d6b2c377f957ef8601cbe4ebf9f570fc3fd5c3556a4aed9
  SHA512: 6d5392969655b1b42fc24f5cd57f37e46b12ec59472bb998603a801d7386034effe837e138c9157dd3bbb1493200e51922a5e49be4e66bb77638b5e9fe8d18c0
- memory/3880-114-0x0000000000000000-mapping.dmp
- memory/3880-120-0x00000000044F0000-0x0000000004653000-memory.dmp
  Filesize: 1.4MB
- memory/4024-115-0x00000000025C0000-0x00000000026C6000-memory.dmp
  Filesize: 1.0MB
- memory/4024-116-0x0000000000400000-0x000000000058F000-memory.dmp
  Filesize: 1.6MB