Analysis
- max time kernel: 119s
- max time network: 125s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 21-10-2021 19:41
- Static task: static1
General
- Target: d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe
- Size: 1.1MB
- MD5: 8221e011ca9356d2f6f7126eb13553d1
- SHA1: 73c2e0986be301d0552b8f6662bd786a85cea382
- SHA256: d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e
- SHA512: b87f95122f40708a1b879fa03c8d8f27dd002dae575c684bf06958c4ce93ccf4be04540b51bafab759d61a28cab28f814d12080619ecfac76973a48305a2704a
Malware Config
Extracted
- danabot
  - 192.119.110.73:443
  - 192.236.147.159:443
  - 192.210.222.88:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader
Signatures
- Danabot Loader Component (4 IoCs)
  Processes (resource | yara_rule):
  - C:\Users\Admin\AppData\Local\Temp\D07672~1.DLL | DanabotLoader2021
  - \Users\Admin\AppData\Local\Temp\D07672~1.DLL | DanabotLoader2021
  - \Users\Admin\AppData\Local\Temp\D07672~1.DLL | DanabotLoader2021
  - behavioral1/memory/1676-122-0x0000000004280000-0x00000000043E0000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes (flow | pid | process):
  - 32 | 1676 | rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes (pid | process):
  - 1676 | rundll32.exe
  - 1676 | rundll32.exe
- Drops file in Program Files directory (1 IoC)
  Processes (description | ioc | process):
  - File created | C:\PROGRA~3\zohplghndapsm.tmp | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  - PID 1976 wrote to memory of 1676 | 1976 | d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe | rundll32.exe
  - PID 1976 wrote to memory of 1676 | 1976 | d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe | rundll32.exe
  - PID 1976 wrote to memory of 1676 | 1976 | d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d076723f1269a1387c69018f4a3fac024b73176f8403372d06a7d58ade52d64e.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\D07672~1.DLL,s C:\Users\Admin\AppData\Local\Temp\D07672~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    - Drops file in Program Files directory
Downloads
- C:\Users\Admin\AppData\Local\Temp\D07672~1.DLL
  MD5: dbc387e8a1b2f9803590766272260da2
  SHA1: d7ab66e5b70a896582bc12d9d7f8e3aaa3c1193f
  SHA256: 00039f510d60b41b71e22ac2f54185705660eba10253b0767cdb019b04185eeb
  SHA512: 28cf0da46adda4546a62c23a7f26679145d1eb77f8974f83d4d3644d066f2f9d8d132017d1a4bfeb196a9fe6c2f568890f87262f3f18a128a188cfd0ce312646
- \Users\Admin\AppData\Local\Temp\D07672~1.DLL
  MD5: dbc387e8a1b2f9803590766272260da2
  SHA1: d7ab66e5b70a896582bc12d9d7f8e3aaa3c1193f
  SHA256: 00039f510d60b41b71e22ac2f54185705660eba10253b0767cdb019b04185eeb
  SHA512: 28cf0da46adda4546a62c23a7f26679145d1eb77f8974f83d4d3644d066f2f9d8d132017d1a4bfeb196a9fe6c2f568890f87262f3f18a128a188cfd0ce312646
- memory/1676-118-0x0000000000000000-mapping.dmp
- memory/1676-122-0x0000000004280000-0x00000000043E0000-memory.dmp
  Filesize: 1.4MB
- memory/1976-116-0x0000000004FB0000-0x00000000050B5000-memory.dmp
  Filesize: 1.0MB
- memory/1976-115-0x0000000004EC0000-0x0000000004FAE000-memory.dmp
  Filesize: 952KB
- memory/1976-117-0x0000000000400000-0x0000000002FE6000-memory.dmp
  Filesize: 43.9MB