Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
03-12-2021 13:30
General
-
Target
96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3.exe
-
Size
5.3MB
-
MD5
8184e6cb56376660cf0756a1adef0671
-
SHA1
9bc48fddf1fe3eba10fb229723b256a350c66838
-
SHA256
96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3
-
SHA512
4b7c7797702d46a825ad8eb27b9f1481b1940e7f9e57ceb687b165fc9b32a2a65f1c96a65b2e8591952ad231f71fbfaf56a22fab3cafe92bf87b8326f56d06a5
Malware Config
Extracted
danabot
142.11.244.223:443
23.106.122.139:443
-
embedded_hash
0FA95F120D6EB149A5D48E36BC76879D
-
type
loader
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Danabot Loader Component 4 IoCs
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
-
Blocklisted process makes network request 1 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Loads dropped DLL 3 IoCs
-
Themida packer 18 IoCs
Detects Themida, an advanced Windows software protection system.
-
Checks whether UAC is enabled 1 TTPs 3 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
-
Drops file in Program Files directory 3 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 18 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3.exe"C:\Users\Admin\AppData\Local\Temp\96a780f5b7e0a8a780d93beaa88544f03daeb6626f9cd1cc785163120744ecb3.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"3⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\hiijjuf.exe"C:\Users\Admin\AppData\Local\Temp\hiijjuf.exe"3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\HIIJJU~1.DLL,s C:\Users\Admin\AppData\Local\Temp\hiijjuf.exe4⤵
- Loads dropped DLL
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4400 -s 5764⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\idemwmcojkc.vbs"3⤵
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rqeetnhsqq.vbs"3⤵
- Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751MD5
54e9306f95f32e50ccd58af19753d929
SHA1eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
SHA25645f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
SHA5128711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751MD5
d640cd409b9714414f542dc986e8ee53
SHA1e8d6b804c8e3fb07679188f3517b1e68fbffcd12
SHA2562061c92da1da7c4fddedbbdf3e27a18ddae8f62017c1225f89718f9de854e253
SHA512f942179ce63fe08290adde2ae932e217e6e8ebb86d4ee3b11945b06648c4ffbe98fe700c8571274fc85ba8245f7b664f29eec6fad119ec37b0aafbe1ca5f272b
-
C:\Users\Admin\AppData\Local\Temp\HIIJJU~1.DLLMD5
1f21f41b7f57276bb24ddcf9dda87484
SHA155f4de10060eb86d70b47c8fcef001f5210bedc6
SHA256f13fd91404b8a5dcd04dab7aa4b9a5f82dc405ad8290f2f055d3954900a07036
SHA51210e1b58d8c9cd6020590be9621d15fb6406aed861b007f61c5818093d392495072aa222464bddd3a07702601e2aecc2915f05e86c52f6c1143ed1cb3543b3f98
-
C:\Users\Admin\AppData\Local\Temp\hiijjuf.exeMD5
f3b37474e8c5d2c1842bbe56cd440771
SHA1e15a3ec5d6d5a035c6d748472c4cf01604c99475
SHA25613739e4d133d3c4e022b10e2ca5a7c22b8ed9852aca8a972424716bbdd265266
SHA5129e827c129b02b1e85aac8bc05a8c8df5e57dd7806f7ea58c6fa0ab9e368fde0baf5662c7498e4dc9970364ac037c0b996a7c67ee48cd55367008f7c747a870f9
-
C:\Users\Admin\AppData\Local\Temp\hiijjuf.exeMD5
f3b37474e8c5d2c1842bbe56cd440771
SHA1e15a3ec5d6d5a035c6d748472c4cf01604c99475
SHA25613739e4d133d3c4e022b10e2ca5a7c22b8ed9852aca8a972424716bbdd265266
SHA5129e827c129b02b1e85aac8bc05a8c8df5e57dd7806f7ea58c6fa0ab9e368fde0baf5662c7498e4dc9970364ac037c0b996a7c67ee48cd55367008f7c747a870f9
-
C:\Users\Admin\AppData\Local\Temp\idemwmcojkc.vbsMD5
b9f71b2b4adbf9299d636716acede6a1
SHA180c9fc1f92ac05eb8dd2ac942981611216d3e218
SHA2560cbd338d663fee44b845932315b02e2fa7df208b050e1cc3cf1b069f4cca7614
SHA5122a50c3157995a9e67782d8f7482f988e99ffc8488bb8d1f777081ef7b4d1a2ec9dd220f5487abe9046a04a7781f808ade4db8a993ddd19ae9e0c4b62f41d9815
-
C:\Users\Admin\AppData\Local\Temp\rqeetnhsqq.vbsMD5
b53fd10cf32f6fa3c09bc18532405239
SHA143ad3243a56bc77ffbf41624681381e4262574ec
SHA25617cb08ef9896c967d59f57ba1d5aa45371ce009e4fe917a0fc67d467a0864f47
SHA5123ec79d914276ad21e523b245a96280691de4d834bc1d948c87bbf29236707c0fb1f5aab05a5075d7624d87624b6507bd63efc797e9bb56c1777e88ec6d7315a0
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exeMD5
9316d0e5a1bd9f6813077b3f11d26b6e
SHA1707e38615d3f4fb54b0d49c9ace51de2f21069de
SHA256c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb
SHA512122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f
-
C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exeMD5
9316d0e5a1bd9f6813077b3f11d26b6e
SHA1707e38615d3f4fb54b0d49c9ace51de2f21069de
SHA256c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb
SHA512122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exeMD5
b554ac040604842b3f5e186193896f2c
SHA1b403f2b366d042770080f659227666855f95ef46
SHA256a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39
SHA51263d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea
-
C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exeMD5
b554ac040604842b3f5e186193896f2c
SHA1b403f2b366d042770080f659227666855f95ef46
SHA256a3aba366cb6f248137c74919386228c12d1b43faea175e36de7a6261d3ee9d39
SHA51263d08930078582a20fdf0e1d06a9c36855126f89f39de49a40d2db4a4891997d31fb310eb14f8c34270edf065a0c219efe1f82ea76da7f8227534940765a78ea
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
9316d0e5a1bd9f6813077b3f11d26b6e
SHA1707e38615d3f4fb54b0d49c9ace51de2f21069de
SHA256c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb
SHA512122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f
-
C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exeMD5
9316d0e5a1bd9f6813077b3f11d26b6e
SHA1707e38615d3f4fb54b0d49c9ace51de2f21069de
SHA256c5dc08f10bf632e34ce1057c6423597141fed6125a5282e0a2d3f3361c75fefb
SHA512122a19da734bb0a8c0a3cec6c6cda14af7a6fe460f8fe74fb27e9104bef6ceba2cca0f608e5bca52888edbc31c2911ce4aaf7cc644f8bb491e0fbbd51238160f
-
\Users\Admin\AppData\Local\Temp\HIIJJU~1.DLLMD5
1f21f41b7f57276bb24ddcf9dda87484
SHA155f4de10060eb86d70b47c8fcef001f5210bedc6
SHA256f13fd91404b8a5dcd04dab7aa4b9a5f82dc405ad8290f2f055d3954900a07036
SHA51210e1b58d8c9cd6020590be9621d15fb6406aed861b007f61c5818093d392495072aa222464bddd3a07702601e2aecc2915f05e86c52f6c1143ed1cb3543b3f98
-
\Users\Admin\AppData\Local\Temp\HIIJJU~1.DLLMD5
1f21f41b7f57276bb24ddcf9dda87484
SHA155f4de10060eb86d70b47c8fcef001f5210bedc6
SHA256f13fd91404b8a5dcd04dab7aa4b9a5f82dc405ad8290f2f055d3954900a07036
SHA51210e1b58d8c9cd6020590be9621d15fb6406aed861b007f61c5818093d392495072aa222464bddd3a07702601e2aecc2915f05e86c52f6c1143ed1cb3543b3f98
-
\Users\Admin\AppData\Local\Temp\nswBB43.tmp\UAC.dllMD5
adb29e6b186daa765dc750128649b63d
SHA1160cbdc4cb0ac2c142d361df138c537aa7e708c9
SHA2562f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
SHA512b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
-
memory/768-138-0x0000000000000000-mapping.dmp
-
memory/1084-151-0x0000000000000000-mapping.dmp
-
memory/2040-155-0x0000000000000000-mapping.dmp
-
memory/2040-159-0x0000000004110000-0x000000000438D000-memory.dmpFilesize
2.5MB
-
memory/2880-128-0x00000000010C0000-0x00000000017A1000-memory.dmpFilesize
6.9MB
-
memory/2880-129-0x00000000010C0000-0x00000000017A1000-memory.dmpFilesize
6.9MB
-
memory/2880-119-0x0000000000000000-mapping.dmp
-
memory/2880-122-0x0000000077E10000-0x0000000077F9E000-memory.dmpFilesize
1.6MB
-
memory/2880-123-0x00000000010C0000-0x00000000017A1000-memory.dmpFilesize
6.9MB
-
memory/2880-127-0x00000000010C0000-0x00000000017A1000-memory.dmpFilesize
6.9MB
-
memory/3740-144-0x0000000000B60000-0x0000000001241000-memory.dmpFilesize
6.9MB
-
memory/3740-145-0x0000000000B60000-0x0000000001241000-memory.dmpFilesize
6.9MB
-
memory/3740-146-0x0000000000B60000-0x0000000001241000-memory.dmpFilesize
6.9MB
-
memory/3740-140-0x0000000000000000-mapping.dmp
-
memory/3740-148-0x0000000077E10000-0x0000000077F9E000-memory.dmpFilesize
1.6MB
-
memory/3740-143-0x0000000000B60000-0x0000000001241000-memory.dmpFilesize
6.9MB
-
memory/3920-132-0x00000000002B0000-0x0000000000970000-memory.dmpFilesize
6.8MB
-
memory/3920-131-0x00000000002B0000-0x0000000000970000-memory.dmpFilesize
6.8MB
-
memory/3920-130-0x00000000002B0000-0x0000000000970000-memory.dmpFilesize
6.8MB
-
memory/3920-124-0x0000000000000000-mapping.dmp
-
memory/3920-133-0x00000000002B0000-0x0000000000970000-memory.dmpFilesize
6.8MB
-
memory/3920-134-0x0000000077E10000-0x0000000077F9E000-memory.dmpFilesize
1.6MB
-
memory/4400-150-0x0000000000400000-0x0000000000652000-memory.dmpFilesize
2.3MB
-
memory/4400-135-0x0000000000000000-mapping.dmp
-
memory/4400-149-0x0000000000A70000-0x0000000000C17000-memory.dmpFilesize
1.7MB
-
memory/4400-147-0x00000000008BD000-0x0000000000A4D000-memory.dmpFilesize
1.6MB