Analysis
- max time kernel: 154s
- max time network: 139s
- platform: windows10_x64
- resource: win10-en-20211014
- submitted: 04-12-2021 07:35
- Static task: static1
- Behavioral task: behavioral1
- Sample: 6313fcca4988a89b15e1e68b7c9ee96e.exe
- Resource: win7-en-20211014
General
- Target: 6313fcca4988a89b15e1e68b7c9ee96e.exe
- Size: 5.4MB
- MD5: 6313fcca4988a89b15e1e68b7c9ee96e
- SHA1: a53ce6d8455d9f0cea51c0863425532f96d3250d
- SHA256: a486e98ea8d025f3510f79b22f56e344f18c29a64a21b15cd1b3caa2721bf554
- SHA512: c13536c79b25b0b048fa255f7dffccb10b1d4c9515c303095d1787021fc51c37464dadddaf30f5c6d01859316447ff874e114a8025e4389237cf704dcb616398
Malware Config
Extracted
- Family: danabot
- C2: 142.11.244.223:443
- C2: 23.106.122.139:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures
- Danabot Loader Component (4 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL | DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL | DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL | DanabotLoader2021
    behavioral2/memory/2340-156-0x00000000047B0000-0x0000000004A2D000-memory.dmp | DanabotLoader2021
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow | pid | process
    30 | 1256 | WScript.exe
- Downloads MZ/PE file
- Executes dropped EXE (4 IoCs)
  Processes:
    pid | process
    4052 | orchic.exe
    988 | quothavp.exe
    2124 | qeysarbeam.exe
    1832 | DpEditor.exe
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | quothavp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | quothavp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | orchic.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | orchic.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid | process
    3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe
    2340 | rundll32.exe
    2340 | rundll32.exe
- Themida packer matches (yara rule "themida")
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe | themida
    C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe | themida
    C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe | themida
    C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe | themida
    behavioral2/memory/4052-123-0x0000000000AB0000-0x000000000119A000-memory.dmp | themida
    behavioral2/memory/4052-124-0x0000000000AB0000-0x000000000119A000-memory.dmp | themida
    behavioral2/memory/4052-125-0x0000000000AB0000-0x000000000119A000-memory.dmp | themida
    behavioral2/memory/4052-126-0x0000000000AB0000-0x000000000119A000-memory.dmp | themida
    behavioral2/memory/988-127-0x0000000001320000-0x00000000019FE000-memory.dmp | themida
    behavioral2/memory/988-128-0x0000000001320000-0x00000000019FE000-memory.dmp | themida
    behavioral2/memory/988-130-0x0000000001320000-0x00000000019FE000-memory.dmp | themida
    behavioral2/memory/988-131-0x0000000001320000-0x00000000019FE000-memory.dmp | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
    behavioral2/memory/1832-142-0x00000000013B0000-0x0000000001A9A000-memory.dmp | themida
    behavioral2/memory/1832-140-0x00000000013B0000-0x0000000001A9A000-memory.dmp | themida
    behavioral2/memory/1832-143-0x00000000013B0000-0x0000000001A9A000-memory.dmp | themida
    behavioral2/memory/1832-144-0x00000000013B0000-0x0000000001A9A000-memory.dmp | themida
- Checks whether UAC is enabled
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | orchic.exe
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | quothavp.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTP)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    8 | ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  Processes:
    pid | process
    4052 | orchic.exe
    988 | quothavp.exe
    1832 | DpEditor.exe
- Drops file in Program Files directory (3 IoCs)
  Processes:
    description | ioc | process
    File created | C:\Program Files (x86)\foler\olader\acppage.dll | 6313fcca4988a89b15e1e68b7c9ee96e.exe
    File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 6313fcca4988a89b15e1e68b7c9ee96e.exe
    File created | C:\Program Files (x86)\foler\olader\acledit.dll | 6313fcca4988a89b15e1e68b7c9ee96e.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | quothavp.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | quothavp.exe
- Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings | quothavp.exe
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes:
    pid | process
    1832 | DpEditor.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid | process
    4052 | orchic.exe
    4052 | orchic.exe
    988 | quothavp.exe
    988 | quothavp.exe
    1832 | DpEditor.exe
    1832 | DpEditor.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes:
    description | pid | process | target process
    PID 3556 wrote to memory of 4052 | 3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe | orchic.exe
    PID 3556 wrote to memory of 4052 | 3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe | orchic.exe
    PID 3556 wrote to memory of 4052 | 3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe | orchic.exe
    PID 3556 wrote to memory of 988 | 3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe | quothavp.exe
    PID 3556 wrote to memory of 988 | 3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe | quothavp.exe
    PID 3556 wrote to memory of 988 | 3556 | 6313fcca4988a89b15e1e68b7c9ee96e.exe | quothavp.exe
    PID 988 wrote to memory of 2124 | 988 | quothavp.exe | qeysarbeam.exe
    PID 988 wrote to memory of 2124 | 988 | quothavp.exe | qeysarbeam.exe
    PID 988 wrote to memory of 2124 | 988 | quothavp.exe | qeysarbeam.exe
    PID 988 wrote to memory of 3736 | 988 | quothavp.exe | WScript.exe
    PID 988 wrote to memory of 3736 | 988 | quothavp.exe | WScript.exe
    PID 988 wrote to memory of 3736 | 988 | quothavp.exe | WScript.exe
    PID 4052 wrote to memory of 1832 | 4052 | orchic.exe | DpEditor.exe
    PID 4052 wrote to memory of 1832 | 4052 | orchic.exe | DpEditor.exe
    PID 4052 wrote to memory of 1832 | 4052 | orchic.exe | DpEditor.exe
    PID 988 wrote to memory of 1256 | 988 | quothavp.exe | WScript.exe
    PID 988 wrote to memory of 1256 | 988 | quothavp.exe | WScript.exe
    PID 988 wrote to memory of 1256 | 988 | quothavp.exe | WScript.exe
    PID 2124 wrote to memory of 2340 | 2124 | qeysarbeam.exe | rundll32.exe
    PID 2124 wrote to memory of 2340 | 2124 | qeysarbeam.exe | rundll32.exe
    PID 2124 wrote to memory of 2340 | 2124 | qeysarbeam.exe | rundll32.exe
Processes
Process tree (child processes are indented under their parent):

6313fcca4988a89b15e1e68b7c9ee96e.exe (PID 3556)
  Path: C:\Users\Admin\AppData\Local\Temp\6313fcca4988a89b15e1e68b7c9ee96e.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6313fcca4988a89b15e1e68b7c9ee96e.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

    orchic.exe (PID 4052)
      Path: C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\shovel\orchic.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        DpEditor.exe (PID 1832)
          Path: C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
          Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
          - Executes dropped EXE
          - Checks BIOS information in registry
          - Checks whether UAC is enabled
          - Suspicious use of NtSetInformationThreadHideFromDebugger
          - Suspicious behavior: AddClipboardFormatListener
          - Suspicious behavior: EnumeratesProcesses

    quothavp.exe (PID 988)
      Path: C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\shovel\quothavp.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

        qeysarbeam.exe (PID 2124)
          Path: C:\Users\Admin\AppData\Local\Temp\qeysarbeam.exe
          Command line: "C:\Users\Admin\AppData\Local\Temp\qeysarbeam.exe"
          - Executes dropped EXE
          - Suspicious use of WriteProcessMemory

            rundll32.exe (PID 2340)
              Path: C:\Windows\SysWOW64\rundll32.exe
              Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.DLL,s C:\Users\Admin\AppData\Local\Temp\QEYSAR~1.EXE
              - Loads dropped DLL

        WScript.exe (PID 3736)
          Path: C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ltudisaf.vbs"

        WScript.exe (PID 1256)
          Path: C:\Windows\SysWOW64\WScript.exe
          Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\yvomqnau.vbs"
          - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads