Analysis
- max time kernel: 147s
- max time network: 129s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 15-12-2021 11:08
- Static task: static1

General
- Target: c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe
- Size: 5.4MB
- MD5: 49f570914fa998c08360d461a5a3f03d
- SHA1: e0f2ba1960f68f7abbc70a12f4bc7a5a2b706389
- SHA256: c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b
- SHA512: e7da6b422d5f1a9edbd57ab6acf8bcf9916cd6f6e1cc0c3d39f51617c7bd4c3ecb03abf0898d0cd9055c4a14fae13b7f41962648bf2c5d06e953e98085b98d18
Malware Config
Extracted family: danabot
- C2: 142.11.244.223:443
- C2: 23.106.122.139:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures

Danabot Loader Component (2 IoCs)
Resource / YARA rule:
- C:\Users\Admin\AppData\Local\Temp\BDSCMF~1.DLL: DanabotLoader2021
- \Users\Admin\AppData\Local\Temp\BDSCMF~1.DLL: DanabotLoader2021
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)
Blocklisted process makes network request (1 IoC)
Flow / PID / process:
- flow 36, PID 908, WScript.exe
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
PID / process:
- 4044 oxgoad.exe
- 4036 palmusvp.exe
- 4392 bdscmfyep.exe
- 4476 DpEditor.exe
Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Description / IoC / process:
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (oxgoad.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (palmusvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (palmusvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (DpEditor.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (DpEditor.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (oxgoad.exe)
Loads dropped DLL (2 IoCs)
PID / process:
- 3704 c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe
- 1848 rundll32.exe
Themida packer
Resource / YARA rule (each file and memory region below was reported twice or more; duplicates collapsed):
- C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe: themida
- C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe: themida
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe: themida
- behavioral1/memory/4044 0x00000000009F0000-0x00000000010D3000 (memory dump): themida
- behavioral1/memory/4036 0x0000000000CB0000-0x0000000001388000 (memory dump): themida
- behavioral1/memory/4476 0x00000000003E0000-0x0000000000AC3000 (memory dump): themida
Checks whether UAC is enabled
Description / IoC / process:
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (oxgoad.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (palmusvp.exe)
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (DpEditor.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP)
Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Flow / IoC:
- flow 14: ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
PID / process:
- 4044 oxgoad.exe
- 4036 palmusvp.exe
- 4476 DpEditor.exe
Drops file in Program Files directory (3 IoCs)
Description / IoC / process (all by c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe):
- File created: C:\Program Files (x86)\foler\olader\adprovider.dll
- File created: C:\Program Files (x86)\foler\olader\acledit.dll
- File created: C:\Program Files (x86)\foler\olader\acppage.dll
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Description / IoC / process:
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (palmusvp.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (palmusvp.exe)
Modifies registry class (1 IoC)
Description / IoC / process:
- Key created: \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings (palmusvp.exe)
Suspicious behavior: AddClipboardFormatListener (1 IoC)
PID / process:
- 4476 DpEditor.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
PID / process (each reported twice):
- 4044 oxgoad.exe
- 4036 palmusvp.exe
- 4476 DpEditor.exe
Suspicious use of WriteProcessMemory (21 IoCs)
Source PID / process -> target PID / process (each pair reported three times):
- PID 3704 c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe wrote to memory of 4044 oxgoad.exe
- PID 3704 c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe wrote to memory of 4036 palmusvp.exe
- PID 4036 palmusvp.exe wrote to memory of 4392 bdscmfyep.exe
- PID 4036 palmusvp.exe wrote to memory of 736 WScript.exe
- PID 4044 oxgoad.exe wrote to memory of 4476 DpEditor.exe
- PID 4036 palmusvp.exe wrote to memory of 908 WScript.exe
- PID 4392 bdscmfyep.exe wrote to memory of 1848 rundll32.exe
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe (depth 1, PID 3704)
Command line: "C:\Users\Admin\AppData\Local\Temp\c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe (depth 2, PID 4044)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (depth 3, PID 4476)
        Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
        - Executes dropped EXE
        - Checks BIOS information in registry
        - Checks whether UAC is enabled
        - Suspicious use of NtSetInformationThreadHideFromDebugger
        - Suspicious behavior: AddClipboardFormatListener
        - Suspicious behavior: EnumeratesProcesses

    C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe (depth 2, PID 4036)
    Command line: "C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\bdscmfyep.exe (depth 3, PID 4392)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bdscmfyep.exe"
        - Executes dropped EXE
        - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\rundll32.exe (depth 4, PID 1848)
            Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BDSCMF~1.DLL,s C:\Users\Admin\AppData\Local\Temp\BDSCMF~1.EXE
            - Loads dropped DLL

        C:\Windows\SysWOW64\WScript.exe (depth 3, PID 736)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cwnaapuekwr.vbs"

        C:\Windows\SysWOW64\WScript.exe (depth 3, PID 908)
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\chaemvloarj.vbs"
        - Blocklisted process makes network request