Analysis

Max time kernel: 146s
Max time network: 127s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 15-12-2021 11:24

Static task: static1
Behavioral task: behavioral1
Sample: 49f570914fa998c08360d461a5a3f03d.exe
Resource: win7-en-20211208
General

Target: 49f570914fa998c08360d461a5a3f03d.exe
Size: 5.4MB
MD5: 49f570914fa998c08360d461a5a3f03d
SHA1: e0f2ba1960f68f7abbc70a12f4bc7a5a2b706389
SHA256: c9da5644a721e5cb83d8648f8b2c02323aba6154e80fc1f06d2d9659dceb5b8b
SHA512: e7da6b422d5f1a9edbd57ab6acf8bcf9916cd6f6e1cc0c3d39f51617c7bd4c3ecb03abf0898d0cd9055c4a14fae13b7f41962648bf2c5d06e953e98085b98d18
Malware Config

Extracted: danabot
C2: 142.11.244.223:443, 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures

Danabot Loader Component (4 IoCs)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\NMQYRX~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\NMQYRX~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\NMQYRX~1.DLL | DanabotLoader2021
  behavioral2/memory/1476-156-0x00000000009F0000-0x0000000000C6C000-memory.dmp | DanabotLoader2021

Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs)

Blocklisted process makes network request (1 IoC)
Processes:
  flow | pid | process
  32 | 3120 | WScript.exe

Downloads MZ/PE file

Executes dropped EXE (4 IoCs)
Processes:
  pid | process
  1560 | oxgoad.exe
  2852 | palmusvp.exe
  1536 | nmqyrxbtoqy.exe
  1724 | DpEditor.exe

Checks BIOS information in registry (2 TTPs, 6 IoCs)
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | oxgoad.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | oxgoad.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | palmusvp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | palmusvp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe

Loads dropped DLL (3 IoCs)
Processes:
  pid | process
  2028 | 49f570914fa998c08360d461a5a3f03d.exe
  1476 | rundll32.exe
  1476 | rundll32.exe

Yara rule match: themida
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe | themida
  C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe | themida
  C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe | themida
  C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe | themida
  behavioral2/memory/1560-122-0x0000000000810000-0x0000000000EF3000-memory.dmp | themida
  behavioral2/memory/2852-126-0x0000000000E00000-0x00000000014D8000-memory.dmp | themida
  behavioral2/memory/1560-124-0x0000000000810000-0x0000000000EF3000-memory.dmp | themida
  behavioral2/memory/2852-123-0x0000000000E00000-0x00000000014D8000-memory.dmp | themida
  behavioral2/memory/1560-128-0x0000000000810000-0x0000000000EF3000-memory.dmp | themida
  behavioral2/memory/2852-129-0x0000000000E00000-0x00000000014D8000-memory.dmp | themida
  behavioral2/memory/1560-130-0x0000000000810000-0x0000000000EF3000-memory.dmp | themida
  behavioral2/memory/2852-131-0x0000000000E00000-0x00000000014D8000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  behavioral2/memory/1724-142-0x0000000001120000-0x0000000001803000-memory.dmp | themida
  behavioral2/memory/1724-143-0x0000000001120000-0x0000000001803000-memory.dmp | themida
  behavioral2/memory/1724-144-0x0000000001120000-0x0000000001803000-memory.dmp | themida
  behavioral2/memory/1724-145-0x0000000001120000-0x0000000001803000-memory.dmp | themida

Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | oxgoad.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | palmusvp.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe

Legitimate hosting services abused for malware hosting/C2 (1 TTP)

Looks up external IP address via web service (1 IoC)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  10 | ip-api.com

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
Processes:
  pid | process
  1560 | oxgoad.exe
  2852 | palmusvp.exe
  1724 | DpEditor.exe

Drops file in Program Files directory (3 IoCs)
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\foler\olader\acledit.dll | 49f570914fa998c08360d461a5a3f03d.exe
  File created | C:\Program Files (x86)\foler\olader\acppage.dll | 49f570914fa998c08360d461a5a3f03d.exe
  File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 49f570914fa998c08360d461a5a3f03d.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | palmusvp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | palmusvp.exe

Modifies registry class (1 IoC)
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | palmusvp.exe

Suspicious behavior: AddClipboardFormatListener (1 IoC)
Processes:
  pid | process
  1724 | DpEditor.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  pid | process
  1560 | oxgoad.exe
  1560 | oxgoad.exe
  2852 | palmusvp.exe
  2852 | palmusvp.exe
  1724 | DpEditor.exe
  1724 | DpEditor.exe

Suspicious use of WriteProcessMemory (21 IoCs)
Processes:
  description | pid | process | target process
  PID 2028 wrote to memory of 1560 | 2028 | 49f570914fa998c08360d461a5a3f03d.exe | oxgoad.exe
  PID 2028 wrote to memory of 1560 | 2028 | 49f570914fa998c08360d461a5a3f03d.exe | oxgoad.exe
  PID 2028 wrote to memory of 1560 | 2028 | 49f570914fa998c08360d461a5a3f03d.exe | oxgoad.exe
  PID 2028 wrote to memory of 2852 | 2028 | 49f570914fa998c08360d461a5a3f03d.exe | palmusvp.exe
  PID 2028 wrote to memory of 2852 | 2028 | 49f570914fa998c08360d461a5a3f03d.exe | palmusvp.exe
  PID 2028 wrote to memory of 2852 | 2028 | 49f570914fa998c08360d461a5a3f03d.exe | palmusvp.exe
  PID 2852 wrote to memory of 1536 | 2852 | palmusvp.exe | nmqyrxbtoqy.exe
  PID 2852 wrote to memory of 1536 | 2852 | palmusvp.exe | nmqyrxbtoqy.exe
  PID 2852 wrote to memory of 1536 | 2852 | palmusvp.exe | nmqyrxbtoqy.exe
  PID 2852 wrote to memory of 3036 | 2852 | palmusvp.exe | WScript.exe
  PID 2852 wrote to memory of 3036 | 2852 | palmusvp.exe | WScript.exe
  PID 2852 wrote to memory of 3036 | 2852 | palmusvp.exe | WScript.exe
  PID 1560 wrote to memory of 1724 | 1560 | oxgoad.exe | DpEditor.exe
  PID 1560 wrote to memory of 1724 | 1560 | oxgoad.exe | DpEditor.exe
  PID 1560 wrote to memory of 1724 | 1560 | oxgoad.exe | DpEditor.exe
  PID 2852 wrote to memory of 3120 | 2852 | palmusvp.exe | WScript.exe
  PID 2852 wrote to memory of 3120 | 2852 | palmusvp.exe | WScript.exe
  PID 2852 wrote to memory of 3120 | 2852 | palmusvp.exe | WScript.exe
  PID 1536 wrote to memory of 1476 | 1536 | nmqyrxbtoqy.exe | rundll32.exe
  PID 1536 wrote to memory of 1476 | 1536 | nmqyrxbtoqy.exe | rundll32.exe
  PID 1536 wrote to memory of 1476 | 1536 | nmqyrxbtoqy.exe | rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\49f570914fa998c08360d461a5a3f03d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\49f570914fa998c08360d461a5a3f03d.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kulmet\oxgoad.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses

  C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kulmet\palmusvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\nmqyrxbtoqy.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\nmqyrxbtoqy.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\NMQYRX~1.DLL,s C:\Users\Admin\AppData\Local\Temp\NMQYRX~1.EXE
        - Loads dropped DLL

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\bxtcadumf.vbs"

    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\asmrhyjvewy.vbs"
      - Blocklisted process makes network request
Downloads