Analysis
- max time kernel: 119s
- max time network: 119s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 20-12-2021 04:56
Static task: static1
Behavioral task: behavioral1
Sample: 6851ee86ef723624b9d8bb881188b745.exe
Resource: win7-en-20211208
General
- Target: 6851ee86ef723624b9d8bb881188b745.exe
- Size: 5.4MB
- MD5: 6851ee86ef723624b9d8bb881188b745
- SHA1: bd1354f4b1679b4b5aa79bb3af38d3e041ebd24c
- SHA256: 0ffb06b7e5f65c17f974e200c9acf13e2acc3bb2c2f5dc9b17f14018cf0f47c7
- SHA512: 24ca73eb150904362a14577bbbd88f585412f1b1e660631ae7614d80d0dbea58d877548d8f816e56d76933bdc8af734051183624e728b2653a59713f7e75c7fa
Malware Config
Extracted
- Family: danabot
- Version: 4
- C2: 142.11.244.223:443, 23.106.122.139:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures
- Danabot Loader Component 4 IoCs
  Processes (resource -> yara_rule):
    C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL -> DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL -> DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL -> DanabotLoader2021
    behavioral2/memory/1596-156-0x0000000003FD0000-0x000000000424F000-memory.dmp -> DanabotLoader2021
- Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
- Blocklisted process makes network request 1 IoCs
  Processes (flow, pid, process):
    33, 700, WScript.exe
- Downloads MZ/PE file
- Executes dropped EXE 4 IoCs
  Processes (pid, process):
    2676 edenic.exe
    3512 godwitvp.exe
    868 axuvyyghc.exe
    3160 DpEditor.exe
- Checks BIOS information in registry 2 TTPs 6 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion edenic.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion edenic.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion godwitvp.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion godwitvp.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion DpEditor.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion DpEditor.exe
- Loads dropped DLL 3 IoCs
  Processes (pid, process):
    2360 6851ee86ef723624b9d8bb881188b745.exe
    1596 rundll32.exe
    1596 rundll32.exe
- Themida packer (yara rule: themida)
  Processes (resource -> yara_rule):
    C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe -> themida (x2)
    C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe -> themida (x2)
    behavioral2/memory/2676-122-0x0000000001120000-0x000000000180B000-memory.dmp -> themida
    behavioral2/memory/2676-123-0x0000000001120000-0x000000000180B000-memory.dmp -> themida
    behavioral2/memory/2676-124-0x0000000001120000-0x000000000180B000-memory.dmp -> themida
    behavioral2/memory/2676-125-0x0000000001120000-0x000000000180B000-memory.dmp -> themida
    behavioral2/memory/3512-127-0x00000000003F0000-0x0000000000ABD000-memory.dmp -> themida
    behavioral2/memory/3512-129-0x00000000003F0000-0x0000000000ABD000-memory.dmp -> themida
    behavioral2/memory/3512-130-0x00000000003F0000-0x0000000000ABD000-memory.dmp -> themida
    behavioral2/memory/3512-131-0x00000000003F0000-0x0000000000ABD000-memory.dmp -> themida
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe -> themida (x2)
    behavioral2/memory/3160-140-0x0000000000EF0000-0x00000000015DB000-memory.dmp -> themida
    behavioral2/memory/3160-141-0x0000000000EF0000-0x00000000015DB000-memory.dmp -> themida
    behavioral2/memory/3160-142-0x0000000000EF0000-0x00000000015DB000-memory.dmp -> themida
    behavioral2/memory/3160-143-0x0000000000EF0000-0x00000000015DB000-memory.dmp -> themida
- Checks whether UAC is enabled 3 IoCs
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA godwitvp.exe
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA DpEditor.exe
    Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA edenic.exe
- Legitimate hosting services abused for malware hosting/C2 1 TTPs
- Looks up external IP address via web service 1 IoCs
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow, ioc):
    8 ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  Processes (pid, process):
    2676 edenic.exe
    3512 godwitvp.exe
    3160 DpEditor.exe
- Drops file in Program Files directory 3 IoCs
  Processes (description, ioc, process):
    File created C:\Program Files (x86)\foler\olader\acledit.dll 6851ee86ef723624b9d8bb881188b745.exe
    File created C:\Program Files (x86)\foler\olader\acppage.dll 6851ee86ef723624b9d8bb881188b745.exe
    File created C:\Program Files (x86)\foler\olader\adprovider.dll 6851ee86ef723624b9d8bb881188b745.exe
- Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry 2 TTPs 2 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes (description, ioc, process):
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString godwitvp.exe
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 godwitvp.exe
- Modifies registry class 1 IoCs
  Processes (description, ioc, process):
    Key created \REGISTRY\USER\S-1-5-21-2361464256-2201551969-2316606395-1000_Classes\Local Settings godwitvp.exe
- Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes (pid, process):
    3160 DpEditor.exe
- Suspicious behavior: EnumeratesProcesses 6 IoCs
  Processes (pid, process):
    2676 edenic.exe (x2)
    3512 godwitvp.exe (x2)
    3160 DpEditor.exe (x2)
- Suspicious use of WriteProcessMemory 21 IoCs
  Processes (description, pid, process -> target process):
    PID 2360 wrote to memory of 2676: 6851ee86ef723624b9d8bb881188b745.exe -> edenic.exe (x3)
    PID 2360 wrote to memory of 3512: 6851ee86ef723624b9d8bb881188b745.exe -> godwitvp.exe (x3)
    PID 3512 wrote to memory of 868: godwitvp.exe -> axuvyyghc.exe (x3)
    PID 3512 wrote to memory of 3644: godwitvp.exe -> WScript.exe (x3)
    PID 2676 wrote to memory of 3160: edenic.exe -> DpEditor.exe (x3)
    PID 3512 wrote to memory of 700: godwitvp.exe -> WScript.exe (x3)
    PID 868 wrote to memory of 1596: axuvyyghc.exe -> rundll32.exe (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\6851ee86ef723624b9d8bb881188b745.exe (depth 1, PID 2360)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6851ee86ef723624b9d8bb881188b745.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe (depth 2, PID 2676)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe (depth 3, PID 3160)
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  - C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe (depth 2, PID 3512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe (depth 3, PID 868)
      Command line: "C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\rundll32.exe (depth 4, PID 1596)
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL,s C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.EXE
        - Loads dropped DLL
    - C:\Windows\SysWOW64\WScript.exe (depth 3, PID 3644)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\obyalovbt.vbs"
    - C:\Windows\SysWOW64\WScript.exe (depth 3, PID 700)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lfjfjmhdli.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Enterprise v6
Downloads
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\103621DE9CD5414CC2538780B4B75751
  MD5: 54e9306f95f32e50ccd58af19753d929
  SHA1: eab9457321f34d4dcf7d4a0ac83edc9131bf7c57
  SHA256: 45f94dceb18a8f738a26da09ce4558995a4fe02b971882e8116fc9b59813bb72
  SHA512: 8711a4d866f21cdf4d4e6131ec4cfaf6821d0d22b90946be8b5a09ab868af0270a89bc326f03b858f0361a83c11a1531b894dfd1945e4812ba429a7558791f4f
- C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\103621DE9CD5414CC2538780B4B75751
  MD5: d6ee9b2a32047b5ed8001017f0eb38fe
  SHA1: ec9e6ff0e043233291ff3e876c8f10ff105297ce
  SHA256: 3cc4a17af573bbd1257f1ec1f19246e686027ceb82ccc7c9848cf531cb6ae9bf
  SHA512: 2960bf1aaf60f568d0e022c3de191935164ad9e40caa6579cccca575c6e45f60d999c50dc7d887003b9e71e0f3785013d00ec498a2de56521725485c38e72792
- C:\Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL
  MD5: 953511e25c13dd42164eee581b8d22d1
  SHA1: 7cc3835aba8bffeefc2a3543771f612b9df10a45
  SHA256: 265ec090b8e7ff8f265a4c6408913bd0e26cda3d24a281a0fdf5e15573da4997
  SHA512: 9547135071da205cb5e06db6cfea0ef3d36c685bedded98718ad564bfa4d980159fb808fecf919037bde2a98ea466981d9992e4ccbafe3df1b5309d26a7810d9
- C:\Users\Admin\AppData\Local\Temp\axuvyyghc.exe
  MD5: 5e6f48e80a2bb43b29d4745359f8b604
  SHA1: ad02a52026dc381b1993aa127ae245fe6fba639e
  SHA256: af6d253636a1e3bc1da6d81a834a5fa234e451ef55b7d880a750714333eeaa7a
  SHA512: 9aa50e13247a5135c365a311a3a186f77681eb7fb5324b5c0d0495b6da84da91d79a458d33fbf4dc92c00d6718b9a5f5d3717e25ed71f650cc1501064fc39a0e
- C:\Users\Admin\AppData\Local\Temp\gustus\edenic.exe
  MD5: c9bdb6ed5eb6da1c74b956937bbd31b4
  SHA1: a9c6389196fa0c28b91b1802758981feee113031
  SHA256: 31eb4eec08c93c2770affd600e010182855e63322fba278afede89816faff6aa
  SHA512: 496657b02941e8548c397f9b59eeaa2671fa7921ac052d1b336147b881975bc47861da7a6c16c3a53e759704300cd66ce31ae1a3b286875bf5e563aa9a697295
- C:\Users\Admin\AppData\Local\Temp\gustus\godwitvp.exe
  MD5: adca6cddf728ac19287c8da0690ce78e
  SHA1: 3bc43b39ac78d1edebf83ae6a95108b95acdb439
  SHA256: 7aaf99f9ad42337851b40596faf2241ae2957048c2862aad402320312536c6d7
  SHA512: 81dcd61505a0ced122e7b0ca12dd3520a475025643c8ca109edfd13fd017740c7ad32f854c87ea87c3eabadc780c3c4b041b247888aa7f22ffd5714be4051140
- C:\Users\Admin\AppData\Local\Temp\lfjfjmhdli.vbs
  MD5: eccde4d25a51e6987ac7be0773723f5e
  SHA1: 0c5d2c21e7cf9e4b65bd67f3331e5558344a303b
  SHA256: 945054a9a4e76f433afe0eafdd4c5e9065e0e6ccc763486c7b3730316a934506
  SHA512: 81a623e3d04cb7e34c29372be55bee978ee8f67ee1898f7563f2190792a54b655b294f62e4b229ad15e36098e310c95606e592075887855692b75f942cddff80
- C:\Users\Admin\AppData\Local\Temp\obyalovbt.vbs
  MD5: 82764bbf6e25db800dfcc3c1c3cca247
  SHA1: 46ac0a63852ca7f1864f3463eff5b68f52b1fe19
  SHA256: b088bb35b016f896803d933190ffc614e61e5b512e1a294a0b33d3af3d286e4b
  SHA512: cc9bea32fd3864fc55ef35de0b8498315da0353b76569756c4dcafa5c53a99bd51dbe8d61d4ea06e55793a58298707bac70fef2d89dc5988ae3134f4a0a05414
- C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
  MD5: c9bdb6ed5eb6da1c74b956937bbd31b4
  SHA1: a9c6389196fa0c28b91b1802758981feee113031
  SHA256: 31eb4eec08c93c2770affd600e010182855e63322fba278afede89816faff6aa
  SHA512: 496657b02941e8548c397f9b59eeaa2671fa7921ac052d1b336147b881975bc47861da7a6c16c3a53e759704300cd66ce31ae1a3b286875bf5e563aa9a697295
- \Users\Admin\AppData\Local\Temp\AXUVYY~1.DLL
  MD5: 953511e25c13dd42164eee581b8d22d1
  SHA1: 7cc3835aba8bffeefc2a3543771f612b9df10a45
  SHA256: 265ec090b8e7ff8f265a4c6408913bd0e26cda3d24a281a0fdf5e15573da4997
  SHA512: 9547135071da205cb5e06db6cfea0ef3d36c685bedded98718ad564bfa4d980159fb808fecf919037bde2a98ea466981d9992e4ccbafe3df1b5309d26a7810d9
- \Users\Admin\AppData\Local\Temp\nszCEFA.tmp\UAC.dll
  MD5: adb29e6b186daa765dc750128649b63d
  SHA1: 160cbdc4cb0ac2c142d361df138c537aa7e708c9
  SHA256: 2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08
  SHA512: b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada
- memory/700-148-0x0000000000000000-mapping.dmp
- memory/868-147-0x0000000000400000-0x0000000000653000-memory.dmp (Filesize 2.3MB)
- memory/868-132-0x0000000000000000-mapping.dmp
- memory/868-146-0x0000000002430000-0x00000000025D6000-memory.dmp (Filesize 1.6MB)
- memory/868-145-0x0000000002298000-0x0000000002428000-memory.dmp (Filesize 1.6MB)
- memory/1596-152-0x0000000000000000-mapping.dmp
- memory/1596-156-0x0000000003FD0000-0x000000000424F000-memory.dmp (Filesize 2.5MB)
- memory/2676-125-0x0000000001120000-0x000000000180B000-memory.dmp (Filesize 6.9MB)
- memory/2676-126-0x0000000077930000-0x0000000077ABE000-memory.dmp (Filesize 1.6MB)
- memory/2676-116-0x0000000000000000-mapping.dmp
- memory/2676-122-0x0000000001120000-0x000000000180B000-memory.dmp (Filesize 6.9MB)
- memory/2676-123-0x0000000001120000-0x000000000180B000-memory.dmp (Filesize 6.9MB)
- memory/2676-124-0x0000000001120000-0x000000000180B000-memory.dmp (Filesize 6.9MB)
- memory/3160-140-0x0000000000EF0000-0x00000000015DB000-memory.dmp (Filesize 6.9MB)
- memory/3160-141-0x0000000000EF0000-0x00000000015DB000-memory.dmp (Filesize 6.9MB)
- memory/3160-142-0x0000000000EF0000-0x00000000015DB000-memory.dmp (Filesize 6.9MB)
- memory/3160-143-0x0000000000EF0000-0x00000000015DB000-memory.dmp (Filesize 6.9MB)
- memory/3160-144-0x0000000077930000-0x0000000077ABE000-memory.dmp (Filesize 1.6MB)
- memory/3160-137-0x0000000000000000-mapping.dmp
- memory/3512-130-0x00000000003F0000-0x0000000000ABD000-memory.dmp (Filesize 6.8MB)
- memory/3512-127-0x00000000003F0000-0x0000000000ABD000-memory.dmp (Filesize 6.8MB)
- memory/3512-128-0x0000000077930000-0x0000000077ABE000-memory.dmp (Filesize 1.6MB)
- memory/3512-129-0x00000000003F0000-0x0000000000ABD000-memory.dmp (Filesize 6.8MB)
- memory/3512-131-0x00000000003F0000-0x0000000000ABD000-memory.dmp (Filesize 6.8MB)
- memory/3512-119-0x0000000000000000-mapping.dmp
- memory/3644-135-0x0000000000000000-mapping.dmp