Analysis
max time kernel: 149s
max time network: 122s
platform: windows10_x64
resource: win10-en-20211208
submitted: 21-12-2021 05:59
Static task: static1
General
Target: 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe
Size: 5.2MB
MD5: b9bf83d695f3e0fd56b2426663cf32ee
SHA1: a6c30924a3db06bf7a615fa2b3b9fab020077a12
SHA256: 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548
SHA512: 29397577e1897dc906439ce1d464178be86dd75bfefcd1bb6cbd38234fbf01c112be112efa23aa1039aab10b2d22492c0ed69be2a61942c06b3db482a07c5885
Malware Config
Extracted
family: danabot
version: 4
C2: 142.11.244.223:443
C2: 23.106.122.139:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures
Danabot Loader Component 2 IoCs
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\UJAETG~1.DLL | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\UJAETG~1.DLL | DanabotLoader2021
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
Blocklisted process makes network request 1 IoCs
Processes:
  flow | pid | process
  35 | 1236 | WScript.exe
Downloads MZ/PE file
Executes dropped EXE 4 IoCs
Processes:
  pid | process
  3064 | guffer.exe
  4024 | kadeinvp.exe
  4344 | ujaetgeoqe.exe
  3252 | DpEditor.exe
Checks BIOS information in registry 2 TTPs 6 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | guffer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | guffer.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | kadeinvp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | kadeinvp.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | DpEditor.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | DpEditor.exe
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe
  1568 | rundll32.exe
Themida packer
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe | themida
  C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe | themida
  behavioral1/memory/3064-121-0x0000000000150000-0x00000000007E1000-memory.dmp | themida
  behavioral1/memory/3064-122-0x0000000000150000-0x00000000007E1000-memory.dmp | themida
  behavioral1/memory/4024-123-0x0000000000210000-0x00000000008D8000-memory.dmp | themida
  behavioral1/memory/3064-124-0x0000000000150000-0x00000000007E1000-memory.dmp | themida
  behavioral1/memory/4024-125-0x0000000000210000-0x00000000008D8000-memory.dmp | themida
  behavioral1/memory/3064-126-0x0000000000150000-0x00000000007E1000-memory.dmp | themida
  behavioral1/memory/4024-127-0x0000000000210000-0x00000000008D8000-memory.dmp | themida
  behavioral1/memory/4024-128-0x0000000000210000-0x00000000008D8000-memory.dmp | themida
  C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe | themida
  behavioral1/memory/3252-139-0x0000000000D70000-0x0000000001401000-memory.dmp | themida
  behavioral1/memory/3252-140-0x0000000000D70000-0x0000000001401000-memory.dmp | themida
  behavioral1/memory/3252-141-0x0000000000D70000-0x0000000001401000-memory.dmp | themida
  behavioral1/memory/3252-142-0x0000000000D70000-0x0000000001401000-memory.dmp | themida
Checks whether UAC is enabled
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | guffer.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | kadeinvp.exe
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | DpEditor.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow | ioc
  9 | ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
  pid | process
  3064 | guffer.exe
  4024 | kadeinvp.exe
  3252 | DpEditor.exe
Drops file in Program Files directory 3 IoCs
Processes:
  description | ioc | process
  File created | C:\Program Files (x86)\foler\olader\adprovider.dll | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe
  File created | C:\Program Files (x86)\foler\olader\acledit.dll | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe
  File created | C:\Program Files (x86)\foler\olader\acppage.dll | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | kadeinvp.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | kadeinvp.exe
Modifies registry class 1 IoCs
Processes:
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-369956170-74428499-1628131376-1000_Classes\Local Settings | kadeinvp.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
  pid | process
  3252 | DpEditor.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid | process
  3064 | guffer.exe
  3064 | guffer.exe
  4024 | kadeinvp.exe
  4024 | kadeinvp.exe
  3252 | DpEditor.exe
  3252 | DpEditor.exe
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description | pid | process | target process
  PID 3616 wrote to memory of 3064 | 3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe | guffer.exe
  PID 3616 wrote to memory of 3064 | 3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe | guffer.exe
  PID 3616 wrote to memory of 3064 | 3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe | guffer.exe
  PID 3616 wrote to memory of 4024 | 3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe | kadeinvp.exe
  PID 3616 wrote to memory of 4024 | 3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe | kadeinvp.exe
  PID 3616 wrote to memory of 4024 | 3616 | 6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe | kadeinvp.exe
  PID 4024 wrote to memory of 4344 | 4024 | kadeinvp.exe | ujaetgeoqe.exe
  PID 4024 wrote to memory of 4344 | 4024 | kadeinvp.exe | ujaetgeoqe.exe
  PID 4024 wrote to memory of 4344 | 4024 | kadeinvp.exe | ujaetgeoqe.exe
  PID 4024 wrote to memory of 424 | 4024 | kadeinvp.exe | WScript.exe
  PID 4024 wrote to memory of 424 | 4024 | kadeinvp.exe | WScript.exe
  PID 4024 wrote to memory of 424 | 4024 | kadeinvp.exe | WScript.exe
  PID 3064 wrote to memory of 3252 | 3064 | guffer.exe | DpEditor.exe
  PID 3064 wrote to memory of 3252 | 3064 | guffer.exe | DpEditor.exe
  PID 3064 wrote to memory of 3252 | 3064 | guffer.exe | DpEditor.exe
  PID 4024 wrote to memory of 1236 | 4024 | kadeinvp.exe | WScript.exe
  PID 4024 wrote to memory of 1236 | 4024 | kadeinvp.exe | WScript.exe
  PID 4024 wrote to memory of 1236 | 4024 | kadeinvp.exe | WScript.exe
  PID 4344 wrote to memory of 1568 | 4344 | ujaetgeoqe.exe | rundll32.exe
  PID 4344 wrote to memory of 1568 | 4344 | ujaetgeoqe.exe | rundll32.exe
  PID 4344 wrote to memory of 1568 | 4344 | ujaetgeoqe.exe | rundll32.exe
Processes
(child processes are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6210e72d2957ad378fe12f0b32551c5df654ddb2405c3be5d19005637fa9a548.exe"
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kobong\guffer.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe
      Command line: "C:\Users\Admin\AppData\Roaming\NCH Software\DrawPad\DpEditor.exe"
      - Executes dropped EXE
      - Checks BIOS information in registry
      - Checks whether UAC is enabled
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: AddClipboardFormatListener
      - Suspicious behavior: EnumeratesProcesses
  C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\kobong\kadeinvp.exe"
    - Executes dropped EXE
    - Checks BIOS information in registry
    - Checks whether UAC is enabled
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\ujaetgeoqe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\ujaetgeoqe.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\UJAETG~1.DLL,s C:\Users\Admin\AppData\Local\Temp\UJAETG~1.EXE
        - Loads dropped DLL
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ehdohspktys.vbs"
    C:\Windows\SysWOW64\WScript.exe
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\lfvxvenolgl.vbs"
      - Blocklisted process makes network request
Downloads