Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 30-12-2021 00:22
Static task: static1

General
- Target: ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe
- Size: 1.8MB
- MD5: cd8efee431f89a137c6342618280431f
- SHA1: d1ab5e7e235361b99c42dddfb4a82d808530197a
- SHA256: ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853
- SHA512: d3caa40e13b029cec3de30ac9814fb376c4fa8e05b3c4ca6533445cdb5e8f8edc500587fd9a6ba4f1860b3a28b05aba70c8361593d579df3c935cb5efea6dcd1
Malware Config
Extracted: danabot
- 4
- 142.11.244.223:443
- 192.236.194.72:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures

- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes (description | pid | process | target process):
  PID 1532 created 2132 | 1532 | WerFault.exe | ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe

- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  3420 | rundll32.exe

- Program crash (1 IoC)
  Processes (pid | pid_target | process | target process):
  1532 | 2132 | WerFault.exe | ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe

- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes (pid | process):
  1532 | WerFault.exe (12 identical entries)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes (description | pid | process):
  Token: SeRestorePrivilege | 1532 | WerFault.exe
  Token: SeBackupPrivilege | 1532 | WerFault.exe
  Token: SeDebugPrivilege | 1532 | WerFault.exe

- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes (description | pid | process | target process):
  PID 2132 wrote to memory of 3420 | 2132 | ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe | rundll32.exe
  PID 2132 wrote to memory of 3420 | 2132 | ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe | rundll32.exe
  PID 2132 wrote to memory of 3420 | 2132 | ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe | rundll32.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ab5e684ec147b4984cee1c4fdd7228ebc35ebe00b55cfed6170a9a158da40853.exe"
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\AB5E68~1.DLL,s C:\Users\Admin\AppData\Local\Temp\AB5E68~1.EXE
    - Loads dropped DLL

  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2132 -s 576
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

- C:\Users\Admin\AppData\Local\Temp\AB5E68~1.DLL
  MD5: 9b1c0303078b2545b3f5387527d25f5e
  SHA1: 8fe0ac0417dca01f0156b70f4dc25adb508e31d5
  SHA256: 8d9c7c90e14eaeb49389f2faf69f9225c1d5139b3b03e32d622237f5b96dd34c
  SHA512: 1028f5f383e29090244714e0874c3a11c69674e7352ca2b8073eea807ad85802becf68ddc2096416cf68fc8d6654c9cb2a3b52d7035a8173b54964525d563ed0

- \Users\Admin\AppData\Local\Temp\AB5E68~1.DLL
  MD5: 9b1c0303078b2545b3f5387527d25f5e
  SHA1: 8fe0ac0417dca01f0156b70f4dc25adb508e31d5
  SHA256: 8d9c7c90e14eaeb49389f2faf69f9225c1d5139b3b03e32d622237f5b96dd34c
  SHA512: 1028f5f383e29090244714e0874c3a11c69674e7352ca2b8073eea807ad85802becf68ddc2096416cf68fc8d6654c9cb2a3b52d7035a8173b54964525d563ed0

- memory/2132-115-0x0000000001250000-0x00000000013DF000-memory.dmp
  Filesize: 1.6MB

- memory/2132-116-0x00000000013E0000-0x0000000001585000-memory.dmp
  Filesize: 1.6MB

- memory/2132-117-0x0000000000400000-0x0000000000D9A000-memory.dmp
  Filesize: 9.6MB

- memory/3420-118-0x0000000000000000-mapping.dmp