Analysis
- max time kernel: 137s
- max time network: 138s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 01-01-2022 00:26
- Static task: static1
General
- Target: 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
- Size: 1.8MB
- MD5: cb22039f60d3a5edb829a1983ca19b96
- SHA1: f85c805b015cb885021436e406e14b6c936d1c26
- SHA256: 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86
- SHA512: c0787124e7131f54064cc8a9a1d9fbafdc1e92cd7ac15defcbb45492801d04d3fa9d4d1b8c0b7550500bc9b154b3b479e66bfa79a1425654ba8fc410c87bf08b
Malware Config
Extracted
- danabot
- 4
- 142.11.244.223:443
- 192.236.194.72:443
- embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
- type: loader
Signatures
- Danabot Loader Component (4 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL | DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\17B7E6~1.DLL | DanabotLoader2021
    \Users\Admin\AppData\Local\Temp\17B7E6~1.DLL | DanabotLoader2021
    behavioral1/memory/4412-122-0x0000000004350000-0x00000000045CC000-memory.dmp | DanabotLoader2021
- Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
  Processes:
    description | pid | process | target process
    PID 4416 created 3828 | 4416 | WerFault.exe | 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid | process
    4412 | rundll32.exe
    4412 | rundll32.exe
- Program crash (1 IoC)
  Processes:
    pid | pid_target | process | target process
    4416 | 3828 | WerFault.exe | 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
- Suspicious behavior: EnumeratesProcesses (12 IoCs)
  Processes:
    pid | process
    4416 | WerFault.exe (the same row is reported 12 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description | pid | process
    Token: SeRestorePrivilege | 4416 | WerFault.exe
    Token: SeBackupPrivilege | 4416 | WerFault.exe
    Token: SeDebugPrivilege | 4416 | WerFault.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description | pid | process | target process
    PID 3828 wrote to memory of 4412 | 3828 | 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe | rundll32.exe
    PID 3828 wrote to memory of 4412 | 3828 | 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe | rundll32.exe
    PID 3828 wrote to memory of 4412 | 3828 | 17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\17b7e69175169a06f1376ada53b70a77accbc30a5f7b3cec32e3fe8e9285eb86.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL,s C:\Users\Admin\AppData\Local\Temp\17B7E6~1.EXE
    - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3828 -s 576
    - Suspicious use of NtCreateProcessExOtherParentProcess
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\17B7E6~1.DLL
  MD5: 4d6fbcf6898688fb228f2f1262ed35a0
  SHA1: bdc4a5a8169f12b432ab5596e17c2772f975d7cf
  SHA256: c48af33b0db0104731dbc28027e99c66f25d35e9e6b161045e13149b538c99c1
  SHA512: 46a162d48233ef93b99adecb4b32235b6b5439a888868ba93b764b00f0d8de88d925363c0deb9321138d857ca7413c4294ea29b1e6159866fc2200b0ead07751
- \Users\Admin\AppData\Local\Temp\17B7E6~1.DLL
  MD5: 4d6fbcf6898688fb228f2f1262ed35a0
  SHA1: bdc4a5a8169f12b432ab5596e17c2772f975d7cf
  SHA256: c48af33b0db0104731dbc28027e99c66f25d35e9e6b161045e13149b538c99c1
  SHA512: 46a162d48233ef93b99adecb4b32235b6b5439a888868ba93b764b00f0d8de88d925363c0deb9321138d857ca7413c4294ea29b1e6159866fc2200b0ead07751
- \Users\Admin\AppData\Local\Temp\17B7E6~1.DLL
  MD5: 4d6fbcf6898688fb228f2f1262ed35a0
  SHA1: bdc4a5a8169f12b432ab5596e17c2772f975d7cf
  SHA256: c48af33b0db0104731dbc28027e99c66f25d35e9e6b161045e13149b538c99c1
  SHA512: 46a162d48233ef93b99adecb4b32235b6b5439a888868ba93b764b00f0d8de88d925363c0deb9321138d857ca7413c4294ea29b1e6159866fc2200b0ead07751
- memory/3828-115-0x0000000000A4D000-0x0000000000BDC000-memory.dmp
  Filesize: 1.6MB
- memory/3828-117-0x0000000000400000-0x00000000005E7000-memory.dmp
  Filesize: 1.9MB
- memory/3828-116-0x0000000000BE0000-0x0000000000D85000-memory.dmp
  Filesize: 1.6MB
- memory/4412-118-0x0000000000000000-mapping.dmp
- memory/4412-122-0x0000000004350000-0x00000000045CC000-memory.dmp
  Filesize: 2.5MB