Analysis
max time kernel: 140s
max time network: 139s
platform: windows10_x64
resource: win10-en-20211208
submitted: 02-01-2022 01:55
Static task: static1
Behavioral task: behavioral1
Sample: 8e33169905bd13e9036657eb3146d2ec.exe
Resource: win7-en-20211208
General
Target: 8e33169905bd13e9036657eb3146d2ec.exe
Size: 1.8MB
MD5: 8e33169905bd13e9036657eb3146d2ec
SHA1: e4626a48869d18ad4ad4a20edd7a60fa961dc0a1
SHA256: 8d72a6f7a3815a3c786aa596cb7b2ba0a5253228343c154e9a32e9ab690cba33
SHA512: 308cad35cdf485f90ff20fb8f4d831cad48328351e30aa6e274ddcb2ceabeb5dc6432fa44d1f8dd77709d9bd3e93edb70c69f9f12fefcb80fe82ad3a080e53b7
Malware Config
Extracted: danabot
4
142.11.244.223:443
192.236.194.72:443
embedded_hash: 0FA95F120D6EB149A5D48E36BC76879D
type: loader
Signatures

Danabot Loader Component (2 IoCs)
Processes:
  resource                                          yara_rule
  C:\Users\Admin\AppData\Local\Temp\8E3316~1.DLL    DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\8E3316~1.DLL      DanabotLoader2021

Suspicious use of NtCreateProcessExOtherParentProcess (1 IoC)
Processes: WerFault.exe
  description              pid   process       target process
  PID 1424 created 2480    1424  WerFault.exe  8e33169905bd13e9036657eb3146d2ec.exe

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
  pid   process
  3404  rundll32.exe

Program crash (1 IoC)
Processes: WerFault.exe
  pid   pid_target  process       target process
  1424  2480        WerFault.exe  8e33169905bd13e9036657eb3146d2ec.exe

Suspicious behavior: EnumeratesProcesses (12 IoCs)
Processes: WerFault.exe
  pid   process
  1424  WerFault.exe   (the same entry is reported 12 times)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: WerFault.exe
  description                 pid   process
  Token: SeRestorePrivilege   1424  WerFault.exe
  Token: SeBackupPrivilege    1424  WerFault.exe
  Token: SeDebugPrivilege     1424  WerFault.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 8e33169905bd13e9036657eb3146d2ec.exe
  description                        pid   process                               target process
  PID 2480 wrote to memory of 3404   2480  8e33169905bd13e9036657eb3146d2ec.exe  rundll32.exe
  (the same entry is reported 3 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\8e33169905bd13e9036657eb3146d2ec.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\8e33169905bd13e9036657eb3146d2ec.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8E3316~1.DLL,s C:\Users\Admin\AppData\Local\Temp\8E3316~1.EXE
      - Loads dropped DLL

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2480 -s 544
      - Suspicious use of NtCreateProcessExOtherParentProcess
      - Program crash
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
  MD5: 0508ba0d5d0eed169c59586fe5ec322c
  SHA1: 281cfd33ee791f87b2e216d50273d39a3e80a5c1
  SHA256: 79fe98410f0a3d66fa9d6622f9e58ec93d3777dbc73ef9de91cc2e790fb07a64
  SHA512: 3853d13d72bd262591a68286576dec76b78d7aaa6c3311fd09e8339cc182a1e1c7bbddd6ddbc3ee250ab17e48f149540089b111a70f118cb16c77d99179d0557

\Users\Admin\AppData\Local\Temp\8E3316~1.DLL
  MD5: 0508ba0d5d0eed169c59586fe5ec322c
  SHA1: 281cfd33ee791f87b2e216d50273d39a3e80a5c1
  SHA256: 79fe98410f0a3d66fa9d6622f9e58ec93d3777dbc73ef9de91cc2e790fb07a64
  SHA512: 3853d13d72bd262591a68286576dec76b78d7aaa6c3311fd09e8339cc182a1e1c7bbddd6ddbc3ee250ab17e48f149540089b111a70f118cb16c77d99179d0557

memory/2480-115-0x0000000000B4F000-0x0000000000CDE000-memory.dmp
  Filesize: 1.6MB

memory/2480-116-0x0000000000CE0000-0x0000000000E85000-memory.dmp
  Filesize: 1.6MB

memory/2480-117-0x0000000000400000-0x00000000005EA000-memory.dmp
  Filesize: 1.9MB

memory/3404-118-0x0000000000000000-mapping.dmp