Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
06-01-2022 13:19
Behavioral task
behavioral1
Sample
dana2_main_module.dll
Resource
win7-en-20211208
General
-
Target
dana2_main_module.dll
-
Size
14.9MB
-
MD5
ccc1cb042ebb862832cc9f593c83a840
-
SHA1
ffdb2747bbfca03ea0b469a11926957f79a6fe18
-
SHA256
4fa6dcec96075d9e5a69d728d69b1e32fd59be3598742221a3704505fc073935
-
SHA512
4ddeed3a27ecb84905f79281bb2c27089351bc09266090acfaa0082eefdaeabcb95eb0657d824b9da4ce9787679c123107b92ad1007ca3c5def132468e37d4e2
Malware Config
Extracted
danabot
2108
4
142.11.244.223:443
192.236.194.72:443
192.119.110.4:443
-
embedded_hash
8357B947FCA843DB2D85EC29EDCDEF3C
-
type
main
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 2 564 RUNDLL32.EXE -
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in System32 directory 3 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat RUNDLL32.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\pkcs11.txt rundll32.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\cert9.db rundll32.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 1776 set thread context of 1380 1776 RUNDLL32.EXE 32 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\41E954AF471573FEF7C10A11CDAC5B51E19618E4 RUNDLL32.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\41E954AF471573FEF7C10A11CDAC5B51E19618E4\Blob = 03000000010000001400000041e954af471573fef7c10a11cdac5b51e19618e420000000010000007a02000030820276308201dfa0030201020208501ccca323eb3a76300d06092a864886f70d01010b050030613120301e06035504030c17446967694365727420476c6f62616c2052706f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b3009060355040613025553301e170d3230303130373133313932355a170d3234303130363133313932355a30613120301e06035504030c17446967694365727420476c6f62616c2052706f7420434131193017060355040b0c107777772e64696769636572742e636f6d31153013060355040a0c0c446967694365727420496e63310b300906035504061302555330819f300d06092a864886f70d010101050003818d0030818902818100d9545a139aaf3d0c9a3524c69588524079ea7af53b1d0cd722634d7ea27dc5b4c6ba6f3416c8e058469458772805fb39383efc13fd8929c1f1ee8c4fbba3e737de838046a835117a03683eb4e5893ae5ba87e2e9b40e168de915fba8716ba5f570c0404e4b4d36ef09437ca40baed1136a33007dd05d6689822f5e2444779be90203010001a3373035300f0603551d130101ff040530030101ff30220603551d11041b30198217446967694365727420476c6f62616c2052706f74204341300d06092a864886f70d01010b050003818100c275d1a7acd2d7b82fa746556b054759cf51d9b855e0e0ce7158461adf2874e37a586fe2011de3629f018cdae6ba6c9d2ab8998ef2bd8efa15340facf3a4d4fcc2d0ce22892f886024e6961dd6d3cdf26c8c4bf8d3b9858334bfa1d9f09aa251d067b4d87eab97aaf5d268baf49fd106d89504800ee2254bf1af9287473b048f RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
pid Process 564 RUNDLL32.EXE 564 RUNDLL32.EXE 564 RUNDLL32.EXE 564 RUNDLL32.EXE 520 svchost.exe 1776 RUNDLL32.EXE 520 svchost.exe 520 svchost.exe 520 svchost.exe 520 svchost.exe 520 svchost.exe 520 svchost.exe 520 svchost.exe 520 svchost.exe 520 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 564 RUNDLL32.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 1380 rundll32.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 600 wrote to memory of 944 600 rundll32.exe 27 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 520 wrote to memory of 564 520 svchost.exe 29 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 564 wrote to memory of 1776 564 RUNDLL32.EXE 31 PID 1776 wrote to memory of 1380 1776 RUNDLL32.EXE 32 PID 1776 wrote to memory of 1380 1776 RUNDLL32.EXE 32 PID 1776 wrote to memory of 1380 1776 RUNDLL32.EXE 32 PID 1776 wrote to memory of 1380 1776 RUNDLL32.EXE 32 PID 1776 wrote to memory of 1380 1776 RUNDLL32.EXE 32 PID 1380 wrote to memory of 2028 1380 rundll32.exe 33 PID 1380 wrote to memory of 2028 1380 rundll32.exe 33 PID 1380 wrote to memory of 2028 1380 rundll32.exe 33
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dana2_main_module.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:600 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dana2_main_module.dll,#12⤵
- Checks processor information in registry
PID:944
-
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:520 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\dana2_main_module.dll,hmAmT0FwUg==2⤵
- Blocklisted process makes network request
- Drops file in System32 directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:564 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\dana2_main_module.dll,lWIyTDhqNw==3⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1776 -
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 72954⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1380 -
C:\Windows\system32\ctfmon.exectfmon.exe5⤵PID:2028
-
-
-
-