Analysis
- max time kernel: 151s
- max time network: 143s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-01-2022 15:38

Static task: static1
Behavioral task: behavioral1
Sample: 61dae93d780db_Sun139.exe
Resource: win7-en-20211208
General
- Target: 61dae93d780db_Sun139.exe
- Size: 293KB
- MD5: c817d8a9ea3ed03f247e2f0a000a675a
- SHA1: 4194929b5a02524e1e24179014fa13e95a93ee1a
- SHA256: ca8990349224f84d04c36c55bf71b11376e8c9008909680bcc63519b3f1c1439
- SHA512: 08369b4303d481e42a7923fcf7606fef1379060fd65ecd0e224af48f396370e58421e9247471327f44e27166479c0944a57d37312888d42f532bbd661378a618
Malware Config

Extracted: smokeloader
- Version: 2020
- C2:
  - http://nahbleiben.at/upload/
  - http://noblecreativeaz.com/upload/
  - http://tvqaq.cn/upload/
  - http://recmaster.ru/upload/
  - http://sovels.ru/upload/

Extracted: danabot
- Version: 4
- C2:
  - 192.119.110.4:443
  - 103.175.16.113:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures

- Danabot Loader Component (6 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\F597.exe.dll | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\F597.exe.dll | DanabotLoader2021
  C:\Users\Admin\AppData\Local\Temp\23FB.exe.dll | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\23FB.exe.dll | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\23FB.exe.dll | DanabotLoader2021
  behavioral2/memory/596-142-0x00000000040C0000-0x000000000420E000-memory.dmp | DanabotLoader2021

- SmokeLoader
  Modular backdoor trojan in use since 2014.

- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile
- suricata: ET MALWARE Terse alphanumeric executable downloader high likelihood of being hostile

- Downloads MZ/PE file

- Executes dropped EXE (3 IoCs)
  Processes:
  pid | process
  1488 | wjtrcac
  2832 | F597.exe
  1500 | 23FB.exe

- Deletes itself (1 IoC)
  Processes:
  pid | process
  3036 | (not recorded)

- Loads dropped DLL (3 IoCs)
  Processes:
  pid | process
  604 | rundll32.exe
  596 | rundll32.exe
  596 | rundll32.exe

- Checks SCSI registry key(s) (3 TTPs, 6 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 61dae93d780db_Sun139.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 61dae93d780db_Sun139.exe
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | 61dae93d780db_Sun139.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wjtrcac
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wjtrcac
  Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | wjtrcac

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes:
  pid | process
  2652 | 61dae93d780db_Sun139.exe (2 entries)
  3036 | (not recorded) (62 entries)

- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
  pid | process
  3036 | (not recorded)

- Suspicious behavior: MapViewOfSection (2 IoCs)
  Processes:
  pid | process
  2652 | 61dae93d780db_Sun139.exe
  1488 | wjtrcac

- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 3036 wrote to memory of 2832 | 3036 | (not recorded) | F597.exe (3 entries)
  PID 3036 wrote to memory of 1500 | 3036 | (not recorded) | 23FB.exe (3 entries)
  PID 2832 wrote to memory of 604 | 2832 | F597.exe | rundll32.exe (3 entries)
  PID 1500 wrote to memory of 596 | 1500 | 23FB.exe | rundll32.exe (3 entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\61dae93d780db_Sun139.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\61dae93d780db_Sun139.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection

- C:\Users\Admin\AppData\Roaming\wjtrcac
  Command line: C:\Users\Admin\AppData\Roaming\wjtrcac
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection

- C:\Users\Admin\AppData\Local\Temp\F597.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\F597.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (child of F597.exe)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F597.exe.dll,z C:\Users\Admin\AppData\Local\Temp\F597.exe
    - Loads dropped DLL

- C:\Users\Admin\AppData\Local\Temp\23FB.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\23FB.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory

  - C:\Windows\SysWOW64\rundll32.exe (child of 23FB.exe)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\23FB.exe.dll,z C:\Users\Admin\AppData\Local\Temp\23FB.exe
    - Loads dropped DLL
Downloads