Analysis
- max time kernel: 135s
- max time network: 124s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 09-01-2022 15:48

Static task: static1
Behavioral task: behavioral1
- Sample: warrant.exe
- Resource: win7-en-20211208
General
- Target: warrant.exe
- Size: 1.1MB
- MD5: 63d9b309582fbf651840182519c04f18
- SHA1: 742539d685093f276242b1ca3fae82c0d20cad6a
- SHA256: 8409da61f57fbdf4ad602f4065afaca1f98fce73277cd54163f8b3e39c03c8e3
- SHA512: c057b485f700071434df12cc27054936ecd904b4c302130c04f8317a0145f6e3c93ae556275b6d97bcddcbd7a26a1c22a112f9eb177c75fcc50cfb9cf1639385
Malware Config
Extracted
- Family: danabot
- Version: 4
- C2: 192.119.110.4:443
- C2: 103.175.16.113:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures
- Danabot Loader Component (2 IoCs)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\warrant.exe.dll | DanabotLoader2021
- Loads dropped DLL (1 IoCs)
  Processes:
  pid | process
  3416 | rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description | pid | process | target process
  PID 3160 wrote to memory of 3416 | 3160 | warrant.exe | rundll32.exe
  PID 3160 wrote to memory of 3416 | 3160 | warrant.exe | rundll32.exe
  PID 3160 wrote to memory of 3416 | 3160 | warrant.exe | rundll32.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\warrant.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\warrant.exe"
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\SysWOW64\rundll32.exe (child of [1])
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll,z C:\Users\Admin\AppData\Local\Temp\warrant.exe
    - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\warrant.exe.dll
  MD5: 15023780c189185181500bb6a8129036
  SHA1: 4e6affdc79faf7f5e3af7a16bbd713be7c67e905
  SHA256: 73f6c7930ace82734a5d8c562a59fec91d7acbfbbe92c32e9661253bf8998be6
  SHA512: 51e0d052f212404073a94d9a966ecbd937cd855e7ef6f647f7fc56eca6392128524e501100e5730e004f852e3715a29a48e6f6f2b0b2593d95952eb0b8d87eb3
- \Users\Admin\AppData\Local\Temp\warrant.exe.dll
  MD5: 15023780c189185181500bb6a8129036
  SHA1: 4e6affdc79faf7f5e3af7a16bbd713be7c67e905
  SHA256: 73f6c7930ace82734a5d8c562a59fec91d7acbfbbe92c32e9661253bf8998be6
  SHA512: 51e0d052f212404073a94d9a966ecbd937cd855e7ef6f647f7fc56eca6392128524e501100e5730e004f852e3715a29a48e6f6f2b0b2593d95952eb0b8d87eb3
- memory/3160-116-0x0000000004BA0000-0x0000000004C9A000-memory.dmp
  Filesize: 1000KB
- memory/3160-115-0x0000000004AB0000-0x0000000004B93000-memory.dmp
  Filesize: 908KB
- memory/3160-117-0x0000000000400000-0x0000000002C59000-memory.dmp
  Filesize: 40.3MB
- memory/3416-118-0x0000000000000000-mapping.dmp