Analysis
-
max time kernel
144s -
max time network
119s -
platform
windows7_x64 -
resource
win7-en-20211208 -
submitted
11-01-2022 15:34
Behavioral task
behavioral1
Sample
57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll
Resource
win7-en-20211208
General
-
Target
57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll
-
Size
14MB
-
MD5
cbac8f0600345f5fdc38a4c9f41e21f3
-
SHA1
606f627a922e4a22cc139474866559dabea1f0d5
-
SHA256
57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05
-
SHA512
54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109
Malware Config
Extracted
danabot
2108
4
192.119.110.4:443
103.175.16.113:443
-
embedded_hash
422236FD601D11EE82825A484D26DD6F
-
type
main
Signatures
-
Blocklisted process makes network request 3 IoCs
Processes:
RUNDLL32.EXEflow pid process 2 768 RUNDLL32.EXE 7 768 RUNDLL32.EXE 10 768 RUNDLL32.EXE -
Sets DLL path for service in the registry 2 TTPs
-
Sets service image path in registry 2 TTPs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
RUNDLL32.EXEdescription ioc process File opened (read-only) \??\B: RUNDLL32.EXE File opened (read-only) \??\E: RUNDLL32.EXE File opened (read-only) \??\G: RUNDLL32.EXE File opened (read-only) \??\H: RUNDLL32.EXE File opened (read-only) \??\I: RUNDLL32.EXE File opened (read-only) \??\M: RUNDLL32.EXE File opened (read-only) \??\P: RUNDLL32.EXE File opened (read-only) \??\S: RUNDLL32.EXE File opened (read-only) \??\U: RUNDLL32.EXE File opened (read-only) \??\O: RUNDLL32.EXE File opened (read-only) \??\X: RUNDLL32.EXE File opened (read-only) \??\J: RUNDLL32.EXE File opened (read-only) \??\T: RUNDLL32.EXE File opened (read-only) \??\Z: RUNDLL32.EXE File opened (read-only) \??\A: RUNDLL32.EXE File opened (read-only) \??\F: RUNDLL32.EXE File opened (read-only) \??\K: RUNDLL32.EXE File opened (read-only) \??\L: RUNDLL32.EXE File opened (read-only) \??\N: RUNDLL32.EXE File opened (read-only) \??\Q: RUNDLL32.EXE File opened (read-only) \??\R: RUNDLL32.EXE File opened (read-only) \??\V: RUNDLL32.EXE File opened (read-only) \??\W: RUNDLL32.EXE File opened (read-only) \??\Y: RUNDLL32.EXE -
Drops file in System32 directory 3 IoCs
Processes:
RUNDLL32.EXErundll32.exedescription ioc process File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat RUNDLL32.EXE File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\pkcs11.txt rundll32.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\Roaming\Mozilla\Firefox\Profiles\cert9.db rundll32.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
RUNDLL32.EXEdescription pid process target process PID 1680 set thread context of 532 1680 RUNDLL32.EXE rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 64 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
rundll32.exesvchost.exeRUNDLL32.EXERUNDLL32.EXEdescription ioc process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 svchost.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 svchost.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE -
Processes:
RUNDLL32.EXEdescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\367741F623154970EFB9C3D2C9C872206FEF8459 RUNDLL32.EXE Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\367741F623154970EFB9C3D2C9C872206FEF8459\Blob = 030000000100000014000000367741f623154970efb9c3d2c9c872206fef845920000000010000009f0200003082029b30820204a0030201020208364d23b329967880300d06092a864886f70d01010b05003074311f301d06035504030c1654686177746520546a6d657374616d70696e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c65301e170d3230303131323135333431385a170d3234303131313135333431385a3074311f301d06035504030c1654686177746520546a6d657374616d70696e67204341311d301b060355040b0c145468617774652043657274696669636174696f6e310f300d060355040a0c06546861777465310b3009060355040613025a413114301206035504070c0b44757262616e76696c6c6530819f300d06092a864886f70d010101050003818d0030818902818100da5a02c229909db7b8a58bf719d65880e658346da712353f3a8061e196599e08a41448231027cfdb114a4d7c4f8daed03d71596a99a5f1cfd5e98913f663f8a09b0853e15e2b52ca8efb2930a1cb67beaa658d998b1087ea8857990b35e9860b4925285ab5cd9d7f4417a9c6d6d49baa5ef2db88d934b1e19af2f1d5104e9f970203010001a3363034300f0603551d130101ff040530030101ff30210603551d11041a3018821654686177746520546a6d657374616d70696e67204341300d06092a864886f70d01010b05000381810022e4f31fc205b903d37a7bbc1d84411a2d36da996e62ed28a54e2b003d7a8791050e20a90ebd41a5bf08076e31bc6fdb0b18fbaab0d74197fcae71fb8f9415447cb84aed5f5007269cb29cf5e79f73df68ecbf84c9a072835bbf1be1843396462a6e277f3ecc5090c120cdd5455cb87afdae5ff7f0881beb13806bf4b70ff0e9 RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 15 IoCs
Processes:
svchost.exeRUNDLL32.EXERUNDLL32.EXEpid process 544 svchost.exe 768 RUNDLL32.EXE 768 RUNDLL32.EXE 768 RUNDLL32.EXE 768 RUNDLL32.EXE 544 svchost.exe 544 svchost.exe 1680 RUNDLL32.EXE 544 svchost.exe 544 svchost.exe 544 svchost.exe 544 svchost.exe 544 svchost.exe 544 svchost.exe 544 svchost.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
RUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 768 RUNDLL32.EXE -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
rundll32.exepid process 532 rundll32.exe -
Suspicious use of WriteProcessMemory 29 IoCs
Processes:
rundll32.exesvchost.exeRUNDLL32.EXERUNDLL32.EXErundll32.exedescription pid process target process PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 1472 wrote to memory of 1724 1472 rundll32.exe rundll32.exe PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 544 wrote to memory of 768 544 svchost.exe RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 768 wrote to memory of 1680 768 RUNDLL32.EXE RUNDLL32.EXE PID 1680 wrote to memory of 532 1680 RUNDLL32.EXE rundll32.exe PID 1680 wrote to memory of 532 1680 RUNDLL32.EXE rundll32.exe PID 1680 wrote to memory of 532 1680 RUNDLL32.EXE rundll32.exe PID 1680 wrote to memory of 532 1680 RUNDLL32.EXE rundll32.exe PID 1680 wrote to memory of 532 1680 RUNDLL32.EXE rundll32.exe PID 532 wrote to memory of 1352 532 rundll32.exe ctfmon.exe PID 532 wrote to memory of 1352 532 rundll32.exe ctfmon.exe PID 532 wrote to memory of 1352 532 rundll32.exe ctfmon.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#12⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\svchost.exeC:\Windows\SysWOW64\svchost.exe -k LocalService1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,OgsvODY12⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,YwdbRnY=3⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 72954⤵
- Drops file in System32 directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ctfmon.exectfmon.exe5⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/532-73-0x0000000000190000-0x0000000000341000-memory.dmpFilesize
1MB
-
memory/532-81-0x0000000000190000-0x0000000000341000-memory.dmpFilesize
1MB
-
memory/532-82-0x0000000001DD0000-0x0000000001F92000-memory.dmpFilesize
1MB
-
memory/532-80-0x000007FEFC451000-0x000007FEFC453000-memory.dmpFilesize
8KB
-
memory/532-78-0x00000000FFFF3CEC-mapping.dmp
-
memory/544-57-0x00000000021D0000-0x00000000031D1000-memory.dmpFilesize
16MB
-
memory/544-59-0x00000000032B0000-0x00000000032B1000-memory.dmpFilesize
4KB
-
memory/768-60-0x0000000000000000-mapping.dmp
-
memory/768-62-0x0000000001F70000-0x0000000002F71000-memory.dmpFilesize
16MB
-
memory/1352-83-0x0000000000000000-mapping.dmp
-
memory/1680-69-0x0000000000B20000-0x0000000000C60000-memory.dmpFilesize
1MB
-
memory/1680-77-0x0000000000B20000-0x0000000000C60000-memory.dmpFilesize
1MB
-
memory/1680-64-0x0000000000000000-mapping.dmp
-
memory/1680-70-0x0000000000B20000-0x0000000000C60000-memory.dmpFilesize
1MB
-
memory/1680-72-0x0000000000B20000-0x0000000000C60000-memory.dmpFilesize
1MB
-
memory/1680-67-0x0000000003310000-0x0000000003311000-memory.dmpFilesize
4KB
-
memory/1680-74-0x0000000000B20000-0x0000000000C60000-memory.dmpFilesize
1MB
-
memory/1680-68-0x0000000000140000-0x0000000000141000-memory.dmpFilesize
4KB
-
memory/1680-76-0x0000000000B20000-0x0000000000C60000-memory.dmpFilesize
1MB
-
memory/1680-75-0x00000000003A0000-0x00000000003A1000-memory.dmpFilesize
4KB
-
memory/1680-66-0x00000000022F0000-0x00000000032F1000-memory.dmpFilesize
16MB
-
memory/1724-53-0x0000000000000000-mapping.dmp
-
memory/1724-56-0x0000000003230000-0x0000000003231000-memory.dmpFilesize
4KB
-
memory/1724-55-0x0000000002210000-0x0000000003211000-memory.dmpFilesize
16MB
-
memory/1724-54-0x0000000076491000-0x0000000076493000-memory.dmpFilesize
8KB