Analysis

  • max time kernel
    144s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    11-01-2022 15:34

General

  • Target

    57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll

  • Size

    14MB

  • MD5

    cbac8f0600345f5fdc38a4c9f41e21f3

  • SHA1

    606f627a922e4a22cc139474866559dabea1f0d5

  • SHA256

    57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05

  • SHA512

    54a7dcf07f2cc56bb6c0c69472a5d24cc3338650b93af959261f8b878ef9729ab2dbdebf654506271ab0d2d3dc88742e9039b97a607d4060702d17b978f7b109

Malware Config

Extracted

Family

danabot

Version

2108

Botnet

4

C2

192.119.110.4:443

103.175.16.113:443

Attributes
  • embedded_hash

    422236FD601D11EE82825A484D26DD6F

  • type

    main

rsa_privkey.plain
rsa_pubkey.plain

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 3 IoCs
  • Sets DLL path for service in the registry 2 TTPs
  • Sets service image path in registry 2 TTPs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers commonly read stored browser profile data, which can include saved credentials, cookies and browsing history.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). This is often seen in ransomware, but here it matches the connected-drive enumeration reported above; the report lists no file-encryption activity.

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 15 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1472
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,#1
      2⤵
      • Checks processor information in registry
      PID:1724
  • C:\Windows\SysWOW64\svchost.exe
    C:\Windows\SysWOW64\svchost.exe -k LocalService
    1⤵
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:544
    • C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,OgsvODY1
      2⤵
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in System32 directory
      • Checks processor information in registry
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\SysWOW64\RUNDLL32.EXE
        C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll,YwdbRnY=
        3⤵
        • Suspicious use of SetThreadContext
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\system32\rundll32.exe
          C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 7295
          4⤵
          • Drops file in System32 directory
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:532
          • C:\Windows\system32\ctfmon.exe
            ctfmon.exe
            5⤵
              PID:1352
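The process tree above shows the pattern a detection engineer would key on: rundll32 loading a DLL from the user's Temp directory, a service host (svchost.exe -k LocalService) spawning rundll32 once the DLL is registered as a service, and export names that are not plausible identifiers (YwdbRnY=). The following is an added example, not part of the sandbox report, that encodes those checks and runs them over constructed process-creation events mirroring this tree. The parent PIDs of the two roots (1000 for the first rundll32, 480 for svchost) are assumptions; the report does not show them.

```python
"""Added example (not from the sandbox report): flag suspicious rundll32
invocations in process-creation events shaped like the tree above."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\57e9894749242755d8b3620e1ae3a6137f63ebdc1b951cd0fe197a97d13dde05.dll")

# Constructed events mirroring the report's process tree.
# Root parent PIDs (1000, 480) are assumptions, not values from the report.
EVENTS: List[ProcEvent] = [
    ProcEvent(1472, 1000, r"C:\Windows\system32\rundll32.exe",
              f"rundll32.exe {DLL},#1"),
    ProcEvent(1724, 1472, r"C:\Windows\SysWOW64\rundll32.exe",
              f"rundll32.exe {DLL},#1"),
    ProcEvent(544, 480, r"C:\Windows\SysWOW64\svchost.exe",
              r"C:\Windows\SysWOW64\svchost.exe -k LocalService"),
    ProcEvent(768, 544, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
              f"C:\\Windows\\system32\\RUNDLL32.EXE {DLL},OgsvODY1"),
    ProcEvent(1680, 768, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
              f"C:\\Windows\\system32\\RUNDLL32.EXE {DLL},YwdbRnY="),
    ProcEvent(532, 1680, r"C:\Windows\system32\rundll32.exe",
              r"C:\Windows\system32\rundll32.exe C:\Windows\system32\shell32.dll,#61 7295"),
    ProcEvent(1352, 532, r"C:\Windows\system32\ctfmon.exe", "ctfmon.exe"),
]

# "rundll32.exe <dll>,<export> [args]"; the DLL path is taken up to the first
# comma, which is sufficient for the paths seen in this report.
RUNDLL32_RE = re.compile(r"^\S*rundll32\.exe\s+(?P<dll>.+?),(?P<export>\S+)", re.I)
# Locations an unprivileged user can write to; a DLL loaded from here by
# rundll32 is rarely legitimate.
USER_WRITABLE_RE = re.compile(
    r"^[a-z]:\\users\\[^\\]+\\(appdata|downloads|desktop)\\", re.I)
# A named export must be a valid C identifier; "#N" is an ordinal.
IDENTIFIER_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline)
    return (m.group("dll"), m.group("export")) if m else None


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Map each flagged rundll32 PID to the reasons it was flagged."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        parsed = parse_rundll32(e.cmdline)
        if parsed is None:
            continue
        dll, export = parsed
        flags: List[str] = []
        if USER_WRITABLE_RE.match(dll):
            flags.append("dll_in_user_writable_path")
        parent = by_pid.get(e.ppid)
        # A service host spawning rundll32 fits the "sets service image path /
        # DLL path in registry" signatures: the DLL is now running as a service.
        if parent is not None and parent.image.lower().endswith("\\svchost.exe"):
            flags.append("rundll32_spawned_by_service_host")
        if not export.startswith("#") and not IDENTIFIER_RE.fullmatch(export):
            flags.append("export_not_an_identifier")
        if flags:
            findings[e.pid] = flags
    return findings


if __name__ == "__main__":
    for pid, flags in analyze(EVENTS).items():
        print(pid, ", ".join(flags))
```

Run against the constructed events, the four Danabot rundll32 processes (1472, 1724, 768, 1680) are flagged and the shell32.dll,#61 invocation under PID 532 is not. The export "OgsvODY1" passes the identifier check, so that single heuristic is weak on its own; the user-writable path and the svchost parent are the stronger signals.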

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder (T1060), 2 signatures
  • Defense Evasion: Modify Registry (T1112), 3 signatures; Install Root Certificate (T1130), 1 signature
  • Credential Access: Credentials in Files (T1081), 1 signature
  • Discovery: Query Registry (T1012), 3 signatures; Peripheral Device Discovery (T1120), 1 signature; System Information Discovery (T1082), 3 signatures
  • Collection: Data from Local System (T1005), 1 signature

Downloads

    • memory/532-73-0x0000000000190000-0x0000000000341000-memory.dmp
      Filesize

      1MB

    • memory/532-81-0x0000000000190000-0x0000000000341000-memory.dmp
      Filesize

      1MB

    • memory/532-82-0x0000000001DD0000-0x0000000001F92000-memory.dmp
      Filesize

      1MB

    • memory/532-80-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
      Filesize

      8KB

    • memory/532-78-0x00000000FFFF3CEC-mapping.dmp
    • memory/544-57-0x00000000021D0000-0x00000000031D1000-memory.dmp
      Filesize

      16MB

    • memory/544-59-0x00000000032B0000-0x00000000032B1000-memory.dmp
      Filesize

      4KB

    • memory/768-60-0x0000000000000000-mapping.dmp
    • memory/768-62-0x0000000001F70000-0x0000000002F71000-memory.dmp
      Filesize

      16MB

    • memory/1352-83-0x0000000000000000-mapping.dmp
    • memory/1680-69-0x0000000000B20000-0x0000000000C60000-memory.dmp
      Filesize

      1MB

    • memory/1680-77-0x0000000000B20000-0x0000000000C60000-memory.dmp
      Filesize

      1MB

    • memory/1680-64-0x0000000000000000-mapping.dmp
    • memory/1680-70-0x0000000000B20000-0x0000000000C60000-memory.dmp
      Filesize

      1MB

    • memory/1680-72-0x0000000000B20000-0x0000000000C60000-memory.dmp
      Filesize

      1MB

    • memory/1680-67-0x0000000003310000-0x0000000003311000-memory.dmp
      Filesize

      4KB

    • memory/1680-74-0x0000000000B20000-0x0000000000C60000-memory.dmp
      Filesize

      1MB

    • memory/1680-68-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

    • memory/1680-76-0x0000000000B20000-0x0000000000C60000-memory.dmp
      Filesize

      1MB

    • memory/1680-75-0x00000000003A0000-0x00000000003A1000-memory.dmp
      Filesize

      4KB

    • memory/1680-66-0x00000000022F0000-0x00000000032F1000-memory.dmp
      Filesize

      16MB

    • memory/1724-53-0x0000000000000000-mapping.dmp
    • memory/1724-56-0x0000000003230000-0x0000000003231000-memory.dmp
      Filesize

      4KB

    • memory/1724-55-0x0000000002210000-0x0000000003211000-memory.dmp
      Filesize

      16MB

    • memory/1724-54-0x0000000076491000-0x0000000076493000-memory.dmp
      Filesize

      8KB
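The dump names above encode the PID, a sequence number and the virtual address range of each region, while the "Filesize" labels are rounded down to whole megabytes (0x190000 to 0x341000 is 1.69 MiB, shown as 1MB). The following is an added example, not part of the report, that parses those names to recover exact sizes, picks the largest region per process, and groups regions by size across processes; the names in the sample list are copied from the Downloads list above.

```python
"""Added example (not from the sandbox report): parse memory-dump names of the
form memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp (or -0x<addr>-mapping.dmp)
and recover exact region sizes from the address range."""
import re
from typing import Dict, List, NamedTuple, Optional

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+)-memory|-mapping)\.dmp$"
)

# Names copied from the Downloads list in the report (a subset).
DUMPS = [
    "memory/532-73-0x0000000000190000-0x0000000000341000-memory.dmp",
    "memory/532-82-0x0000000001DD0000-0x0000000001F92000-memory.dmp",
    "memory/532-80-0x000007FEFC451000-0x000007FEFC453000-memory.dmp",
    "memory/532-78-0x00000000FFFF3CEC-mapping.dmp",
    "memory/544-57-0x00000000021D0000-0x00000000031D1000-memory.dmp",
    "memory/768-60-0x0000000000000000-mapping.dmp",
    "memory/768-62-0x0000000001F70000-0x0000000002F71000-memory.dmp",
    "memory/1680-66-0x00000000022F0000-0x00000000032F1000-memory.dmp",
    "memory/1680-69-0x0000000000B20000-0x0000000000C60000-memory.dmp",
    "memory/1724-55-0x0000000002210000-0x0000000003211000-memory.dmp",
]


class Dump(NamedTuple):
    pid: int
    seq: int
    start: int
    end: Optional[int]  # None for "-mapping.dmp" entries, which carry one address

    @property
    def size(self) -> Optional[int]:
        return None if self.end is None else self.end - self.start


def parse_dump_name(name: str) -> Dump:
    """Split a dump file name into PID, sequence number and address range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised dump name: {name}")
    end = m.group("end")
    return Dump(int(m.group("pid")), int(m.group("seq")),
                int(m.group("start"), 16), int(end, 16) if end else None)


def largest_region_per_pid(names: List[str]) -> Dict[int, Dump]:
    """Largest dumped region per process; mapping-only entries are skipped."""
    best: Dict[int, Dump] = {}
    for d in map(parse_dump_name, names):
        if d.size is not None and (d.pid not in best or d.size > best[d.pid].size):
            best[d.pid] = d
    return best


def regions_by_size(names: List[str]) -> Dict[int, List[int]]:
    """Map each exact region size to the sorted PIDs in which it was dumped."""
    out: Dict[int, List[int]] = {}
    for d in map(parse_dump_name, names):
        if d.size is not None:
            out.setdefault(d.size, []).append(d.pid)
    return {size: sorted(set(pids)) for size, pids in out.items()}


def human(size: int) -> str:
    """Exact size in MiB with two decimals, unlike the report's rounded label."""
    return f"{size / 1048576:.2f} MiB"


if __name__ == "__main__":
    for pid, d in sorted(largest_region_per_pid(DUMPS).items()):
        print(f"PID {pid}: seq {d.seq} {human(d.size)} at 0x{d.start:X}")
    for size, pids in sorted(regions_by_size(DUMPS).items(), reverse=True):
        print(f"{human(size)} region in PIDs {pids}")
```

Grouping by size shows that a 0x1001000-byte region (16.00 MiB) is dumped from every process that loaded the DLL (544, 768, 1680 and 1724); given the 14MB file on disk, that is the natural first dump to open when looking for the loaded module, and checking for an MZ header at its start confirms it.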