Analysis
-
max time kernel
150s -
max time network
169s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
01-02-2022 05:58
Static task
static1
Behavioral task
behavioral1
Sample
66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a.js
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a.js
Resource
win10v2004-en-20220112
General
-
Target
66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a.js
-
Size
1.4MB
-
MD5
58a4f4d720e37e8068e6ebf835f5e37c
-
SHA1
81b196c4175097a2bc639764e71454986060da66
-
SHA256
66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a
-
SHA512
737932aa10d7bdef164441348b21c9b041476ce111ef9ad820c666b03a949589c12baa8fe07ef6db9c0487f8300e765604b27f16abecc04a0a2bb847ca1cc7f6
Malware Config
Extracted
danabot
209.182.218.222
185.227.109.40
185.136.165.128
161.129.65.197
217.182.56.71
254.55.37.53
228.175.167.154
56.38.135.17
168.127.65.186
185.181.8.49
Signatures
-
Danabot x86 payload 3 IoCs
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll family_danabot C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll family_danabot C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll family_danabot -
Blocklisted process makes network request 8 IoCs
Processes:
rundll32.exeflow pid process 17 1656 rundll32.exe 44 1656 rundll32.exe 53 1656 rundll32.exe 54 1656 rundll32.exe 58 1656 rundll32.exe 61 1656 rundll32.exe 62 1656 rundll32.exe 63 1656 rundll32.exe -
Sets service image path in registry 2 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
wscript.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-790714498-1549421491-1643397139-1000\Control Panel\International\Geo\Nation wscript.exe -
Loads dropped DLL 2 IoCs
Processes:
regsvr32.exerundll32.exepid process 4048 regsvr32.exe 1656 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies data under HKEY_USERS 41 IoCs
Processes:
WaaSMedicAgent.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs WaaSMedicAgent.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs WaaSMedicAgent.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
wscript.exeregsvr32.exeregsvr32.exedescription pid process target process PID 3620 wrote to memory of 1804 3620 wscript.exe regsvr32.exe PID 3620 wrote to memory of 1804 3620 wscript.exe regsvr32.exe PID 1804 wrote to memory of 4048 1804 regsvr32.exe regsvr32.exe PID 1804 wrote to memory of 4048 1804 regsvr32.exe regsvr32.exe PID 1804 wrote to memory of 4048 1804 regsvr32.exe regsvr32.exe PID 4048 wrote to memory of 1656 4048 regsvr32.exe rundll32.exe PID 4048 wrote to memory of 1656 4048 regsvr32.exe rundll32.exe PID 4048 wrote to memory of 1656 4048 regsvr32.exe rundll32.exe
Processes
-
C:\Windows\system32\wscript.exewscript.exe C:\Users\Admin\AppData\Local\Temp\66b7a497ff759634f91c4a6ae7c0b6fd90cd0c61076e4abc8d2f9166f343805a.js1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\regsvr32.exe"C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\lEDVIkQSVYhQAzRgNIlEfQ.dll2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\regsvr32.exe-s C:\Users\Admin\AppData\Local\Temp\\lEDVIkQSVYhQAzRgNIlEfQ.dll3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dll,f04⤵
- Blocklisted process makes network request
- Loads dropped DLL
-
C:\Windows\System32\WaaSMedicAgent.exeC:\Windows\System32\WaaSMedicAgent.exe ea9b50f8abea418d0475e5587c03c1aa neWrerG0IkW2h9X5MLBNpw.0.1.0.0.01⤵
- Modifies data under HKEY_USERS
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dllMD5
edb09790e89ee476cfb7e66a1f7cad7b
SHA1f25e69a0447936ec278808bdfb942a4e7125c46c
SHA2560578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93
SHA512ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb
-
C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dllMD5
edb09790e89ee476cfb7e66a1f7cad7b
SHA1f25e69a0447936ec278808bdfb942a4e7125c46c
SHA2560578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93
SHA512ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb
-
C:\Users\Admin\AppData\Local\Temp\lEDVIkQSVYhQAzRgNIlEfQ.dllMD5
edb09790e89ee476cfb7e66a1f7cad7b
SHA1f25e69a0447936ec278808bdfb942a4e7125c46c
SHA2560578160ca0061e8b9b0e61ecb6b057babdeff7580d5a58e0724e7bb4e7e51d93
SHA512ebd154521917fb876736dcb62ce35517dcf5ccf513a8903544f681ac2d1adacff894dfe3615a1f005e65b8cb738ac47ab83ac85eaa16bfd897a1868e3d16aecb