Analysis
- max time kernel: 169s
- max time network: 186s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 08-02-2022 22:02
Static task: static1
Behavioral task: behavioral1
Sample: 8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
Resource: win7-en-20211208
General
- Target: 8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
- Size: 4.3MB
- MD5: bdde08b2fb6638e9a34a069aa1a29f61
- SHA1: 8422f03e01dd55e6ef146a23fd745f172d0b94b7
- SHA256: 8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176
- SHA512: 5e0634490dc7398003d8d44859284d290e72672611f8b149edab3dac98f6eec93cc2fb4432c8e4bbc547a952ad0174de96707b289c970975ae47a286a930dccd
Malware Config
Extracted
danabot
1732
3
104.227.34.227:443
64.188.20.187:443
51.195.73.129:443
176.123.2.249:443
- embedded_hash: 6266E79288DFE2AE2C2DB47563C7F93A
- type: main
Signatures
-
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
Processes:
  description            pid   process       target process
  PID 4668 created 4572  4668  WerFault.exe  8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
-
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
-
Blocklisted process makes network request 4 IoCs
Processes:
  flow  pid   process
  36    4404  RUNDLL32.EXE
  41    4404  RUNDLL32.EXE
  51    4404  RUNDLL32.EXE
  53    4404  RUNDLL32.EXE
-
Loads dropped DLL 4 IoCs
Processes:
  pid   process
  4636  rundll32.exe
  4636  rundll32.exe
  4404  RUNDLL32.EXE
  4404  RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Windows directory 8 IoCs
Processes:
  description                   ioc                                                       process
  File opened for modification  C:\Windows\SoftwareDistribution\ReportingEvents.log       svchost.exe
  File opened for modification  C:\Windows\Logs\CBS\CBS.log                               TiWorker.exe
  File opened for modification  C:\Windows\WinSxS\pending.xml                             TiWorker.exe
  File opened for modification  C:\Windows\WindowsUpdate.log                              svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.chk    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log    svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.edb   svchost.exe
  File opened for modification  C:\Windows\SoftwareDistribution\DataStore\DataStore.jfm   svchost.exe
-
Program crash 1 IoCs
Processes:
  pid   pid_target  process       target process
  3444  4572        WerFault.exe  8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description        ioc                                                                                  process
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0                     WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                WerFault.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString WerFault.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:
  description        ioc                                                          process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU  WerFault.exe
  Key opened         \REGISTRY\MACHINE\Hardware\Description\System\BIOS            WerFault.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid   process
  3444  WerFault.exe
  3444  WerFault.exe
-
Suspicious use of AdjustPrivilegeToken 43 IoCs
Processes:
  description                       pid   process
  Token: SeDebugPrivilege           4636  rundll32.exe
  Token: SeDebugPrivilege           4404  RUNDLL32.EXE
  Token: SeRestorePrivilege         3444  WerFault.exe
  Token: SeBackupPrivilege          3444  WerFault.exe
  Token: SeShutdownPrivilege        3784  svchost.exe
  Token: SeCreatePagefilePrivilege  3784  svchost.exe
  Token: SeShutdownPrivilege        3784  svchost.exe
  Token: SeCreatePagefilePrivilege  3784  svchost.exe
  Token: SeShutdownPrivilege        3784  svchost.exe
  Token: SeCreatePagefilePrivilege  3784  svchost.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
  Token: SeBackupPrivilege          4864  TiWorker.exe
  Token: SeRestorePrivilege         4864  TiWorker.exe
  Token: SeSecurityPrivilege        4864  TiWorker.exe
-
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
  description                        pid   process                                                                 target process
  PID 4572 wrote to memory of 4636   4572  8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe  rundll32.exe
  PID 4572 wrote to memory of 4636   4572  8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe  rundll32.exe
  PID 4572 wrote to memory of 4636   4572  8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe  rundll32.exe
  PID 4636 wrote to memory of 4404   4636  rundll32.exe                                                            RUNDLL32.EXE
  PID 4636 wrote to memory of 4404   4636  rundll32.exe                                                            RUNDLL32.EXE
  PID 4636 wrote to memory of 4404   4636  rundll32.exe                                                            RUNDLL32.EXE
  PID 4668 wrote to memory of 4572   4668  WerFault.exe                                                            8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
  PID 4668 wrote to memory of 4572   4668  WerFault.exe                                                            8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
Processes
-
[tree level 1] C:\Users\Admin\AppData\Local\Temp\8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\8215f0ace69bf69721bb6bf991cc87462db48b0e81851addb40d41492298e176.exe"
- Suspicious use of WriteProcessMemory
-
[tree level 2] C:\Windows\SysWOW64\rundll32.exe
  command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\8215F0~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
[tree level 3] C:\Windows\SysWOW64\RUNDLL32.EXE
  command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\8215F0~1.DLL,YAhY
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
-
[tree level 2] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4572 -s 544
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
[tree level 1] C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4572 -ip 4572
- Suspicious use of NtCreateProcessExOtherParentProcess
- Suspicious use of WriteProcessMemory
-
[tree level 1] C:\Windows\system32\svchost.exe
  command line: C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
-
[tree level 1] C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\8215F0~1.DLL
  MD5     8ae60d14802fac0d5d8ddf4ab4e64cfd
  SHA1    f8023b26304a891897b57c10a1d0bdec4f9c0d6a
  SHA256  b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8
  SHA512  1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677
-
C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
  MD5     8ae60d14802fac0d5d8ddf4ab4e64cfd
  SHA1    f8023b26304a891897b57c10a1d0bdec4f9c0d6a
  SHA256  b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8
  SHA512  1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677
-
C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
  MD5     8ae60d14802fac0d5d8ddf4ab4e64cfd
  SHA1    f8023b26304a891897b57c10a1d0bdec4f9c0d6a
  SHA256  b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8
  SHA512  1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677
-
C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
  MD5     8ae60d14802fac0d5d8ddf4ab4e64cfd
  SHA1    f8023b26304a891897b57c10a1d0bdec4f9c0d6a
  SHA256  b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8
  SHA512  1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677
-
C:\Users\Admin\AppData\Local\Temp\8215F0~1.EXE.dll
  MD5     8ae60d14802fac0d5d8ddf4ab4e64cfd
  SHA1    f8023b26304a891897b57c10a1d0bdec4f9c0d6a
  SHA256  b5197c3bf67da872ba9d0b7366367c45790c4d5cc7be8b8109acee8d7f1152d8
  SHA512  1201a79794c7e50c3ed09c917a323bd43146a4b7c9884ccc522ab8d89abb2c893ad1f2ea683acdfa724793da764c62673a7809a95feec6c8e05a4e055e06b677
- memory/3784-154-0x000001C37CF80000-0x000001C37CF90000-memory.dmp  Filesize 64KB
- memory/3784-156-0x000001C37E360000-0x000001C37E364000-memory.dmp  Filesize 16KB
- memory/3784-155-0x000001C37D760000-0x000001C37D770000-memory.dmp  Filesize 64KB
- memory/4404-145-0x00000000020D0000-0x000000000249B000-memory.dmp  Filesize 3.8MB
- memory/4404-153-0x00000000028E1000-0x0000000002F40000-memory.dmp  Filesize 6.4MB
- memory/4404-147-0x00000000028E0000-0x0000000002F40000-memory.dmp  Filesize 6.4MB
- memory/4404-148-0x0000000003150000-0x0000000003151000-memory.dmp  Filesize 4KB
- memory/4572-130-0x0000000002E70000-0x000000000323B000-memory.dmp  Filesize 3.8MB
- memory/4572-132-0x0000000000400000-0x00000000007E9000-memory.dmp  Filesize 3.9MB
- memory/4572-131-0x0000000003240000-0x000000000361D000-memory.dmp  Filesize 3.9MB
- memory/4636-138-0x0000000003D00000-0x0000000003D01000-memory.dmp  Filesize 4KB
- memory/4636-146-0x0000000003491000-0x0000000003AF0000-memory.dmp  Filesize 6.4MB
- memory/4636-137-0x0000000003490000-0x0000000003AF0000-memory.dmp  Filesize 6.4MB
- memory/4636-136-0x0000000002AC0000-0x0000000002E8B000-memory.dmp  Filesize 3.8MB