Resubmissions
19-02-2022 18:44  220219-xdz2fachfn  10
31-01-2022 07:14  220131-h2552agegp  10
29-01-2022 08:45  220129-knq53agfcl  10
Analysis
- max time kernel: 1195s
- max time network: 1213s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220112
- submitted: 19-02-2022 18:44
Static task: static1
Behavioral task: behavioral1
Sample: a07a26961fcd37fbbbe292225e069243.exe
Resource: win7-en-20211208
General
- Target: a07a26961fcd37fbbbe292225e069243.exe
- Size: 1.2MB
- MD5: a07a26961fcd37fbbbe292225e069243
- SHA1: d4f3c4d7045865e52284544c1957cf3786902404
- SHA256: 8b73e5a9e4093166d04fcee33db13db39dacbb6a2bb8282282e1ab9558fddc86
- SHA512: 81fe9aa924055f4a039cd662d4244bbf9a48b6698fbb6bffd891cd59d55a613e67011bcc3ad2420f9d7bf4d2447abdccbf4caff086ab2ae7331e6aa3191fd769
Malware Config
Extracted
danabot
4
5.253.84.124:443
103.175.16.114:443
193.34.166.107:443
- embedded_hash: 422236FD601D11EE82825A484D26DD6F
- type: loader
Signatures
- Danabot Loader Component 2 IoCs
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll | DanabotLoader2021
  C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll | DanabotLoader2021
- Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  Processes:
  description | pid | process | target process
  PID 2968 created 1860 | 2968 | WerFault.exe | a07a26961fcd37fbbbe292225e069243.exe
- Blocklisted process makes network request 4 IoCs
  Processes:
  flow | pid | process
  70 | 1124 | rundll32.exe
  72 | 1124 | rundll32.exe
  74 | 1124 | rundll32.exe
  77 | 1124 | rundll32.exe
- Loads dropped DLL 1 IoCs
  Processes:
  pid | process
  1124 | rundll32.exe
- Drops file in Windows directory 3 IoCs
  Processes:
  description | ioc | process
  File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Local\Microsoft\Windows\DeliveryOptimization\State\keyValueLKG.dat | svchost.exe
  File opened for modification | C:\Windows\Logs\CBS\CBS.log | TiWorker.exe
  File opened for modification | C:\Windows\WinSxS\pending.xml | TiWorker.exe
- Program crash 1 IoCs
  Processes:
  pid | pid_target | process | target process
  3576 | 1860 | WerFault.exe | a07a26961fcd37fbbbe292225e069243.exe
- Checks processor information in registry 2 TTPs 5 IoCs
  Processor information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | WerFault.exe
  Key opened | \Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | MusNotifyIcon.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | MusNotifyIcon.exe
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | WerFault.exe
- Enumerates system info in registry 2 TTPs 2 IoCs
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | WerFault.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | WerFault.exe
- Modifies data under HKEY_USERS 53 IoCs
  Processes:
- Suspicious behavior: EnumeratesProcesses 2 IoCs
  Processes:
  pid | process
  3576 | WerFault.exe
  3576 | WerFault.exe
- Suspicious use of AdjustPrivilegeToken 64 IoCs
  Processes:
- Suspicious use of WriteProcessMemory 5 IoCs
  Processes:
  description | pid | process | target process
  PID 1860 wrote to memory of 1124 | 1860 | a07a26961fcd37fbbbe292225e069243.exe | rundll32.exe
  PID 1860 wrote to memory of 1124 | 1860 | a07a26961fcd37fbbbe292225e069243.exe | rundll32.exe
  PID 1860 wrote to memory of 1124 | 1860 | a07a26961fcd37fbbbe292225e069243.exe | rundll32.exe
  PID 2968 wrote to memory of 1860 | 2968 | WerFault.exe | a07a26961fcd37fbbbe292225e069243.exe
  PID 2968 wrote to memory of 1860 | 2968 | WerFault.exe | a07a26961fcd37fbbbe292225e069243.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll,z C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe
    - Blocklisted process makes network request
    - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 508
    - Program crash
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\system32\MusNotifyIcon.exe
  Command line: %systemroot%\system32\MusNotifyIcon.exe NotifyTrayIcon 13
  - Checks processor information in registry
- C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k NetworkService -p
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
- C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe
  Command line: C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.1220_none_7e21bc567c7ed16b\TiWorker.exe -Embedding
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 1860 -ip 1860
  - Suspicious use of NtCreateProcessExOtherParentProcess
  - Suspicious use of WriteProcessMemory
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\a07a26961fcd37fbbbe292225e069243.exe.dll
  MD5: 73252c213130138f163fb7e6024db45e
  SHA1: ba206893ee7bcfbf2cfe93109e759c9e9e22a40f
  SHA256: 861b4a00a44fbe759736f3a408a6aa5916c66ab12dda858f1c2e873ca43ebdb0
  SHA512: 49dc2ebc001b7c62a8abc9686149f610fd79b3c2adf46dd8be971e97ac8b48b8745b5bec38c4724c23f93d90004a8fea5cec979650bee1d4fffe2b8c0c2c89ca
- memory/1860-130-0x0000000002326000-0x000000000240A000-memory.dmp
  Filesize: 912KB
- memory/1860-131-0x0000000002410000-0x000000000250B000-memory.dmp
  Filesize: 1004KB
- memory/1860-132-0x0000000000400000-0x0000000000508000-memory.dmp
  Filesize: 1.0MB