Analysis
- max time kernel: 127s
- max time network: 142s
- platform: windows10-2004_x64
- resource: win10v2004-en-20220113
- submitted: 06-03-2022 22:22
Static task: static1
Behavioral task: behavioral1
Sample: 95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe
Resource: win7-20220223-en
General
- Target: 95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe
- Size: 3.9MB
- MD5: cdb7cedd0d9adb7c036b49f4ff2eb5c4
- SHA1: fc4a2c47085d30633bcd220d821455d333bee647
- SHA256: 95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85
- SHA512: 6bd6231e90097e0a5c0e8fa36175f9f7c5a6dd41f4e53ea6ae87ac3234bba8ee6b975c802c05228d4f09c7f0e04c43773f7814b8324529e58b9946b28a01c43c
Malware Config
Extracted
- danabot
- 1732
- 3
- 23.106.123.249:443
- 51.195.73.129:443
- 167.114.188.38:443
- 23.226.132.92:443
- embedded_hash: E1D3580C52F82AF2B3596E20FB85D9F4
- type: main
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    12    4144  RUNDLL32.EXE
    13    4144  RUNDLL32.EXE
    14    4144  RUNDLL32.EXE
    20    4144  RUNDLL32.EXE
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    4116  rundll32.exe
    4144  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (1 IoC)
  Processes:
    description: File opened for modification
    ioc: C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini
    process: RUNDLL32.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  4116  rundll32.exe
    Token: SeDebugPrivilege  4144  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 3264 wrote to memory of 4116  3264  95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe  rundll32.exe
    PID 3264 wrote to memory of 4116  3264  95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe  rundll32.exe
    PID 3264 wrote to memory of 4116  3264  95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe  rundll32.exe
    PID 4116 wrote to memory of 4144  4116  rundll32.exe                                                              RUNDLL32.EXE
    PID 4116 wrote to memory of 4144  4116  rundll32.exe                                                              RUNDLL32.EXE
    PID 4116 wrote to memory of 4144  4116  rundll32.exe                                                              RUNDLL32.EXE
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\95c27d002213104e4029df6f785dba30a0fd7fc7bf1aeb27e15f669edbc27d85.exe"
  - Suspicious use of WriteProcessMemory
- (depth 2) C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\95C27D~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\95C27D~1.EXE
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
- (depth 3) C:\Windows\SysWOW64\RUNDLL32.EXE
  Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\95C27D~1.DLL,gDFPfDaeA7g=
  - Blocklisted process makes network request
  - Loads dropped DLL
  - Drops desktop.ini file(s)
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\95C27D~1.DLL
  MD5: 84089cd89e88deb295ef14f03796bba5
  SHA1: 03db542899d89cccd873143ab00cd43039318fbe
  SHA256: f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77
  SHA512: c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9
- C:\Users\Admin\AppData\Local\Temp\95C27D~1.EXE.dll
  MD5: 84089cd89e88deb295ef14f03796bba5
  SHA1: 03db542899d89cccd873143ab00cd43039318fbe
  SHA256: f7a256bf58cc242cd34bdfa710febc15aa9991824124b4a42ff7196cbc92db77
  SHA512: c76b1160a1413c63c37ab065c249dcbd3f3fe8b10b45b2084eaeb676574673dac41e17a0cc0dd643b400ef4f953d19fe209b36310fc406834ba92aabe90682b9
- memory/4116-132-0x00000000031A0000-0x00000000037FF000-memory.dmp
  Filesize: 6.4MB
- memory/4116-133-0x00000000031A0000-0x00000000037FF000-memory.dmp
  Filesize: 6.4MB
- memory/4144-141-0x0000000003070000-0x00000000036CF000-memory.dmp
  Filesize: 6.4MB
- memory/4144-145-0x0000000003070000-0x00000000036CF000-memory.dmp
  Filesize: 6.4MB