Analysis

Max time kernel: 4294185s
Max time network: 126s
Platform: windows7_x64
Resource: win7-20220223-en
Submitted: 09-03-2022 15:45

Static task: static1
Behavioral task: behavioral1
Sample: 2312225289f2153e9a45dbd2b4ace49b8f47d458c92c21a4f4bff8f175aecc8d.dll
Resource: win7-20220223-en
General

Target: 2312225289f2153e9a45dbd2b4ace49b8f47d458c92c21a4f4bff8f175aecc8d.dll
Size: 3.7MB
MD5: 143c5ed31f480133357f132ee8b1299a
SHA1: 38ca8876390aee7b2bfc83b7ffc81a4ef915f1f3
SHA256: 2312225289f2153e9a45dbd2b4ace49b8f47d458c92c21a4f4bff8f175aecc8d
SHA512: 519cf9bad04ca10f3d3eae968e9765d45edb36f2884843195806780fd991d177ba15ba868741fdafa4cc016388fffbd1b83a66af6e9b1ebf931a889db3f7bb7f
Malware Config

Extracted: danabot
- 1732
- 3
- 64.188.20.187:443
- 23.254.215.116:443
- 176.123.2.249:443
- embedded_hash: 1A5FA2708377AC3D9D838807A75CBA8F
- type: main
Signatures
-
suricata: ET MALWARE Danabot Key Exchange Request
-
Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
  2  892  RUNDLL32.EXE
  3  892  RUNDLL32.EXE
  4  892  RUNDLL32.EXE
  5  892  RUNDLL32.EXE
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) (5 IoCs)
Processes (description, ioc, process):
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AGWPI80M\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\KV8PQJCO\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\AZW6OKHO\desktop.ini  RUNDLL32.EXE
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  2044  rundll32.exe
  Token: SeDebugPrivilege  892   RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory (14 IoCs)
Processes (description, pid, process, target process):
  PID 1208 wrote to memory of 2044  1208  rundll32.exe  rundll32.exe  (7 identical entries)
  PID 2044 wrote to memory of 892   2044  rundll32.exe  RUNDLL32.EXE  (7 identical entries)
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2312225289f2153e9a45dbd2b4ace49b8f47d458c92c21a4f4bff8f175aecc8d.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\2312225289f2153e9a45dbd2b4ace49b8f47d458c92c21a4f4bff8f175aecc8d.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\2312225289f2153e9a45dbd2b4ace49b8f47d458c92c21a4f4bff8f175aecc8d.dll,cEMt
      - Blocklisted process makes network request
      - Drops desktop.ini file(s)
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads (memory dumps, with file size)

- memory/892-59-0x0000000001F10000-0x00000000022DA000-memory.dmp (3.8MB)
- memory/892-61-0x00000000026B0000-0x0000000002D0E000-memory.dmp (6.4MB)
- memory/892-62-0x0000000002F20000-0x0000000002F21000-memory.dmp (4KB)
- memory/892-63-0x00000000026B0000-0x0000000002D0E000-memory.dmp (6.4MB)
- memory/2044-54-0x00000000753E1000-0x00000000753E3000-memory.dmp (8KB)
- memory/2044-55-0x0000000001EC0000-0x000000000228A000-memory.dmp (3.8MB)
- memory/2044-56-0x0000000002560000-0x0000000002BBE000-memory.dmp (6.4MB)
- memory/2044-57-0x0000000002D10000-0x0000000002D11000-memory.dmp (4KB)
- memory/2044-60-0x0000000002560000-0x0000000002BBE000-memory.dmp (6.4MB)