Analysis
- max time kernel: 4294192s
- max time network: 125s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 19-03-2022 06:58

Static task: static1
Behavioral task: behavioral1
Sample: a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe
Resource: win7-20220311-en
General
- Target: a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe
- Size: 4.4MB
- MD5: 758479c598ae9f73822b944914063868
- SHA1: b06e935e4e660733e049995f299fc84dcf6daf90
- SHA256: a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992
- SHA512: cbf6fb876246e6e999fa6c68db887077c27e9e71dc17cecb7bd38db51e3b0fe0788ad6315893af52a609f0ba6b7bbb0d62be0825007c210a6c46c62336db0ddd
Malware Config
Extracted
danabot
1732
3
23.226.132.92:443
176.123.6.168:443
108.62.141.152:443
192.241.101.68:443
- embedded_hash: DE420A65BFC5F29167A85A5199065A0E
- type: main
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes: RUNDLL32.EXE
    flow 2, pid 1388, process RUNDLL32.EXE
    flow 3, pid 1388, process RUNDLL32.EXE
    flow 4, pid 1388, process RUNDLL32.EXE
    flow 5, pid 1388, process RUNDLL32.EXE
- Deletes itself (1 IoCs)
  Processes: rundll32.exe
    pid 1772, process rundll32.exe
- Loads dropped DLL (8 IoCs)
  Processes: rundll32.exe, RUNDLL32.EXE
    pid 1772, process rundll32.exe
    pid 1772, process rundll32.exe
    pid 1772, process rundll32.exe
    pid 1772, process rundll32.exe
    pid 1388, process RUNDLL32.EXE
    pid 1388, process RUNDLL32.EXE
    pid 1388, process RUNDLL32.EXE
    pid 1388, process RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (3 IoCs)
  Processes: RUNDLL32.EXE
    description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini; process: RUNDLL32.EXE
    description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\GMEWETP4\desktop.ini; process: RUNDLL32.EXE
    description: File opened for modification; ioc: C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini; process: RUNDLL32.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: rundll32.exe, RUNDLL32.EXE
    description: Token: SeDebugPrivilege; pid 1772; process rundll32.exe
    description: Token: SeDebugPrivilege; pid 1388; process RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe, rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1936 wrote to memory of 1772; pid 1936; process a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe; target process rundll32.exe
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
    description: PID 1772 wrote to memory of 1388; pid 1772; process rundll32.exe; target process RUNDLL32.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\a213c607bbace81a31e12bb7871cc6acda265b5c19f61593e49d9a3124ccb992.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A213C6~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\A213C6~1.EXE
      - Deletes itself
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A213C6~1.DLL,jEpC
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Drops desktop.ini file(s)
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\A213C6~1.DLL
  MD5: 276adad6bea4d7bc2f37806c10bb5ef7
  SHA1: 26fad6ab56567053fba5e061b5d183341bf8b924
  SHA256: ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579
  SHA512: 684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07
- memory/1388-77-0x0000000002760000-0x0000000002DBF000-memory.dmp (Filesize 6.4MB)
- memory/1388-75-0x0000000002760000-0x0000000002DBF000-memory.dmp (Filesize 6.4MB)
- memory/1388-76-0x0000000002E10000-0x0000000002E11000-memory.dmp (Filesize 4KB)
- memory/1772-65-0x0000000001F80000-0x000000000234B000-memory.dmp (Filesize 3.8MB)
- memory/1772-67-0x0000000002D50000-0x0000000002D51000-memory.dmp (Filesize 4KB)
- memory/1772-66-0x0000000002620000-0x0000000002C7F000-memory.dmp (Filesize 6.4MB)
- memory/1772-69-0x0000000002620000-0x0000000002C7F000-memory.dmp (Filesize 6.4MB)
- memory/1936-56-0x0000000005AE0000-0x0000000005EBC000-memory.dmp (Filesize 3.9MB)
- memory/1936-55-0x0000000005710000-0x0000000005ADA000-memory.dmp (Filesize 3.8MB)
- memory/1936-58-0x0000000000400000-0x000000000552B000-memory.dmp (Filesize 81.2MB)
- memory/1936-54-0x0000000005710000-0x0000000005ADA000-memory.dmp (Filesize 3.8MB)
- memory/1936-57-0x00000000759B1000-0x00000000759B3000-memory.dmp (Filesize 8KB)