Analysis
- max time kernel: 4294209s
- max time network: 128s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 19-03-2022 11:28

Static task: static1
Behavioral task: behavioral1
Sample: 276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll
Resource: win7-20220310-en
General
- Target: 276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll
- Size: 3.7MB
- MD5: 06ab0e5f5b6350856b78b42a487b9bc1
- SHA1: f99e9e1b2b05a239f88090ce0a0366d57d5c1805
- SHA256: 276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd
- SHA512: f29f6f2e70dabb88d92dc3f5a36c7a9710f8e2b1b4798c4b8c9cb21e48e1bb4be5ceb4939b4afc6cf846c77c9bfdd0b48f182d18c8a9ae17b0773e7f4efb640d
Malware Config
Extracted: danabot
- 1732
- 3
- 167.114.188.63:443
- 23.106.123.249:443
- 51.195.73.129:443
- 167.114.188.38:443
- embedded_hash: E1D3580C52F82AF2B3596E20FB85D9F4
- type: main
Signatures
- suricata: ET MALWARE Danabot Key Exchange Request (x2)
- Blocklisted process makes network request (4 IoCs)
  Processes: RUNDLL32.EXE
  flow | pid | process
  2 | 1588 | RUNDLL32.EXE
  3 | 1588 | RUNDLL32.EXE
  4 | 1588 | RUNDLL32.EXE
  5 | 1588 | RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTPs)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (4 IoCs)
  Processes: RUNDLL32.EXE
  description | ioc | process
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini | RUNDLL32.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318MUB20\desktop.ini | RUNDLL32.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini | RUNDLL32.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YXYDN81Q\desktop.ini | RUNDLL32.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: rundll32.exe, RUNDLL32.EXE
  description | pid | process
  Token: SeDebugPrivilege | 1248 | rundll32.exe
  Token: SeDebugPrivilege | 1588 | RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description | pid | process | target process
  PID 1572 wrote to memory of 1248 | 1572 | rundll32.exe | rundll32.exe (7 identical entries)
  PID 1248 wrote to memory of 1588 | 1248 | rundll32.exe | RUNDLL32.EXE (7 identical entries)
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll,d0wrjBzSAA==
      - Blocklisted process makes network request
      - Drops desktop.ini file(s)
      - Suspicious use of AdjustPrivilegeToken
Downloads
- memory/1248-54-0x0000000076361000-0x0000000076363000-memory.dmp (8KB)
- memory/1248-55-0x00000000022B0000-0x000000000267B000-memory.dmp (3.8MB)
- memory/1248-56-0x0000000002950000-0x0000000002FAF000-memory.dmp (6.4MB)
- memory/1248-57-0x0000000002950000-0x0000000002FAF000-memory.dmp (6.4MB)
- memory/1248-58-0x0000000002FC0000-0x0000000002FC1000-memory.dmp (4KB)
- memory/1588-60-0x0000000000880000-0x0000000000C4B000-memory.dmp (3.8MB)
- memory/1588-61-0x0000000002580000-0x0000000002BDF000-memory.dmp (6.4MB)
- memory/1588-62-0x0000000000E90000-0x0000000000E91000-memory.dmp (4KB)
- memory/1588-63-0x0000000002580000-0x0000000002BDF000-memory.dmp (6.4MB)