Analysis
- max time kernel: 131s
- max time network: 165s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 19-03-2022 11:28
Static task: static1
Behavioral task: behavioral1
- Sample: 276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll
- Resource: win7-20220310-en
General
- Target: 276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll
- Size: 3.7MB
- MD5: 06ab0e5f5b6350856b78b42a487b9bc1
- SHA1: f99e9e1b2b05a239f88090ce0a0366d57d5c1805
- SHA256: 276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd
- SHA512: f29f6f2e70dabb88d92dc3f5a36c7a9710f8e2b1b4798c4b8c9cb21e48e1bb4be5ceb4939b4afc6cf846c77c9bfdd0b48f182d18c8a9ae17b0773e7f4efb640d
Malware Config
Extracted: danabot
- 1732
- 3
- C2:
  - 167.114.188.63:443
  - 23.106.123.249:443
  - 51.195.73.129:443
  - 167.114.188.38:443
- embedded_hash: E1D3580C52F82AF2B3596E20FB85D9F4
- type: main
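The four C2 endpoints above are the most directly actionable part of the report. The following is an added example, not part of the sandbox output: it matches the extracted ip:port pairs against connection-log records and collapses them into prefixes for pivoting. The C2 set is copied from the config above; the record format (tab-separated ts, src, dst, dport, proto) and the log lines are constructed for illustration.

```python
"""Match the C2 endpoints from the extracted DanaBot config against
connection-log records.

Added example for this report; it is not part of the sandbox output.
The C2 set is copied from the "Malware Config" section. The log format
and the log lines below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# C2 endpoints as extracted by the sandbox: (ip, port).
DANABOT_C2 = {
    ("167.114.188.63", 443),
    ("23.106.123.249", 443),
    ("51.195.73.129", 443),
    ("167.114.188.38", 443),
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_conn_line(line: str) -> Flow:
    """Parse one constructed record: ts<TAB>src<TAB>dst<TAB>dport<TAB>proto."""
    ts, src, dst, dport, proto = line.rstrip("\n").split("\t")
    ipaddress.ip_address(src)  # raise early on malformed addresses
    ipaddress.ip_address(dst)
    return Flow(ts, src, dst, int(dport), proto)


def match_c2(lines, c2=DANABOT_C2):
    """Return the flows whose (dst, dport) is a known DanaBot C2 endpoint.

    Matching is on the exact ip:port pair. DanaBot talks to 443 with its
    own key-exchange protocol (the Suricata alerts in this report match
    it by content), so a hit here is worth following up even when the
    flow looks like ordinary TLS at first glance.
    """
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        flow = parse_conn_line(line)
        if (flow.dst, flow.dport) in c2:
            hits.append(flow)
    return hits


def c2_networks(c2=DANABOT_C2, prefix=24):
    """Collapse the C2 addresses into prefixes for pivoting (two of the
    four sit in 167.114.188.0/24)."""
    nets = {ipaddress.ip_network(f"{ip}/{prefix}", strict=False) for ip, _ in c2}
    return sorted(str(n) for n in nets)


# Constructed sample log: one benign HTTPS flow, two C2 hits, and one
# near-miss (C2 address, wrong port) that must not match.
SAMPLE_CONN_LOG = [
    "# ts\tsrc\tdst\tdport\tproto",
    "2022-03-19T11:29:01\t10.0.0.5\t142.250.74.14\t443\ttcp",
    "2022-03-19T11:29:03\t10.0.0.5\t167.114.188.63\t443\ttcp",
    "2022-03-19T11:29:04\t10.0.0.5\t167.114.188.63\t80\ttcp",
    "2022-03-19T11:29:09\t10.0.0.5\t51.195.73.129\t443\ttcp",
]

if __name__ == "__main__":
    for hit in match_c2(SAMPLE_CONN_LOG):
        print(f"{hit.ts} {hit.src} -> {hit.dst}:{hit.dport} matches DanaBot C2")
    print("pivot prefixes:", c2_networks())
```

The near-miss record (same address on port 80) is deliberately excluded: the extracted config names ports, and matching on address alone would also flag unrelated services on shared hosting ranges.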
Signatures
- suricata: ET MALWARE Danabot Key Exchange Request (two alerts)
- Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  58    3648  RUNDLL32.EXE
  63    3648  RUNDLL32.EXE
  64    3648  RUNDLL32.EXE
  65    3648  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   process
  Token: SeDebugPrivilege   1808  rundll32.exe
  Token: SeDebugPrivilege   3648  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process       target process
  PID 2396 wrote to memory of 1808   2396  rundll32.exe  rundll32.exe
  PID 2396 wrote to memory of 1808   2396  rundll32.exe  rundll32.exe
  PID 2396 wrote to memory of 1808   2396  rundll32.exe  rundll32.exe
  PID 1808 wrote to memory of 3648   1808  rundll32.exe  RUNDLL32.EXE
  PID 1808 wrote to memory of 3648   1808  rundll32.exe  RUNDLL32.EXE
  PID 1808 wrote to memory of 3648   1808  rundll32.exe  RUNDLL32.EXE
Processes
1. C:\Windows\system32\rundll32.exe (PID 2396)
   command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 1808)
      command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll,#1
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE (PID 3648)
         command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll,UB0z
         - Blocklisted process makes network request
         - Suspicious use of AdjustPrivilegeToken

The PIDs are taken from the WriteProcessMemory IoCs (2396 wrote into 1808, 1808 wrote into 3648). The first process is the 64-bit rundll32 from system32; handed a 32-bit DLL, it hands off to its SysWOW64 counterpart, which is the second process. The third process names C:\Windows\system32\RUNDLL32.EXE on its command line but runs from SysWOW64 because WoW64 file-system redirection resolves system32 to SysWOW64 for a 32-bit caller. The entry point changes along the chain: #1 is export ordinal 1, UB0z is a named export, and it is the UB0z instance that acquires SeDebugPrivilege and makes the network requests.
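The chain above (rundll32 spawning rundll32, writing into the child, and the last child going to the network) is the pattern a detection should key on rather than rundll32 alone. The following is an added example, not part of the sandbox report: it rebuilds the chain from endpoint telemetry and reports one finding per injected child. The events are constructed from the PIDs, image paths and command lines shown in this report; the Sysmon-like dict schema is an assumption.

```python
"""Reconstruct the rundll32 -> rundll32 -> RUNDLL32 chain with
cross-process writes from endpoint telemetry.

Added example, not part of the sandbox report. The events are
constructed from the PIDs, image paths and command lines the report
shows; the event schema (Sysmon-like dicts) is an assumption.
"""
import re
from collections import defaultdict

RUNDLL32 = re.compile(r"\\rundll32\.exe$", re.IGNORECASE)
# rundll32 argument "<dll>,<export>": export is "#<ordinal>" or a name.
EXPORT_ARG = re.compile(r"\.dll,(#\d+|[A-Za-z0-9_@$?]+)\s*$")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\276acdc4dcceaf48ba99db546a3227e1d624bb93cf0c075480b1aba5967f95dd.dll")

# Constructed from the report's process tree and WriteProcessMemory IoCs.
EVENTS = [
    {"type": "process_create", "pid": 2396, "ppid": 4444,
     "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": rf"rundll32.exe {SAMPLE},#1"},
    {"type": "process_create", "pid": 1808, "ppid": 2396,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": rf"rundll32.exe {SAMPLE},#1"},
    {"type": "write_process_memory", "pid": 2396, "target_pid": 1808},
    {"type": "write_process_memory", "pid": 2396, "target_pid": 1808},
    {"type": "write_process_memory", "pid": 2396, "target_pid": 1808},
    {"type": "process_create", "pid": 3648, "ppid": 1808,
     "image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "cmdline": rf"C:\Windows\system32\RUNDLL32.EXE {SAMPLE},UB0z"},
    {"type": "write_process_memory", "pid": 1808, "target_pid": 3648},
    {"type": "write_process_memory", "pid": 1808, "target_pid": 3648},
    {"type": "write_process_memory", "pid": 1808, "target_pid": 3648},
    {"type": "network_connect", "pid": 3648, "dst": "167.114.188.63", "dport": 443},
]


def index_events(events):
    """Index process creates, cross-process writes and connects by PID."""
    image, parent, cmdline = {}, {}, {}
    writes = defaultdict(int)          # (writer_pid, target_pid) -> count
    net = defaultdict(list)            # pid -> [(dst, dport), ...]
    for ev in events:
        if ev["type"] == "process_create":
            image[ev["pid"]] = ev["image"]
            parent[ev["pid"]] = ev["ppid"]
            cmdline[ev["pid"]] = ev["cmdline"]
        elif ev["type"] == "write_process_memory":
            writes[(ev["pid"], ev["target_pid"])] += 1
        elif ev["type"] == "network_connect":
            net[ev["pid"]].append((ev["dst"], ev["dport"]))
    return image, parent, cmdline, writes, net


def export_of(cmdline):
    """Return the rundll32 export argument ("#1", "UB0z") or None."""
    m = EXPORT_ARG.search(cmdline)
    return m.group(1) if m else None


def find_rundll32_injection(events):
    """One finding per rundll32 child that a rundll32 parent spawned and
    then wrote into. A plain rundll32 -> rundll32 spawn without writes is
    not reported, which keeps the WoW64 hand-off alone from alerting."""
    image, parent, cmdline, writes, net = index_events(events)
    findings = []
    for pid, ppid in parent.items():
        if not (RUNDLL32.search(image.get(pid, ""))
                and RUNDLL32.search(image.get(ppid, ""))):
            continue
        n = writes.get((ppid, pid), 0)
        if n == 0:
            continue
        findings.append({
            "parent": ppid, "child": pid, "writes": n,
            "export": export_of(cmdline.get(pid, "")),
            "child_connects": net.get(pid, []),
        })
    return findings


def injection_chain(findings):
    """Follow parent -> child links through the findings into one ordered chain."""
    child_of = {f["parent"]: f["child"] for f in findings}
    children = set(child_of.values())
    roots = [p for p in child_of if p not in children]
    if not roots:
        return []
    chain = [roots[0]]
    while chain[-1] in child_of:
        chain.append(child_of[chain[-1]])
    return chain


if __name__ == "__main__":
    found = find_rundll32_injection(EVENTS)
    for f in found:
        print(f"{f['parent']} -> {f['child']} writes={f['writes']} "
              f"export={f['export']} connects={f['child_connects']}")
    print("chain:", " -> ".join(map(str, injection_chain(found))))
```

The ordinal-versus-name export in each finding is what distinguishes the loader stages in this report: the two #1 instances only stage the next process, while the UB0z instance is the one with outbound traffic.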
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1808-134-0x0000000003350000-0x00000000039AF000-memory.dmp (6.4MB)
- memory/1808-135-0x0000000003350000-0x00000000039AF000-memory.dmp (6.4MB)
- memory/3648-138-0x0000000002FF0000-0x000000000364F000-memory.dmp (6.4MB)
- memory/3648-141-0x0000000002FF0000-0x000000000364F000-memory.dmp (6.4MB)

Both dumped regions are 0x65F000 bytes (6,680,576), once in PID 1808 and again at a different base in PID 3648, the process 1808 wrote into. A same-size region reappearing in the child after those WriteProcessMemory events is the likely location of the unpacked stage, so these dumps are the place to start rather than the 3.7MB DLL on disk.