Analysis
- max time kernel: 4294188s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20220311-en
- submitted: 20-03-2022 01:18
Static task: static1
Behavioral task: behavioral1
Sample: 78cb5d4011de6debecdeb09d5004bcb2fc06e43e66a0dab113caa94972d3d6fc.dll
Resource: win7-20220311-en
General
- Target: 78cb5d4011de6debecdeb09d5004bcb2fc06e43e66a0dab113caa94972d3d6fc.dll
- Size: 3.7MB
- MD5: 0d509e2a7e135a73ee1c1dff6d33c17e
- SHA1: 4a071bb0f6a7c617066a1b9a49757e345c463b92
- SHA256: 78cb5d4011de6debecdeb09d5004bcb2fc06e43e66a0dab113caa94972d3d6fc
- SHA512: e258ffe2e12ca86e1360e8284a7f8f96d9866ebc432911aa6f9d330265d7a8a6f790b9019aa4798642a595213bde2c7533f458b1e94559addc86d2e9f3c3b433
Malware Config
Extracted
- danabot
- 1732
- 3
- 167.114.188.63:443
- 64.188.20.187:443
- 192.241.101.68:443
- 51.195.73.129:443
- embedded_hash: E1D3580C52F82AF2B3596E20FB85D9F4
- type: main
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes: RUNDLL32.EXE
  flow | pid  | process
  2    | 1972 | RUNDLL32.EXE
  3    | 1972 | RUNDLL32.EXE
  4    | 1972 | RUNDLL32.EXE
  5    | 1972 | RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (4 IoCs)
  Processes: RUNDLL32.EXE
  description                  | ioc                                                                                             | process
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | RUNDLL32.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCDJSRLN\desktop.ini                         | RUNDLL32.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini                            | RUNDLL32.EXE
  File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini                  | RUNDLL32.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: rundll32.exe, RUNDLL32.EXE
  description             | pid  | process
  Token: SeDebugPrivilege | 1884 | rundll32.exe
  Token: SeDebugPrivilege | 1972 | RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes: rundll32.exe, rundll32.exe
  description                      | pid  | process      | target process
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1876 wrote to memory of 1884 | 1876 | rundll32.exe | rundll32.exe
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
  PID 1884 wrote to memory of 1972 | 1884 | rundll32.exe | RUNDLL32.EXE
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78cb5d4011de6debecdeb09d5004bcb2fc06e43e66a0dab113caa94972d3d6fc.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\78cb5d4011de6debecdeb09d5004bcb2fc06e43e66a0dab113caa94972d3d6fc.dll,#1
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\78cb5d4011de6debecdeb09d5004bcb2fc06e43e66a0dab113caa94972d3d6fc.dll,mz5dTA==
         - Blocklisted process makes network request
         - Drops desktop.ini file(s)
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/1884-54-0x00000000763D1000-0x00000000763D3000-memory.dmp (Filesize: 8KB)
- memory/1884-55-0x0000000000910000-0x0000000000CDC000-memory.dmp (Filesize: 3.8MB)
- memory/1884-56-0x0000000002550000-0x0000000002BAF000-memory.dmp (Filesize: 6.4MB)
- memory/1884-57-0x0000000000DE0000-0x0000000000DE1000-memory.dmp (Filesize: 4KB)
- memory/1884-60-0x0000000002550000-0x0000000002BAF000-memory.dmp (Filesize: 6.4MB)
- memory/1972-59-0x0000000002280000-0x000000000264C000-memory.dmp (Filesize: 3.8MB)
- memory/1972-61-0x0000000002920000-0x0000000002F7F000-memory.dmp (Filesize: 6.4MB)
- memory/1972-62-0x0000000002F90000-0x0000000002F91000-memory.dmp (Filesize: 4KB)
- memory/1972-63-0x0000000002920000-0x0000000002F7F000-memory.dmp (Filesize: 6.4MB)