Analysis
- max time kernel: 4294191s
- max time network: 132s
- platform: windows7_x64
- resource: win7-20220310-en
- submitted: 20-03-2022 03:48
Static task: static1
Behavioral task: behavioral1
Sample: 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
Resource: win7-20220310-en
General
- Target: 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
- Size: 4.3MB
- MD5: 1111538ef73e921248d56f181c4fbdbf
- SHA1: a9923340f8f24a8efde9ec0b7ca8d57de2bd2245
- SHA256: 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323
- SHA512: 00426648bebed8fab7f511d1ec2e5266cf0645c040274654ae396ffdefd94de48c44609f2d312159447ed8ba7a3cfab69ba3210f8716e0edd1170d4e203d7a67
Malware Config
Extracted
danabot
1732
3
23.226.132.92:443
176.123.6.168:443
108.62.141.152:443
192.241.101.68:443
- embedded_hash: DE420A65BFC5F29167A85A5199065A0E
- type: main
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow, pid, process):
  - 2, 1328, RUNDLL32.EXE
  - 3, 1328, RUNDLL32.EXE
  - 4, 1328, RUNDLL32.EXE
  - 5, 1328, RUNDLL32.EXE
- Deletes itself (1 IoC)
  Processes (pid, process):
  - 1940, rundll32.exe
- Loads dropped DLL (8 IoCs)
  Processes (pid, process):
  - 1940, rundll32.exe (4 entries)
  - 1328, RUNDLL32.EXE (4 entries)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s) (4 IoCs)
  Processes (description, ioc, process):
  - File opened for modification, C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini, RUNDLL32.EXE
  - File opened for modification, C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9Z3MD1WX\desktop.ini, RUNDLL32.EXE
  - File opened for modification, C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\6GA0X34V\desktop.ini, RUNDLL32.EXE
  - File opened for modification, C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini, RUNDLL32.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, 1940, rundll32.exe
  - Token: SeDebugPrivilege, 1328, RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
  - PID 1740 wrote to memory of 1940, 1740, 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe, rundll32.exe (7 entries)
  - PID 1940 wrote to memory of 1328, 1940, rundll32.exe, RUNDLL32.EXE (7 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\6E5834~1.EXE
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE (depth 3)
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL,OS8KjBzlAg==
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Drops desktop.ini file(s)
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL
  MD5: 276adad6bea4d7bc2f37806c10bb5ef7
  SHA1: 26fad6ab56567053fba5e061b5d183341bf8b924
  SHA256: ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579
  SHA512: 684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07
- memory/1328-73-0x0000000001E60000-0x000000000222B000-memory.dmp (Filesize 3.8MB)
- memory/1328-76-0x0000000002640000-0x0000000002C9F000-memory.dmp (Filesize 6.4MB)
- memory/1328-75-0x0000000002E30000-0x0000000002E31000-memory.dmp (Filesize 4KB)
- memory/1328-74-0x0000000002640000-0x0000000002C9F000-memory.dmp (Filesize 6.4MB)
- memory/1740-55-0x0000000006970000-0x0000000006D4C000-memory.dmp (Filesize 3.9MB)
- memory/1740-54-0x00000000065A0000-0x000000000696A000-memory.dmp (Filesize 3.8MB)
- memory/1740-56-0x0000000000400000-0x0000000004B6C000-memory.dmp (Filesize 71.4MB)
- memory/1740-57-0x0000000075441000-0x0000000075443000-memory.dmp (Filesize 8KB)
- memory/1940-67-0x0000000002C20000-0x0000000002C21000-memory.dmp (Filesize 4KB)
- memory/1940-66-0x00000000025B0000-0x0000000002C0F000-memory.dmp (Filesize 6.4MB)
- memory/1940-65-0x00000000025B0000-0x0000000002C0F000-memory.dmp (Filesize 6.4MB)
- memory/1940-64-0x0000000001F10000-0x00000000022DB000-memory.dmp (Filesize 3.8MB)