Analysis

max time kernel: 160s
max time network: 167s
platform: windows10-2004_x64
resource: win10v2004-en-20220113
submitted: 20-03-2022 03:48

Static task: static1
Behavioral task: behavioral1
Sample: 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
Resource: win7-20220310-en
General

Target: 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
Size: 4.3MB
MD5: 1111538ef73e921248d56f181c4fbdbf
SHA1: a9923340f8f24a8efde9ec0b7ca8d57de2bd2245
SHA256: 6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323
SHA512: 00426648bebed8fab7f511d1ec2e5266cf0645c040274654ae396ffdefd94de48c44609f2d312159447ed8ba7a3cfab69ba3210f8716e0edd1170d4e203d7a67
Malware Config

Extracted
Family: danabot
1732
3
23.226.132.92:443
176.123.6.168:443
108.62.141.152:443
192.241.101.68:443
embedded_hash: DE420A65BFC5F29167A85A5199065A0E
type: main
Signatures

Blocklisted process makes network request (4 IoCs)
Processes:
flow  pid   process
15    4800  RUNDLL32.EXE
23    4800  RUNDLL32.EXE
29    4800  RUNDLL32.EXE
32    4800  RUNDLL32.EXE

Loads dropped DLL (2 IoCs)
Processes:
pid   process
2756  rundll32.exe
4800  RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  2756  rundll32.exe
Token: SeDebugPrivilege  4800  RUNDLL32.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
description                        pid   process                                                                target process
PID 2112 wrote to memory of 2756   2112  6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe  rundll32.exe
PID 2112 wrote to memory of 2756   2112  6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe  rundll32.exe
PID 2112 wrote to memory of 2756   2112  6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe  rundll32.exe
PID 2756 wrote to memory of 4800   2756  rundll32.exe                                                           RUNDLL32.EXE
PID 2756 wrote to memory of 4800   2756  rundll32.exe                                                           RUNDLL32.EXE
PID 2756 wrote to memory of 4800   2756  rundll32.exe                                                           RUNDLL32.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6e58348774321603f60fe0a6c9d2036c231ea67ca42ec8b8e2eff3175cea1323.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\6E5834~1.EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL,QyQffDZ1A1A=
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\6E5834~1.DLL
MD5: 276adad6bea4d7bc2f37806c10bb5ef7
SHA1: 26fad6ab56567053fba5e061b5d183341bf8b924
SHA256: ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579
SHA512: 684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07

C:\Users\Admin\AppData\Local\Temp\6E5834~1.EXE.dll
MD5: 276adad6bea4d7bc2f37806c10bb5ef7
SHA1: 26fad6ab56567053fba5e061b5d183341bf8b924
SHA256: ae6331f496ec5e72d883b5cd3459de4f35397207a2397b49d6c65e259908c579
SHA512: 684e52d7d2051e4c83e3b9fe996c54dadca74951e4c8458501a895da39039aa06c477d0bcaa3a1aa75e0b62acde1144328af85d6a224187a0bdc709fab885a07

memory/2112-130-0x00000000069B0000-0x0000000006D7A000-memory.dmp
Filesize: 3.8MB

memory/2112-131-0x0000000006D80000-0x000000000715C000-memory.dmp
Filesize: 3.9MB

memory/2112-132-0x0000000000400000-0x0000000004B6C000-memory.dmp
Filesize: 71.4MB

memory/2756-135-0x0000000002F10000-0x000000000356F000-memory.dmp
Filesize: 6.4MB

memory/2756-136-0x0000000002F10000-0x000000000356F000-memory.dmp
Filesize: 6.4MB

memory/4800-140-0x0000000002F70000-0x00000000035CF000-memory.dmp
Filesize: 6.4MB

memory/4800-143-0x0000000002F70000-0x00000000035CF000-memory.dmp
Filesize: 6.4MB