Analysis
Max time kernel: 4294187s
Max time network: 125s
Platform: windows7_x64
Resource: win7-20220310-en
Submitted: 31-03-2022 10:42

Tasks
Static task: static1
Behavioral task: behavioral1
Sample: 3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll
Resource: win7-20220310-en
General
Target: 3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll (the file name is a truncated prefix of the SHA256 below)
Size: 3.7MB
MD5: d0b45cacfd3dc46aaa82085a1ef52774
SHA1: 55b6fd06a14cf58aa9cc462a2e7c614b4121d986
SHA256: 3362bd012ef7c6f173d8d16d17769b49e611744ad254844fd29817bbdd4d437b
SHA512: c704258aa1e76b5205d2603953421b48e3a1761eb3faa1a84f56f8433e7d02877e98a5f2caaa4444f8a0c163b125bde9ffbe557a39d8b63602105891c37f9312
Malware Config
Extracted family: danabot
Unlabelled config values (as reported): 1755, 3
C2 (all on TCP/443):
  193.34.167.163:443
  134.119.186.198:443
  78.138.98.136:443
  104.168.156.222:443
Attributes:
  embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
  type: main
Signatures

Blocklisted process makes network request (4 IoCs)
  flow 2  PID 1952  RUNDLL32.EXE
  flow 3  PID 1952  RUNDLL32.EXE
  flow 4  PID 1952  RUNDLL32.EXE
  flow 5  PID 1952  RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Drops desktop.ini file(s) (6 IoCs)
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9WQZNFH4\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\QVSMV6J0\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\9Z3MD1WX\desktop.ini  RUNDLL32.EXE
  File opened for modification  C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini  RUNDLL32.EXE
  Note: every path here is an IE cache, history or Feeds Cache folder. Touching their desktop.ini files is a side effect of walking browser profile data, so this signature should be read together with the browser-data signature above rather than as the sample dropping files of its own.

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege  PID 1920  rundll32.exe
  Token: SeDebugPrivilege  PID 1952  RUNDLL32.EXE

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 1908 (rundll32.exe) wrote to memory of PID 1920 (rundll32.exe)   x7
  PID 1920 (rundll32.exe) wrote to memory of PID 1952 (RUNDLL32.EXE)   x7
Processes
(PIDs are taken from the signature tables above.)

1. C:\Windows\system32\rundll32.exe  (PID 1908)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll,#1
   - Suspicious use of WriteProcessMemory

  2. C:\Windows\SysWOW64\rundll32.exe  (PID 1920)
     Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll,#1
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory

    3. C:\Windows\SysWOW64\RUNDLL32.EXE  (PID 1952)
       Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll,qVxNjBzkAiD8
       - Blocklisted process makes network request
       - Drops desktop.ini file(s)
       - Suspicious use of AdjustPrivilegeToken

The first hop (the 64-bit system32 rundll32 starting the SysWOW64 copy with the same DLL and the same export, #1) is Windows' normal handling of a 32-bit DLL on x64 and is not itself suspicious. The second hop is the loader behaviour worth alerting on: the 32-bit process re-launches rundll32 on the same DLL with a different, random-looking export name (qVxNjBzkAiD8; the command line says system32 but the image path is SysWOW64 because of WoW64 file system redirection), and it is that third process that takes SeDebugPrivilege, walks the browser profile folders and talks to the C2 addresses listed in the Malware Config.
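The two behaviours above (a rundll32 chain that re-launches on the same DLL with a new export, followed by connections to the extracted C2 list) are what a detection should key on. The following Python is an added example, not part of the Triage report: it correlates constructed Sysmon-style process-creation and network events against the process tree and the C2 list from the Malware Config section. The event records, the parent PID 600, the benign control process (PID 2200, shell32.dll) and the field names are constructed for the example; only the sample's PIDs, command lines and C2 addresses come from the report.

```python
"""Correlate rundll32 process-creation and network events to flag the DanaBot
loader chain shown in this report. Added example; not part of the Triage
report. The event records below are constructed to mirror the report's
process tree and C2 list, plus one benign rundll32 invocation as a control."""
import re
from typing import List, Optional, Tuple

# C2 endpoints taken from the extracted DanaBot config (ip, port).
DANABOT_C2 = {
    ("193.34.167.163", 443),
    ("134.119.186.198", 443),
    ("78.138.98.136", 443),
    ("104.168.156.222", 443),
}

# rundll32 command line: <rundll32 image> <dll>,<export>; export is #ordinal or a name.
RUNDLL_RE = re.compile(r"rundll32\.exe\s+(?P<dll>.+?\.dll)\s*,\s*(?P<export>\S+)", re.IGNORECASE)
# DLLs loaded from a user profile (e.g. ...\AppData\Local\Temp) rather than a system directory.
USER_WRITABLE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll"

# Constructed Sysmon-style events: id 1 = process create, id 3 = network connect.
# PIDs 1908/1920/1952 and their command lines follow the report; PID 600 and the
# benign PID 2200 events are invented controls.
EVENTS = [
    {"id": 1, "pid": 1908, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": f"rundll32.exe {SAMPLE},#1"},
    {"id": 1, "pid": 1920, "ppid": 1908, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"rundll32.exe {SAMPLE},#1"},
    {"id": 1, "pid": 1952, "ppid": 1920, "image": r"C:\Windows\SysWOW64\RUNDLL32.EXE",
     "cmd": fr"C:\Windows\system32\RUNDLL32.EXE {SAMPLE},qVxNjBzkAiD8"},
    {"id": 3, "pid": 1952, "dst": "193.34.167.163", "dport": 443},
    {"id": 3, "pid": 1952, "dst": "104.168.156.222", "dport": 443},
    {"id": 1, "pid": 2200, "ppid": 600, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},
    {"id": 3, "pid": 2200, "dst": "13.107.4.50", "dport": 443},
]


def parse_rundll(cmd: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, export) from a rundll32 command line, or None if it is not one."""
    m = RUNDLL_RE.search(cmd)
    if not m:
        return None
    return m.group("dll").strip('"'), m.group("export")


def is_rundll32(image: str) -> bool:
    return image.lower().endswith("\\rundll32.exe")


def detect(events: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (pid, rule, detail) findings for the two behaviours in the report."""
    procs = {e["pid"]: e for e in events if e["id"] == 1}
    conns = {}
    for e in events:
        if e["id"] == 3:
            conns.setdefault(e["pid"], set()).add((e["dst"], e["dport"]))

    findings = []
    for pid, proc in procs.items():
        if not is_rundll32(proc["image"]):
            continue
        parsed = parse_rundll(proc["cmd"])
        if parsed is None:
            continue
        dll, export = parsed

        # Rule 1: rundll32 re-launched by a rundll32 parent on the same DLL but a
        # different export. The 64-bit -> SysWOW64 hop (same DLL, same export) that
        # Windows performs for a 32-bit DLL is deliberately not flagged.
        parent = procs.get(proc["ppid"])
        if parent is not None and is_rundll32(parent["image"]):
            pparsed = parse_rundll(parent["cmd"])
            if pparsed and pparsed[0].lower() == dll.lower() and pparsed[1] != export:
                findings.append((pid, "rundll32_reexec_new_export", export))

        # Rule 2: rundll32 hosting a DLL from a user profile path that connects to a
        # known DanaBot C2.
        if USER_WRITABLE.match(dll):
            for dst, port in sorted(conns.get(pid, set()) & DANABOT_C2):
                findings.append((pid, "rundll32_user_dll_c2", f"{dst}:{port}"))
    return findings


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"PID {pid}: {rule} ({detail})")
```

Run stand-alone, it reports only PID 1952: once for the export change (#1 to qVxNjBzkAiD8) and once per C2 contacted. PIDs 1908 and 1920 stay quiet because the system32 to SysWOW64 hop keeps the same export and neither process makes a network connection, and the shell32.dll control is excluded both by its system path and by its destination.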
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
Memory dumps (process PID - sequence - address range):
  memory/1920-54-0x0000000000000000-mapping.dmp
  memory/1920-55-0x0000000075441000-0x0000000075443000-memory.dmp   8KB
  memory/1920-56-0x0000000001ED0000-0x000000000229B000-memory.dmp   3.8MB
  memory/1920-57-0x00000000026B0000-0x0000000002D0E000-memory.dmp   6.4MB
  memory/1920-58-0x0000000002E60000-0x0000000002E61000-memory.dmp   4KB
  memory/1920-59-0x00000000026B0000-0x0000000002D0E000-memory.dmp   6.4MB
  memory/1952-60-0x0000000000000000-mapping.dmp
  memory/1952-62-0x00000000020B0000-0x000000000247B000-memory.dmp   3.8MB
  memory/1952-63-0x0000000002750000-0x0000000002DAE000-memory.dmp   6.4MB
  memory/1952-64-0x0000000002DC0000-0x0000000002DC1000-memory.dmp   4KB
  memory/1952-65-0x0000000002750000-0x0000000002DAE000-memory.dmp   6.4MB