Analysis
- max time kernel: 144s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220310-en
- submitted: 31-03-2022 10:42
Static task: static1
Behavioral task: behavioral1
Sample: 3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll
Resource: win7-20220310-en
General
- Target: 3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll
- Size: 3.7MB
- MD5: d0b45cacfd3dc46aaa82085a1ef52774
- SHA1: 55b6fd06a14cf58aa9cc462a2e7c614b4121d986
- SHA256: 3362bd012ef7c6f173d8d16d17769b49e611744ad254844fd29817bbdd4d437b
- SHA512: c704258aa1e76b5205d2603953421b48e3a1761eb3faa1a84f56f8433e7d02877e98a5f2caaa4444f8a0c163b125bde9ffbe557a39d8b63602105891c37f9312
Malware Config
Extracted: danabot
1755
3
- 193.34.167.163:443
- 134.119.186.198:443
- 78.138.98.136:443
- 104.168.156.222:443
- embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
- type: main
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes (flow, pid, process):
  - flow 26, pid 1360, RUNDLL32.EXE
  - flow 41, pid 1360, RUNDLL32.EXE
  - flow 47, pid 1360, RUNDLL32.EXE
  - flow 74, pid 1360, RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Modifies data under HKEY_USERS (6 IoCs)
  Processes (description, ioc, process):
  - Set value (data): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceTicket = [value omitted]; svchost.exe
  - Set value (str): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\DeviceId = "001800082590F9DC"; svchost.exe
  - Set value (int): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}\ApplicationFlags = "1"; svchost.exe
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Property; svchost.exe
  - Set value (data): \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\IdentityCRL\Immersive\production\Property\001800082590F9DC = [value omitted]; svchost.exe
  - Key created: \REGISTRY\USER\S-1-5-19\Software\Microsoft\IdentityCRL\Immersive\production\Token\{D6D5A677-0872-4AB0-9442-BB792FCE85C5}; svchost.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege, pid 3552, rundll32.exe
  - Token: SeDebugPrivilege, pid 1360, RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
  - PID 3448 wrote to memory of 3552; 3448 rundll32.exe -> rundll32.exe
  - PID 3448 wrote to memory of 3552; 3448 rundll32.exe -> rundll32.exe
  - PID 3448 wrote to memory of 3552; 3448 rundll32.exe -> rundll32.exe
  - PID 3552 wrote to memory of 1360; 3552 rundll32.exe -> RUNDLL32.EXE
  - PID 3552 wrote to memory of 1360; 3552 rundll32.exe -> RUNDLL32.EXE
  - PID 3552 wrote to memory of 1360; 3552 rundll32.exe -> RUNDLL32.EXE
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3362BD012EF7C6F173D8D16D17769B49E611744AD2548.dll,WxpBZA==
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
  - Modifies data under HKEY_USERS
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k appmodel -p -s camsvc
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1360-143-0x0000000000000000-mapping.dmp
- memory/1360-144-0x0000000002120000-0x00000000024EB000-memory.dmp (filesize 3.8MB)
- memory/1360-145-0x0000000002970000-0x0000000002FCE000-memory.dmp (filesize 6.4MB)
- memory/1360-146-0x0000000003120000-0x0000000003121000-memory.dmp (filesize 4KB)
- memory/1360-151-0x0000000002970000-0x0000000002FCE000-memory.dmp (filesize 6.4MB)
- memory/3552-134-0x0000000000000000-mapping.dmp
- memory/3552-135-0x0000000001F20000-0x00000000022EB000-memory.dmp (filesize 3.8MB)
- memory/3552-136-0x00000000028F0000-0x0000000002F4E000-memory.dmp (filesize 6.4MB)
- memory/3552-137-0x0000000003160000-0x0000000003161000-memory.dmp (filesize 4KB)
- memory/3552-141-0x00000000028F0000-0x0000000002F4E000-memory.dmp (filesize 6.4MB)