Analysis
- max time kernel: 162s
- max time network: 181s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 16-05-2022 21:34

Static task: static1
Behavioral task: behavioral1
- Sample: 001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe
- Resource: win7-20220414-en
General
- Target: 001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe
- Size: 4.9MB
- MD5: b3ac1bb9077189033e3d426090d86155
- SHA1: dae9827f34d94179aa956c12012b3472c8a74fb3
- SHA256: 001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af
- SHA512: 6cf5cc1ad10096e00405a5fc675300db67405f326839107c5656442e1173c5cdb13a0efaaf3a54b875695e1381b7402682d9421125e76cba82b5f65751572f12
Malware Config
Extracted:
- danabot
- 1732
- 3
- 23.226.132.92:443
- 23.106.123.249:443
- 108.62.141.152:443
- 104.144.64.163:443
- embedded_hash: 49574F66CD0103BBD725C08A9805C2BE
- type: main
Signatures
- Blocklisted process makes network request (4 IoCs)
  Processes:
    flow  pid   process
    6     4080  RUNDLL32.EXE
    25    4080  RUNDLL32.EXE
    31    4080  RUNDLL32.EXE
    35    4080  RUNDLL32.EXE
- Loads dropped DLL (4 IoCs)
  Processes:
    pid   process
    5000  rundll32.exe
    5000  rundll32.exe
    4080  RUNDLL32.EXE
    4080  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  Processes:
    pid   pid_target  process       target process
    4220  2000        WerFault.exe  001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  5000  rundll32.exe
    Token: SeDebugPrivilege  4080  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                       pid   process                                                                   target process
    PID 2000 wrote to memory of 5000  2000  001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe  rundll32.exe
    PID 2000 wrote to memory of 5000  2000  001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe  rundll32.exe
    PID 2000 wrote to memory of 5000  2000  001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe  rundll32.exe
    PID 5000 wrote to memory of 4080  5000  rundll32.exe                                                              RUNDLL32.EXE
    PID 5000 wrote to memory of 4080  5000  rundll32.exe                                                              RUNDLL32.EXE
    PID 5000 wrote to memory of 4080  5000  rundll32.exe                                                              RUNDLL32.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\001b027326f1f5c85828de1a2d2795a6ad5648a75b4c837ffa453202e7c980af.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\001B02~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\001B02~1.EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE (depth 3)
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\001B02~1.DLL,qkxefDZwAxj6
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2000 -s 540
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 2000 -ip 2000
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\001B02~1.DLL
  Filesize: 3.7MB
  MD5: f26f748189e89ba787e8a68284689617
  SHA1: 48ec327fadb4065f3d0e37f76201344971e1468f
  SHA256: 9b1ae4317956215ba51e7d37a5f082626628f33f8ae868d969e9b56682c276ef
  SHA512: 34758cba4e046d076a88bd7926bb2422ad2dcbd5e62d2d3c42089329e572644115b86c67cd09e58c95d8d297f44e6476c6e9974aff39c0060cb7b13eaa8f961b
- C:\Users\Admin\AppData\Local\Temp\001B02~1.EXE.dll
  Filesize: 3.7MB
  MD5: f26f748189e89ba787e8a68284689617
  SHA1: 48ec327fadb4065f3d0e37f76201344971e1468f
  SHA256: 9b1ae4317956215ba51e7d37a5f082626628f33f8ae868d969e9b56682c276ef
  SHA512: 34758cba4e046d076a88bd7926bb2422ad2dcbd5e62d2d3c42089329e572644115b86c67cd09e58c95d8d297f44e6476c6e9974aff39c0060cb7b13eaa8f961b
- memory/2000-133-0x00000000050E0000-0x00000000054AB000-memory.dmp (Filesize: 3.8MB)
- memory/2000-137-0x00000000054B0000-0x000000000588D000-memory.dmp (Filesize: 3.9MB)
- memory/2000-130-0x0000000000400000-0x0000000004B69000-memory.dmp (Filesize: 71.4MB)
- memory/2000-143-0x0000000000400000-0x0000000004B69000-memory.dmp (Filesize: 71.4MB)
- memory/4080-145-0x00000000029E0000-0x000000000303F000-memory.dmp (Filesize: 6.4MB)
- memory/4080-139-0x0000000000000000-mapping.dmp
- memory/4080-142-0x00000000022D0000-0x000000000269B000-memory.dmp (Filesize: 3.8MB)
- memory/4080-146-0x00000000029E0000-0x000000000303F000-memory.dmp (Filesize: 6.4MB)
- memory/5000-138-0x0000000002EC0000-0x000000000351F000-memory.dmp (Filesize: 6.4MB)
- memory/5000-144-0x0000000002EC0000-0x000000000351F000-memory.dmp (Filesize: 6.4MB)
- memory/5000-136-0x00000000026B0000-0x0000000002A7B000-memory.dmp (Filesize: 3.8MB)
- memory/5000-131-0x0000000000000000-mapping.dmp