Analysis
max time kernel: 178s
max time network: 184s
platform: windows7_x64
resource: win7-20220414-en
submitted: 24-05-2022 03:35
Behavioral task behavioral1
Sample: b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll
Resource: win7-20220414-en
Behavioral task behavioral2
Sample: b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll
Resource: win10v2004-20220414-en
General
Target: b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll
Size: 671KB
MD5: 109e2f5c7ce023d6b0eb6b4f049eb547
SHA1: a7a9f41567bff15b0622930da7cbe5d33fb8f2d8
SHA256: b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d
SHA512: 13cb3ed3a6648857e6a1320021e45be33bbdd3119ab6bde1a53d93791ffa8c357f98614f74f4f365144b956d625b828c0aaff7fc9c8fdbb4d2d088aeeca69f52
Malware Config
Extracted family: danabot
C2 addresses as reported by the config extractor:
224.233.78.25
56.240.227.37
96.59.105.177
253.78.52.99
149.154.159.213
89.217.209.119
195.123.220.45
177.223.102.4
6.164.247.12
250.48.199.39
Three of these ten entries are not unicast-routable: 224.233.78.25 lies in 224.0.0.0/4 (multicast), and 253.78.52.99 and 250.48.199.39 lie in 240.0.0.0/4 (reserved). Treat the list as extractor output to be vetted rather than a ready-made blocklist; the seven remaining addresses are the ones worth checking against proxy and firewall telemetry.
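As an added example (not part of the sandbox report and not DanaBot or Triage tooling), the following Python buckets each address from the extracted config using only the standard library's ipaddress module, so that multicast and reserved entries are separated from routable ones before anything is pushed to a blocklist. The address list is copied from the report; the bucket names and the classification order are our own.

```python
"""Classify extracted C2 addresses before they are pushed anywhere.

Added example: the address list is copied from the report's extracted DanaBot
config; the bucket names and classification order are our own.
"""
import ipaddress
from collections import defaultdict

# Addresses exactly as listed under "Malware Config" in the report.
EXTRACTED_C2 = [
    "224.233.78.25", "56.240.227.37", "96.59.105.177", "253.78.52.99",
    "149.154.159.213", "89.217.209.119", "195.123.220.45", "177.223.102.4",
    "6.164.247.12", "250.48.199.39",
]


def classify(addr: str) -> str:
    """Bucket one address string.

    Non-routable classes are tested first, so whatever reaches "routable"
    is unicast space that could actually carry C2 traffic. Strings that do
    not parse are reported as "invalid" rather than silently dropped.
    """
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return "invalid"
    if ip.is_multicast:          # 224.0.0.0/4 or ff00::/8
        return "multicast"
    if ip.is_reserved:           # 240.0.0.0/4
        return "reserved"
    if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
        return "non_routable"    # RFC 1918, 127/8, 169.254/16, 0.0.0.0, ...
    return "routable"


def _sort_key(addr: str):
    """Sort IPv4 before IPv6, then numerically; invalid strings sort last."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return (99, 0, addr)
    return (ip.version, int(ip), "")


def triage_c2(addrs):
    """Group extracted addresses by bucket, deduplicated and sorted."""
    buckets = defaultdict(set)
    for a in addrs:
        buckets[classify(a)].add(a.strip())
    return {k: sorted(v, key=_sort_key) for k, v in buckets.items()}


def blocklist_candidates(addrs):
    """Only routable entries are worth sending to a firewall or proxy blocklist."""
    return triage_c2(addrs).get("routable", [])


if __name__ == "__main__":
    for bucket, ips in triage_c2(EXTRACTED_C2).items():
        print(f"{bucket:13s} {len(ips):2d}  {', '.join(ips)}")
```

Running it on the report's list yields one multicast entry, two reserved entries and seven routable ones; only the last group is returned by blocklist_candidates.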
Signatures
Blocklisted process makes network request (7 IoCs)
flows 2, 3, 4, 5, 6, 7, 8: PID 1164 rundll32.exe
Program crash (1 IoC)
PID 1176 WerFault.exe, target PID 1600 rundll32.exe
Suspicious use of WriteProcessMemory (18 IoCs)
PID 1464 rundll32.exe wrote to memory of PID 1600 rundll32.exe (7 events)
PID 1600 rundll32.exe wrote to memory of PID 1164 rundll32.exe (7 events)
PID 1600 rundll32.exe wrote to memory of PID 1176 WerFault.exe (4 events)
Processes
C:\Windows\SysWOW64\rundll32.exe (PID 1600)
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll,#1
signature: Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\WerFault.exe (PID 1176, child of 1600)
  command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 372
  signature: Program crash
  C:\Windows\SysWOW64\rundll32.exe (PID 1164, child of 1600)
  command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll,f0
  signature: Blocklisted process makes network request
C:\Windows\system32\rundll32.exe (PID 1464)
command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll,#1
signature: Suspicious use of WriteProcessMemory

Reading the chain: the submission was started through the 64-bit rundll32.exe (PID 1464, system32) with export ordinal 1 (",#1"). The WriteProcessMemory events show 1464 writing into the 32-bit rundll32.exe (PID 1600, SysWOW64), consistent with the 64-bit rundll32 re-launching its SysWOW64 counterpart for a 32-bit DLL. PID 1600 in turn started a second 32-bit rundll32.exe (PID 1164) calling the export named "f0", and WerFault.exe (PID 1176) was invoked for PID 1600 (-p 1600), so the "Program crash" signature refers to the ordinal-1 instance while the "f0" instance is the one making network connections. A DLL loaded from the user's %LOCALAPPDATA%\Temp, rundll32 spawning rundll32, and a non-descriptive export name are the points a detection rule would key on.
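As an added example, not part of the report, the following Python rebuilds the process chain from the report's WriteProcessMemory events (reproduced in the same run-on format the Signatures section uses) and scores the four command lines listed above. The event parsing and the flag names (dll_in_user_temp, export_by_ordinal, short_opaque_export) are our own illustrative heuristics, and the three-character "short export" cut-off is an arbitrary choice.

```python
"""Rebuild the process chain from WriteProcessMemory events and score rundll32
command lines.

Added example, not part of the sandbox report. Event text and command lines
are copied from the report; the parsing and the flag heuristics are ours.
"""
import re
from collections import Counter, defaultdict

# The report renders the 18 events as one run-on line; reproduced here as
# 7 + 7 + 4 repetitions of the three distinct events it contains.
WPM_TEXT = (
    "PID 1464 wrote to memory of 1600 1464 rundll32.exe rundll32.exe " * 7
    + "PID 1600 wrote to memory of 1164 1600 rundll32.exe rundll32.exe " * 7
    + "PID 1600 wrote to memory of 1176 1600 rundll32.exe WerFault.exe " * 4
)
DLL = (r"C:\Users\Admin\AppData\Local\Temp"
       r"\b0ea572735d5ed53cab38cbb61682355fcc951df7e411a532f56f236a3ad5f3d.dll")
# Command lines from the report's Processes section, keyed by PID.
CMDLINES = {
    1464: f"rundll32.exe {DLL},#1",
    1600: f"rundll32.exe {DLL},#1",
    1176: r"C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 372",
    1164: rf"C:\Windows\SysWOW64\rundll32.exe {DLL},f0",
}
# "PID <src> wrote to memory of <dst> <src> <src_image> <dst_image>";
# the back-reference \1 insists the repeated source PID is consistent.
EVENT_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\S+)")


def parse_wpm(text):
    """Return (Counter of (src_pid, dst_pid) -> event count, {pid: image})."""
    counts, images = Counter(), {}
    for m in EVENT_RE.finditer(text):
        src, dst = int(m[1]), int(m[2])
        counts[(src, dst)] += 1
        images[src], images[dst] = m[3], m[4]
    return counts, images


def build_tree(counts):
    """Parent -> children map plus the root PIDs (writers nobody wrote into).

    A parent writes into a freshly created child before it runs, so when a
    sandbox only shows memory writes, the write edge is a usable proxy for
    the spawn relationship.
    """
    children, targets = defaultdict(list), set()
    for src, dst in counts:
        children[src].append(dst)
        targets.add(dst)
    return children, sorted(set(children) - targets)


def render_tree(children, images, pids, depth=0):
    """Indented text lines, one per process, depth-first."""
    lines = []
    for pid in pids:
        lines.append("  " * depth + f"{images.get(pid, '?')} (PID {pid})")
        lines += render_tree(children, images, sorted(children.get(pid, [])), depth + 1)
    return lines


RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)
USER_TEMP_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)


def rundll32_flags(cmdline):
    """Reasons a rundll32 command line deserves attention (empty if none).

    Flag names and the three-character "short export" cut-off are our own
    illustrative choices, not a published rule.
    """
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return []
    flags = []
    if USER_TEMP_RE.search(m["dll"]):
        flags.append("dll_in_user_temp")
    if m["export"].startswith("#"):
        flags.append("export_by_ordinal")
    elif re.fullmatch(r"[A-Za-z0-9]{1,3}", m["export"]):
        flags.append("short_opaque_export")
    return flags


def process_chain_report(wpm_text, cmdlines):
    """Tree lines plus {pid: flags} for every command line supplied."""
    counts, images = parse_wpm(wpm_text)
    children, roots = build_tree(counts)
    return render_tree(children, images, roots), {p: rundll32_flags(c) for p, c in cmdlines.items()}


if __name__ == "__main__":
    tree, flagged = process_chain_report(WPM_TEXT, CMDLINES)
    print("\n".join(tree))
    for pid, flags in flagged.items():
        print(pid, flags or "-")
```

On the report's data this yields a single root (PID 1464) with 1600 beneath it and 1164 and 1176 beneath that, and flags both rundll32 instances that load the DLL from the user's Temp directory; the WerFault.exe line gets no flags.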
Network
MITRE ATT&CK Matrix
Downloads
memory/1164-57-0x0000000000000000-mapping.dmp
memory/1176-60-0x0000000000000000-mapping.dmp
memory/1600-54-0x0000000000000000-mapping.dmp
memory/1600-55-0x0000000076721000-0x0000000076723000-memory.dmp (8KB)
memory/1600-56-0x0000000000240000-0x00000000002F4000-memory.dmp (720KB)
The 720KB region at 0x240000 in PID 1600 is close in size to the 671KB file on disk and is the natural first candidate when looking for the module's in-memory image. Only a mapping entry, and no memory region dump, is listed for PID 1164, so the instance that actually talked to the network would have to be captured separately.