Analysis
- max time kernel: 145s
- max time network: 153s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 09-06-2022 08:50
Behavioral task
- behavioral1
  Sample: 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll
  Resource: win7-20220414-en
  Platform: windows7_x64
  0 signatures
  0 seconds
General
- Target: 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll
- Size: 642KB
- MD5: 9260c247e415b9120e17ac270d5f4f79
- SHA1: 6b7ade23f53d64be0a13d843449c3ea62d65d83b
- SHA256: 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5
- SHA512: 678a8f39370199d18ab6d3a04e347e4c90650e786f3670515d116ccff61f111690be978d3e7cecb4406df377507f98444a710c981b89de6a558f7e6101f4f3b3
Malware Config
Extracted
Family: danabot
C2:
rsa_pubkey.plain
Signatures
-
Blocklisted process makes network request 8 IoCs
Processes: rundll32.exe
  flow  pid   process
  1     1664  rundll32.exe
  2     1664  rundll32.exe
  4     1664  rundll32.exe
  5     1664  rundll32.exe
  8     1664  rundll32.exe
  9     1664  rundll32.exe
  12    1664  rundll32.exe
  13    1664  rundll32.exe
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid  pid_target  process       target process
  996  908         WerFault.exe  rundll32.exe
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes: rundll32.exe, rundll32.exe
  description                      pid   process       target process
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 1800 wrote to memory of 908  1800  rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 1664  908   rundll32.exe  rundll32.exe
  PID 908 wrote to memory of 996   908   rundll32.exe  WerFault.exe
  PID 908 wrote to memory of 996   908   rundll32.exe  WerFault.exe
  PID 908 wrote to memory of 996   908   rundll32.exe  WerFault.exe
  PID 908 wrote to memory of 996   908   rundll32.exe  WerFault.exe
Processes
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,f0
      - Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 908 -s 372
      - Program crash
Network
MITRE ATT&CK Matrix
Downloads
- memory/908-54-0x0000000000000000-mapping.dmp
- memory/908-55-0x0000000074E91000-0x0000000074E93000-memory.dmp (Filesize 8KB)
- memory/908-56-0x0000000000260000-0x000000000030D000-memory.dmp (Filesize 692KB)
- memory/996-60-0x0000000000000000-mapping.dmp
- memory/1664-57-0x0000000000000000-mapping.dmp
- memory/1664-59-0x00000000002E0000-0x000000000038D000-memory.dmp (Filesize 692KB)