Analysis
max time kernel: 182s
max time network: 189s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 09-06-2022 08:50
Behavioral task: behavioral1
Sample: 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll
Resource: win7-20220414-en
Platform: windows7_x64
0 signatures
0 seconds
General
Target: 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll
Size: 642KB
MD5: 9260c247e415b9120e17ac270d5f4f79
SHA1: 6b7ade23f53d64be0a13d843449c3ea62d65d83b
SHA256: 1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5
SHA512: 678a8f39370199d18ab6d3a04e347e4c90650e786f3670515d116ccff61f111690be978d3e7cecb4406df377507f98444a710c981b89de6a558f7e6101f4f3b3
Malware Config
Extracted
Family: danabot
C2:
rsa_pubkey.plain
Signatures

Blocklisted process makes network request (7 IoCs)
Processes: rundll32.exe
flow  pid   process
12    2884  rundll32.exe
26    2884  rundll32.exe
39    2884  rundll32.exe
48    2884  rundll32.exe
58    2884  rundll32.exe
62    2884  rundll32.exe
64    2884  rundll32.exe

Program crash (1 IoC)
Processes: WerFault.exe
pid   pid_target  process       target process
5048  3800        WerFault.exe  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes: rundll32.exe, rundll32.exe
description                          pid   process       target process
PID 3032 wrote to memory of 3800     3032  rundll32.exe  rundll32.exe
PID 3032 wrote to memory of 3800     3032  rundll32.exe  rundll32.exe
PID 3032 wrote to memory of 3800     3032  rundll32.exe  rundll32.exe
PID 3800 wrote to memory of 2884     3800  rundll32.exe  rundll32.exe
PID 3800 wrote to memory of 2884     3800  rundll32.exe  rundll32.exe
PID 3800 wrote to memory of 2884     3800  rundll32.exe  rundll32.exe
Processes

C:\Windows\system32\rundll32.exe
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\rundll32.exe
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,#1
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1502f73d89c9e0e0fbede3da1eb85a065e1954e2b3095c768cfb189e85df3ec5.dll,f0
      - Blocklisted process makes network request
    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3800 -s 816
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3800 -ip 3800