Analysis
- max time kernel: 152s
- max time network: 157s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 12-06-2022 06:48

Behavioral task: behavioral1
- Sample: 21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll
- Resource: win7-20220414-en
- Platform: windows7_x64
- 0 signatures
- 0 seconds
General
- Target: 21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll
- Size: 507KB
- MD5: 79baa6436ed9504491aef41aa6f27a71
- SHA1: 99a7bfe4263ae5c1b4db5dab6ded5a02843bb12a
- SHA256: 21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70
- SHA512: c7e41359104fda345055f5ed0877da39334a62a598d2c97f38e846f25914afe1c8c0e542a97eba4ec3b9cf3d394bdbff0e0169b395e9a4da9e461cfbb0bdc452
Malware Config (extracted)
- Family: danabot
- C2:
- rsa_pubkey.plain
Signatures

Blocklisted process makes network request (8 IoCs)
Processes:
  flow  pid   process
  1     1568  rundll32.exe
  2     1568  rundll32.exe
  5     1568  rundll32.exe
  9     1568  rundll32.exe
  10    1568  rundll32.exe
  13    1568  rundll32.exe
  14    1568  rundll32.exe
  17    1568  rundll32.exe

Suspicious use of WriteProcessMemory (14 IoCs)
Processes:
  description                       pid   process       target process
  PID 1096 wrote to memory of 1912  1096  rundll32.exe  rundll32.exe   (7 identical entries)
  PID 1912 wrote to memory of 1568  1912  rundll32.exe  rundll32.exe   (7 identical entries)
Processes (process tree)
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\21f9c4c9a6873f9e0b106cf66196f36df8c1d9bcc263c36a52dc76436eabaa70.dll,f0
         - Blocklisted process makes network request
Downloads
- memory/1568-57-0x0000000000000000-mapping.dmp
- memory/1568-59-0x0000000000300000-0x000000000038C000-memory.dmp (Filesize: 560KB)
- memory/1912-54-0x0000000000000000-mapping.dmp
- memory/1912-55-0x00000000768D1000-0x00000000768D3000-memory.dmp (Filesize: 8KB)
- memory/1912-56-0x00000000002A0000-0x000000000032C000-memory.dmp (Filesize: 560KB)