Analysis

- max time kernel: 149s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 22:12

Static task: static1
Behavioral task: behavioral1
- Sample: 95abee4d159f541d81c84f6eb33a9bba7b5d1d7293e89857390b15498e138e51.js
- Resource: win7-20220414-en
General

- Target: 95abee4d159f541d81c84f6eb33a9bba7b5d1d7293e89857390b15498e138e51.js
- Size: 1.1MB
- MD5: fe9946e628607b7d1f5b975bdd863000
- SHA1: 91fec6fb060ecb82fad71200cd75d11c8a610e40
- SHA256: 95abee4d159f541d81c84f6eb33a9bba7b5d1d7293e89857390b15498e138e51
- SHA512: 8882ef3f7629dd0372e4d03f9098c323544f7e38758ccccb0e66e3f3bccf8b90e4672a76a606c5938603d9190899894916975b1ca3ba0eaa067ed57968f682cc
Malware Config

Extracted family: danabot
C2 addresses from the extracted configuration:
- 89.144.25.243
- 14.123.141.112
- 91.121.17.109
- 97.144.123.166
- 89.144.25.104
- 37.96.21.198
- 26.18.85.30
- 88.132.191.2
- 106.9.214.152
- 161.145.156.168
Signatures

- Danabot x86 payload (3 IoCs)
  Detection of the Danabot x86 payload, mapped in memory during the execution of its loader.
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\IdkVEIfkVWId.dll | family_danabot (the same hit is listed three times)
- Blocklisted process makes network request (7 IoCs)
  flow | pid | process
  7 | 1804 | rundll32.exe
  30 | 1804 | rundll32.exe
  33 | 1804 | rundll32.exe
  36 | 1804 | rundll32.exe
  39 | 1804 | rundll32.exe
  40 | 1804 | rundll32.exe
  41 | 1804 | rundll32.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation | wscript.exe
- Loads dropped DLL (2 IoCs)
  pid | process
  4744 | regsvr32.exe
  1804 | rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox attaches its generic "likely ransomware behaviour" note to this signature; the report attributes no process and no IoC to it, and the extracted family is danabot, so read it as a behavioural hint rather than as evidence of ransomware.
- Suspicious use of WriteProcessMemory (8 IoCs)
  pid | process | target pid | target process | occurrences
  4832 | wscript.exe | 4640 | regsvr32.exe | 2
  4640 | regsvr32.exe | 4744 | regsvr32.exe | 3
  4744 | regsvr32.exe | 1804 | rundll32.exe | 3
Processes

- [1] C:\Windows\system32\wscript.exe (PID 4832)
  wscript.exe C:\Users\Admin\AppData\Local\Temp\95abee4d159f541d81c84f6eb33a9bba7b5d1d7293e89857390b15498e138e51.js
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - [2] C:\Windows\System32\regsvr32.exe (PID 4640, child of 1)
    "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\IdkVEIfkVWId.dll
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\regsvr32.exe (PID 4744, child of 2)
      -s C:\Users\Admin\AppData\Local\Temp\\IdkVEIfkVWId.dll
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      - [4] C:\Windows\SysWOW64\rundll32.exe (PID 1804, child of 3)
        C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\IdkVEIfkVWId.dll,f0
        - Blocklisted process makes network request
        - Loads dropped DLL

The PIDs are taken from the WriteProcessMemory and Loads dropped DLL signatures above. Two details of the chain matter for detection: the 64-bit System32 regsvr32.exe re-launches its SysWOW64 copy because the dropped DLL is 32-bit (the x86 payload the YARA rule matched), and the final stage is rundll32.exe calling the DLL's exported function f0, which is the process that makes the network requests. The doubled backslash in the regsvr32 command lines is as captured by the sandbox.
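The chain above (script host, regsvr32 handed a DLL from %TEMP%, the 64-bit to 32-bit regsvr32 hop, rundll32 reaching out to the extracted C2 list, and the Geo\Nation lookup) written as detection logic over a constructed Sysmon-style event list. This is an added example, not part of the sandbox report or of any vendor's rule set. The record layout (fields id, pid, ppid, image, cmd, dst, target), the parent PID 3000 of the script host, the 8.8.8.8 destination and the benign regsvr32 control entry are assumptions; the PIDs, paths, SID and IP addresses are the ones the report lists.

```python
"""Detection logic for the report's execution chain, run over constructed
Sysmon-style events. Added example, not part of the sandbox report. The
record layout is an assumption loosely modelled on Sysmon event IDs 1
(process create), 3 (network connect) and 13 (registry value read); PIDs,
paths, SID and IPs come from the report, all other field values are made up."""
import re

# C2 addresses from the report's "Malware Config" section.
DANABOT_C2 = {
    "89.144.25.243", "14.123.141.112", "91.121.17.109", "97.144.123.166",
    "89.144.25.104", "37.96.21.198", "26.18.85.30", "88.132.191.2",
    "106.9.214.152", "161.145.156.168",
}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
DLL_HOSTS = {"regsvr32.exe", "rundll32.exe"}
# "\\+" tolerates the doubled backslash the loader left in its command line.
TEMP_DLL = re.compile(r'\\appdata\\local\\temp\\+[^\s"]+\.dll', re.I)
GEO_NATION = re.compile(r"\\control panel\\international\\geo\\nation$", re.I)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
SID = "S-1-5-21-1081944012-3634099177-1681222835-1000"
EVENTS = [  # constructed; ppid 3000 of the script host is an assumption
    {"id": 1, "pid": 4832, "ppid": 3000, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": f"wscript.exe {TMP}\\95abee4d159f541d81c84f6eb33a9bba7b5d1d7293e89857390b15498e138e51.js"},
    {"id": 13, "pid": 4832, "image": r"C:\Windows\system32\wscript.exe",
     "target": f"\\REGISTRY\\USER\\{SID}\\Control Panel\\International\\Geo\\Nation"},
    {"id": 1, "pid": 4640, "ppid": 4832, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": f'"C:\\Windows\\System32\\regsvr32.exe" -s {TMP}\\\\IdkVEIfkVWId.dll'},
    {"id": 1, "pid": 4744, "ppid": 4640, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmd": f"-s {TMP}\\\\IdkVEIfkVWId.dll"},
    {"id": 1, "pid": 1804, "ppid": 4744, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": f"C:\\Windows\\SysWOW64\\rundll32.exe {TMP}\\IdkVEIfkVWId.dll,f0"},
    {"id": 3, "pid": 1804, "image": r"C:\Windows\SysWOW64\rundll32.exe", "dst": "89.144.25.243"},
    {"id": 3, "pid": 1804, "image": r"C:\Windows\SysWOW64\rundll32.exe", "dst": "8.8.8.8"},
    # Benign control (constructed): an installer registering a DLL under Program Files.
    {"id": 1, "pid": 5100, "ppid": 3000, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\tool.dll"'},
]


def _name(path):
    return path.rsplit("\\", 1)[-1].lower()


def _procs(events):
    return {e["pid"]: e for e in events if e["id"] == 1}


def _root(procs, pid):
    """Follow ppid links up to the highest ancestor we hold a record for."""
    while pid in procs and procs[pid]["ppid"] in procs:
        pid = procs[pid]["ppid"]
    return pid


def script_host_dll_loads(events):
    """regsvr32/rundll32 started by a script host with a DLL from %TEMP%."""
    procs = _procs(events)
    return [(e["pid"], e["cmd"]) for e in procs.values()
            if _name(e["image"]) in DLL_HOSTS and TEMP_DLL.search(e["cmd"])
            and _name(procs.get(e["ppid"], {"image": ""})["image"]) in SCRIPT_HOSTS]


def wow64_hops(events):
    """System32 regsvr32 relaunching its SysWOW64 copy: the 64-bit host was
    handed a 32-bit DLL (the report's x86 payload) and defers to the 32-bit one."""
    procs = _procs(events)
    hops = []
    for e in procs.values():
        p = procs.get(e["ppid"])
        if (p and _name(e["image"]) == _name(p["image"]) == "regsvr32.exe"
                and "\\syswow64\\" in e["image"].lower()
                and "\\system32\\" in p["image"].lower()):
            hops.append((p["pid"], e["pid"]))
    return hops


def c2_connections(events, c2=DANABOT_C2):
    """Connections by a DLL host whose process chain roots in a script host,
    split into hits on the extracted C2 list and other destinations to review."""
    procs = _procs(events)
    known, other = [], []
    for e in events:
        if e["id"] != 3 or _name(e["image"]) not in DLL_HOSTS:
            continue
        root = procs.get(_root(procs, e["pid"]), {"image": ""})
        if _name(root["image"]) in SCRIPT_HOSTS:
            (known if e["dst"] in c2 else other).append((e["pid"], e["dst"]))
    return known, other


def geofence_checks(events):
    """Script hosts reading HKCU\\...\\Geo\\Nation, the country-code lookup
    the report flags as a likely geofence."""
    return [(e["pid"], e["target"]) for e in events
            if e["id"] == 13 and _name(e["image"]) in SCRIPT_HOSTS
            and GEO_NATION.search(e["target"])]


if __name__ == "__main__":
    print("script host -> DLL host:", script_host_dll_loads(EVENTS))
    print("64-bit -> 32-bit regsvr32:", wow64_hops(EVENTS))
    print("C2 hits / other:", c2_connections(EVENTS))
    print("geofence lookups:", geofence_checks(EVENTS))
```

Each function answers one question from the report: which DLL host was launched straight from a script host with a %TEMP% DLL (only PID 4640, not the regsvr32-spawned children and not the Program Files control), where the regsvr32 64-bit to 32-bit hop happened, which connections from the chain hit the extracted C2 list versus need a look, and which script host read the Geo\Nation value. Rooting network events back to the script host via the parent chain is what keeps an ordinary rundll32 connection from matching.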
Downloads

- C:\Users\Admin\AppData\Local\Temp\IdkVEIfkVWId.dll
  Filesize: 284KB
  MD5: 7f73b06d9a8810e735bafaab1c5cc7a5
  SHA1: 8e46c8f4a78e510c30558a25846fa3819c101f3b
  SHA256: 7a218d6ea68caee18ad95c861d057baf0b44d593fe59e2231ed1f0916df5f1d6
  SHA512: 3cd5253f696f54fd025981af21536888f729730246275111159e0c54036a556fa57c6af27ac156bf19f79a381de776384a5ef88472acb9496956bbad932ef9c9
- memory/1804-134-0x0000000000000000-mapping.dmp (PID 1804, rundll32.exe)
- memory/4640-130-0x0000000000000000-mapping.dmp (PID 4640, System32 regsvr32.exe)
- memory/4744-132-0x0000000000000000-mapping.dmp (PID 4744, SysWOW64 regsvr32.exe)