Analysis
- max time kernel: 182s
- max time network: 217s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 07:28
- Static task: static1
- Behavioral task: behavioral1
- Sample: 655c0dfc1dd7f64944b9db89ed027940ea0ab9779ff96ed8a5787b6a2a9a624f.dll
- Resource: win7-20220414-en
General
- Target: 655c0dfc1dd7f64944b9db89ed027940ea0ab9779ff96ed8a5787b6a2a9a624f.dll
- Size: 644KB
- MD5: 68f559cfc1adb9f94158b41aa3f82735
- SHA1: 15a2f51821f8ed9b10918df3835e1b6103bac4c0
- SHA256: 655c0dfc1dd7f64944b9db89ed027940ea0ab9779ff96ed8a5787b6a2a9a624f
- SHA512: 817fc230e1b2baff9943a453006da503c8f9b21124a479f55463c1a1bfe735bbd1c50bff5c1897195da67a979fb54cf5fa0b152ff9a48e6d4d75d3a036125635
Malware Config
- Extracted: danabot
Signatures
- Blocklisted process makes network request (7 IoCs)
  flow  pid   process
  32    4976  rundll32.exe
  36    4976  rundll32.exe
  43    4976  rundll32.exe
  53    4976  rundll32.exe
  62    4976  rundll32.exe
  64    4976  rundll32.exe
  65    4976  rundll32.exe
- Program crash (1 IoC)
  pid   pid_target  process       target process
  3532  3388        WerFault.exe  rundll32.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process       target process
  PID 2620 wrote to memory of 3388   2620  rundll32.exe  rundll32.exe
  PID 2620 wrote to memory of 3388   2620  rundll32.exe  rundll32.exe
  PID 2620 wrote to memory of 3388   2620  rundll32.exe  rundll32.exe
  PID 3388 wrote to memory of 4976   3388  rundll32.exe  rundll32.exe
  PID 3388 wrote to memory of 4976   3388  rundll32.exe  rundll32.exe
  PID 3388 wrote to memory of 4976   3388  rundll32.exe  rundll32.exe
Processes (indentation shows the parent/child tree)
- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\655c0dfc1dd7f64944b9db89ed027940ea0ab9779ff96ed8a5787b6a2a9a624f.dll,#1
  Signature: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\655c0dfc1dd7f64944b9db89ed027940ea0ab9779ff96ed8a5787b6a2a9a624f.dll,#1
    Signature: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\655c0dfc1dd7f64944b9db89ed027940ea0ab9779ff96ed8a5787b6a2a9a624f.dll,f0
      Signature: Blocklisted process makes network request
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3388 -s 836
      Signature: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3388 -ip 3388
Downloads
- memory/3388-130-0x0000000000000000-mapping.dmp
- memory/3388-131-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/3388-132-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/3388-133-0x0000000074920000-0x00000000749CC000-memory.dmp (Filesize: 688KB)
- memory/3388-134-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/3388-138-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/4976-137-0x0000000000000000-mapping.dmp
- memory/4976-139-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/4976-141-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/4976-144-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)
- memory/4976-145-0x0000000074920000-0x00000000752D1000-memory.dmp (Filesize: 9.7MB)