Analysis
- max time kernel: 127s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 25-06-2022 15:48
Static task: static1
Behavioral task: behavioral1
Sample: C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
Resource: win7-20220414-en
General
- Target: C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
- Size: 4.4MB
- MD5: 2820526d4b78eb0f74e15f2755bf11a2
- SHA1: 282330102009652ba0a20de22617bf0cba352766
- SHA256: c4ba15d516f167a6dbcba5de62b0adb3e6f928a9cf746e7eb1ed5eb8bc852db2
- SHA512: fd0a9679cd82d5cb056d3dbd938877bf996bdee74bc8708f582e212d43305fdf75971cb1669e20d2f3c8e03be893f5c03b0b4577292b6a81486d1bb1e07fd44e
Malware Config
Extracted
- danabot
- 1732
- 3
- 23.106.122.10:443
- 193.34.167.163:443
- 192.236.192.241:443
- 192.236.192.238:443
- embedded_hash: CF4A570E177DE0D08BB5A391C595CBD7
- type: main
Signatures
- suricata: ET MALWARE Danabot Key Exchange Request
- Blocklisted process makes network request  4 IoCs
  Processes:
  flow  pid   process
  4     3936  RUNDLL32.EXE
  12    3936  RUNDLL32.EXE
  17    3936  RUNDLL32.EXE
  18    3936  RUNDLL32.EXE
-
  Processes:
  resource                                                                       yara_rule
  behavioral2/memory/3536-130-0x0000000000400000-0x0000000005154000-memory.dmp  upx
- Loads dropped DLL  3 IoCs
  Processes:
  pid   process
  4560  rundll32.exe
  4560  rundll32.exe
  3936  RUNDLL32.EXE
- Reads user/profile data of web browsers  2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system  1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash  1 IoCs
  Processes:
  pid   pid_target  process       target process
  3924  3536        WerFault.exe  C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
- Suspicious use of AdjustPrivilegeToken  2 IoCs
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  4560  rundll32.exe
  Token: SeDebugPrivilege  3936  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory  6 IoCs
  Processes:
  description                       pid   process                                             target process
  PID 3536 wrote to memory of 4560  3536  C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe  rundll32.exe
  PID 3536 wrote to memory of 4560  3536  C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe  rundll32.exe
  PID 3536 wrote to memory of 4560  3536  C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe  rundll32.exe
  PID 4560 wrote to memory of 3936  4560  rundll32.exe                                        RUNDLL32.EXE
  PID 4560 wrote to memory of 3936  4560  rundll32.exe                                        RUNDLL32.EXE
  PID 4560 wrote to memory of 3936  4560  rundll32.exe                                        RUNDLL32.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\C4BA15D516F167A6DBCBA5DE62B0ADB3E6F928A9CF746.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL,Zg9XfDb6ADD7
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3536 -s 388
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 3536 -ip 3536
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\C4BA15~1.DLL
  Filesize: 3.7MB
  MD5: 0564653f8803ae19550848a7ecdda706
  SHA1: 70b0f693dd490925e88a586e82bb61b8dd131348
  SHA256: 9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840
  SHA512: ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb
- C:\Users\Admin\AppData\Local\Temp\C4BA15~1.EXE.dll
  Filesize: 3.7MB
  MD5: 0564653f8803ae19550848a7ecdda706
  SHA1: 70b0f693dd490925e88a586e82bb61b8dd131348
  SHA256: 9eff7da731aa0ef03714995ccb9e885ad10b29e337ade66504bade00d5087840
  SHA512: ae43a70551cb6f15d613e088ca4512e58714424a42e7ef59aadcfbfd56b3d1d008ca1ec5d0ded64faecb7528aba882c7c3c32357824e5b0b802653bdc4da04fb
- memory/3536-144-0x0000000007005000-0x00000000073CF000-memory.dmp  Filesize: 3.8MB
- memory/3536-137-0x0000000000400000-0x0000000005154000-memory.dmp  Filesize: 77.3MB
- memory/3536-131-0x00000000073D0000-0x00000000077AD000-memory.dmp  Filesize: 3.9MB
- memory/3536-130-0x0000000000400000-0x0000000005154000-memory.dmp  Filesize: 77.3MB
- memory/3536-147-0x0000000000400000-0x0000000005154000-memory.dmp  Filesize: 77.3MB
- memory/3936-139-0x0000000000000000-mapping.dmp
- memory/3936-142-0x0000000003080000-0x00000000036DF000-memory.dmp  Filesize: 6.4MB
- memory/3936-146-0x0000000003080000-0x00000000036DF000-memory.dmp  Filesize: 6.4MB
- memory/3936-148-0x0000000003080000-0x00000000036DF000-memory.dmp  Filesize: 6.4MB
- memory/4560-136-0x0000000002430000-0x00000000027FB000-memory.dmp  Filesize: 3.8MB
- memory/4560-132-0x0000000000000000-mapping.dmp
- memory/4560-138-0x0000000002B40000-0x000000000319F000-memory.dmp  Filesize: 6.4MB
- memory/4560-141-0x0000000002B40000-0x000000000319F000-memory.dmp  Filesize: 6.4MB