Analysis

max time kernel: 137s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 26-06-2022 03:16

Static task: static1
Behavioral task: behavioral1
Sample: 3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe
Resource: win7-20220414-en
General

Target: 3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe
Size: 5.9MB
MD5: 0345d4c916d2c9616725311f373a076d
SHA1: c89e3b9fb34f2a01883fa89b2fa9cc251a369cca
SHA256: 3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a
SHA512: 3ac77c8503a8128e434117b124809df04317fad58ecd91170a27cf69fa126f955eb9a93977eef0c00a3d1909e6c5f547a687ae8d36af0b3023a5304414902db3
Malware Config

Extracted
Family: danabot
Values (unlabeled in the extracted config): 1827, 3
C2:
  192.3.26.107:443
  193.34.167.88:443
  134.119.186.216:443
  192.210.198.12:443
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
type: main
Signatures

suricata: ET MALWARE Danabot Key Exchange Request (listed twice)

Blocklisted process makes network request (4 IoCs)
  flow  pid   process
  13    2352  RUNDLL32.EXE
  14    2352  RUNDLL32.EXE
  22    2352  RUNDLL32.EXE
  29    2352  RUNDLL32.EXE

Loads dropped DLL (3 IoCs)
  pid   process
  2220  rundll32.exe
  2352  RUNDLL32.EXE
  2352  RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoC)
  pid   pid_target  process       target process
  1040  3856        WerFault.exe  3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description              pid   process
  Token: SeDebugPrivilege  2220  rundll32.exe
  Token: SeDebugPrivilege  2352  RUNDLL32.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
  description                        pid   process                                                                 target process
  PID 3856 wrote to memory of 2220   3856  3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe  rundll32.exe   (recorded 3 times)
  PID 2220 wrote to memory of 2352   2220  rundll32.exe                                                            RUNDLL32.EXE   (recorded 3 times)
Processes

The number in front of each entry is its depth in the process tree. Image paths are given as the sandbox resolved them: the command lines name system32, but because these are 32-bit processes on a 64-bit guest the images were loaded from SysWOW64 through file-system redirection. The dropped DLL is referenced by its 8.3 short name (3636BB~1.DLL) rather than its full file name, and the value after the comma is the export that rundll32 was asked to call.

1. C:\Users\Admin\AppData\Local\Temp\3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe"
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Ywhb
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken

   2. C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3856 -s 508
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3856 -ip 3856
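Detection logic for the rundll32 chain shown in the process tree, as an added example that is not part of the Triage report. It runs three rules over constructed Sysmon-style process-create and network-connect events: rundll32 invoked on a DLL under a user's Temp directory (flagging the 8.3 short name), rundll32 spawned by rundll32, and a rundll32 connection to one of the C2 endpoints from the extracted config. The pids, image paths and command lines are copied from the tree above; the explorer.exe parent (pid 1234), the benign rundll32 control event (pid 4100) and the 10.0.0.5 destination are constructed. The registry lookup of the Uninstall key is not modelled, since Sysmon records registry writes and renames but not value reads.

```python
"""Detection rules for the rundll32 execution chain in this report.

Events are constructed Sysmon-style records: pids, images and command
lines come from the process tree; the explorer.exe parent (pid 1234) and
the benign control events (pid 4100, 10.0.0.5) are made up.
"""
import re
from dataclasses import dataclass

# C2 endpoints from the extracted Danabot config (Malware Config section).
DANABOT_C2 = {
    ("192.3.26.107", 443),
    ("193.34.167.88", 443),
    ("134.119.186.216", 443),
    ("192.210.198.12", 443),
}

# rundll32 invoked on a DLL under a user's AppData\Local\Temp, e.g.
#   rundll32.exe C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Z
# Captures the DLL path and the export name that follows the comma.
TEMP_DLL_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+'
    r'(?P<dll>[A-Za-z]:\\Users\\[^\\\s"]+\\AppData\\Local\\Temp\\[^,\s"]+)'
    r'\s*,\s*(?P<export>\S+)',
    re.IGNORECASE,
)
# 8.3 short-name component such as 3636BB~1.DLL.
SHORT_NAME_RE = re.compile(r"~\d+\.")

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\3636bb4d7a81b707d75b8bae453b36392e899e04b03c31d6f472d9ba087be90a.exe"


@dataclass
class Event:
    kind: str                 # "process_create" or "network_connect"
    pid: int
    image: str
    parent_pid: int = 0
    parent_image: str = ""
    command_line: str = ""
    dest_ip: str = ""
    dest_port: int = 0


EVENTS = [
    # explorer.exe (pid 1234) as parent of the sample is constructed.
    Event("process_create", 3856, SAMPLE, 1234, r"C:\Windows\explorer.exe",
          f'"{SAMPLE}"'),
    Event("process_create", 2220, r"C:\Windows\SysWOW64\rundll32.exe", 3856, SAMPLE,
          r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Z "
          r"C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE"),
    Event("process_create", 2352, r"C:\Windows\SysWOW64\RUNDLL32.EXE", 2220,
          r"C:\Windows\SysWOW64\rundll32.exe",
          r"C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL,Ywhb"),
    Event("network_connect", 2352, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
          dest_ip="192.3.26.107", dest_port=443),
    # Benign control (constructed): explorer launching rundll32 on a system DLL.
    Event("process_create", 4100, r"C:\Windows\System32\rundll32.exe", 1234,
          r"C:\Windows\explorer.exe",
          r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'),
    Event("network_connect", 4100, r"C:\Windows\System32\rundll32.exe",
          dest_ip="10.0.0.5", dest_port=443),
]


def is_rundll32(image: str) -> bool:
    """Match rundll32.exe regardless of case or System32/SysWOW64 location."""
    return image.lower().endswith("\\rundll32.exe")


def detect(events):
    """Return (pid, rule, detail) tuples for events matching the chain."""
    alerts = []
    for e in events:
        if e.kind == "process_create" and is_rundll32(e.image):
            m = TEMP_DLL_RE.search(e.command_line)
            if m:
                rule = "T1218.011 rundll32 loading a DLL from user Temp"
                if SHORT_NAME_RE.search(m.group("dll")):
                    rule += " (8.3 short name)"
                alerts.append((e.pid, rule, f'{m.group("dll")},{m.group("export")}'))
            if is_rundll32(e.parent_image):
                alerts.append((e.pid, "rundll32 spawned by rundll32", e.command_line))
        elif e.kind == "network_connect" and is_rundll32(e.image):
            if (e.dest_ip, e.dest_port) in DANABOT_C2:
                alerts.append((e.pid, "rundll32 connecting to known Danabot C2",
                               f"{e.dest_ip}:{e.dest_port}"))
    return alerts


if __name__ == "__main__":
    for pid, rule, detail in detect(EVENTS):
        print(f"pid {pid}: {rule}: {detail}")
```

Run against the constructed events, the rules fire four times, all on pids 2220 and 2352, and stay silent on the explorer-launched rundll32 control. The Temp-directory rule is the one worth tuning in production: installers do legitimately run rundll32 on DLLs from Temp, so pair it with the parent-child rule or the C2 list rather than alerting on it alone.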
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\3636BB~1.DLL
  Filesize: 5.7MB
  MD5: c9e2087ec59746669cb39f5b14e2eed3
  SHA1: df33f8f05ea0625be4a38e5c128962e81958a360
  SHA256: e98012ba641630a46d46c0d2070151fbe2e9a4598a6402222c32784a564582ff
  SHA512: ab5e86083108db558954a3ef405deaa22b645b5e6c660665d3aca0e9712e24455ebacbf9e4f2c1e45a61c4f18513c3390f4cb1ed621b8826ac89f8ed6f561726

C:\Users\Admin\AppData\Local\Temp\3636BB~1.EXE.dll (recorded three times with identical hashes; same content as 3636BB~1.DLL above)
  Filesize: 5.7MB
  MD5: c9e2087ec59746669cb39f5b14e2eed3
  SHA1: df33f8f05ea0625be4a38e5c128962e81958a360
  SHA256: e98012ba641630a46d46c0d2070151fbe2e9a4598a6402222c32784a564582ff
  SHA512: ab5e86083108db558954a3ef405deaa22b645b5e6c660665d3aca0e9712e24455ebacbf9e4f2c1e45a61c4f18513c3390f4cb1ed621b8826ac89f8ed6f561726
Memory dumps (name: pid-sequence, address range, size):

  memory/3856-130  0x0000000002348000-0x0000000002903000  5.7MB
  memory/3856-131  0x0000000002910000-0x0000000003005000  7.0MB
  memory/3856-132  0x0000000000400000-0x0000000001D29000  25.2MB
  memory/2220-133  mapping
  memory/2220-136  0x0000000003260000-0x00000000038C0000  6.4MB
  memory/2352-139  mapping
  memory/2352-142  0x0000000002750000-0x0000000002D0A000  5.7MB
  memory/2220-143  0x0000000003260000-0x00000000038C0000  6.4MB
  memory/2352-144  0x0000000003360000-0x00000000039C0000  6.4MB
  memory/2352-145  0x0000000003360000-0x00000000039C0000  6.4MB
  memory/3856-146  0x0000000002910000-0x0000000003005000  7.0MB
  memory/3856-147  0x0000000000400000-0x0000000001D29000  25.2MB
  memory/2352-148  0x0000000003360000-0x00000000039C0000  6.4MB