Analysis

Max time kernel: 129s
Max time network: 45s
Platform: windows7_x64
Resource: win7-20220414-en
Submitted: 26-06-2022 17:52
Static task: static1
Behavioral task: behavioral1
Sample: D5755ED76CF2ACCD1E0A164877E72A9C568375AB9800F.dll
Resource: win7-20220414-en
General

Target: D5755ED76CF2ACCD1E0A164877E72A9C568375AB9800F.dll
Size: 5.7MB
MD5: 2c64ac9bca9c9d43dcd511ec119db8d0
SHA1: 7a2bdb27333baaef59309cca8acda19969e019cd
SHA256: d5755ed76cf2accd1e0a164877e72a9c568375ab9800f931342ff9ac2d94263f
SHA512: 66a95ad6a8510ef47b3449e95ce4fbc89610cdfde5348cb31599cff9956fe256d1a014a5c372c2fdc7e9a0254955104fb22c5455de7f747a250f25973adb0ad9
Malware Config

Extracted family: danabot
Config values (shown without labels in the report): 1765, 3
C2 endpoints from the extracted config:
  192.236.146.203:443
  192.236.162.42:443
  192.3.26.98:443
  142.44.224.16:443
embedded_hash: B2585F6479280F48B64C99F950BBF36D
type: main
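Hunting for the extracted C2 endpoints in connection logs, as an added example that is not part of the Triage report: the (ip, port) set is copied from the Malware Config above, the Zeek conn.log rows are constructed for illustration (none of them is traffic from the analysed run), and the `match_any_port` widening is this example's own choice.

```python
"""Hunt connection logs for the Danabot C2 endpoints extracted above.

Added example, not part of the Triage report. The C2 set is copied from the
report's Malware Config; the Zeek-style conn.log rows below are constructed
for illustration and are not traffic from the analysed run.
"""
from collections import Counter

# (ip, port) pairs from the extracted Danabot config.
DANABOT_C2 = {
    ("192.236.146.203", 443),
    ("192.236.162.42", 443),
    ("192.3.26.98", 443),
    ("142.44.224.16", 443),
}

# Constructed rows in Zeek conn.log column order (tab separated):
# ts uid id.orig_h id.orig_p id.resp_h id.resp_p proto service orig_bytes resp_bytes
SAMPLE_CONN_LOG = """\
1656265920.101\tCabc1\t10.0.0.15\t49211\t203.0.113.5\t443\ttcp\tssl\t1820\t5120
1656265921.550\tCabc2\t10.0.0.15\t49212\t192.236.146.203\t443\ttcp\t-\t325\t0
1656265922.012\tCabc3\t10.0.0.22\t51000\t192.3.26.98\t443\ttcp\t-\t325\t0
1656265930.777\tCabc4\t10.0.0.15\t49213\t192.236.162.42\t8443\ttcp\tssl\t900\t2200
1656265931.000\tCabc5\t10.0.0.15\t49214\t192.236.146.203\t443\ttcp\t-\t325\t0
"""

FIELDS = ["ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
          "proto", "service", "orig_bytes", "resp_bytes"]


def parse_conn_log(text):
    """Yield one dict per well-formed, non-comment line."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != len(FIELDS):
            continue  # skip malformed rows instead of aborting the hunt
        rec = dict(zip(FIELDS, parts))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        yield rec


def find_c2_hits(text, c2=DANABOT_C2, match_any_port=False):
    """Return records whose responder matches a C2 endpoint.

    Exact (ip, port) matching is the low-noise default. match_any_port=True
    widens the hunt to any port on a listed IP, for operators who move the
    C2 port between builds.
    """
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for rec in parse_conn_log(text):
        exact = (rec["resp_h"], rec["resp_p"]) in c2
        if exact or (match_any_port and rec["resp_h"] in c2_ips):
            hits.append(rec)
    return hits


def hosts_by_hit_count(hits):
    """Internal hosts ranked by number of C2 contacts, for triage order."""
    return Counter(h["orig_h"] for h in hits)


if __name__ == "__main__":
    hits = find_c2_hits(SAMPLE_CONN_LOG)
    for h in hits:
        print(f'{h["ts"]} {h["orig_h"]}:{h["orig_p"]} -> {h["resp_h"]}:{h["resp_p"]} service={h["service"]}')
    print(hosts_by_hit_count(hits))
```

The constructed C2 rows carry no Zeek service label on purpose: the Suricata alert in the Signatures section matched Danabot's own key-exchange request rather than a TLS handshake, so "port 443 without a recognised TLS session" is a reasonable secondary pivot when the IP list is stale.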
Signatures

suricata: ET MALWARE Danabot Key Exchange Request (the report lists this alert twice)
Blocklisted process makes network request (4 IoCs)

flow | pid | process
1 | 928 | RUNDLL32.EXE
2 | 928 | RUNDLL32.EXE
3 | 928 | RUNDLL32.EXE
4 | 928 | RUNDLL32.EXE
Checks installed software on the system (1 TTP)

Looks up Uninstall key entries in the registry to enumerate software on the system.
Checks processor information in registry (2 TTPs, 25 IoCs)

Processor information is often read in order to detect sandboxing environments. On its own, reading ProcessorNameString is weak evidence, since many legitimate programs display it; what makes this hit notable is the breadth: every value under both CentralProcessor\0 and CentralProcessor\1, including microcode-related values (Update Signature, Previous Update Signature, Update Status) and Configuration Data, all from the same process.

description | ioc | process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature | RUNDLL32.EXE
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | RUNDLL32.EXE
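Turning the breadth observation above into detection logic, as an added example that is not part of the Triage report. Sysmon's registry events cover key creation, value writes and renames but not reads, so the realistic host-side source for this pattern is a Process Monitor (Procmon) capture; the input below is a constructed Procmon CSV export using Procmon's default export columns, in which the PID 928 rows imitate the report's IoC list and the second process is an invented benign one. The threshold and the list of "fingerprinting" values are this example's own choices, not a published rule.

```python
"""Score processes by how exhaustively they read the CPU description keys.

Added example, not part of the Triage report. Input is a constructed Process
Monitor (Procmon) CSV export using Procmon's default export columns; the
rows for PID 928 imitate the report's IoC list, the other process is an
invented benign one. The threshold and the value selection are this
example's own choices, not a published rule.
"""
import csv
import io
import re
from collections import defaultdict

# Every value the report lists sits under this key; group 1 is the core index,
# group 2 the value name.
CPU_KEY = re.compile(
    r"^HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\(\d+)\\(.+)$",
    re.IGNORECASE,
)

# Values ordinary software rarely needs but VM/sandbox fingerprinting does
# (example's own selection; ProcessorNameString is deliberately excluded
# because many legitimate programs read it to show the CPU model).
FINGERPRINT_VALUES = {
    "~mhz", "identifier", "vendoridentifier", "featureset",
    "update signature", "previous update signature", "configuration data",
}

CPU = "HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor"


def _row(proc, pid, op, path, detail="Type: REG_SZ"):
    """One constructed Procmon CSV line (default export columns)."""
    return f'"5:52:10.0000000 PM","{proc}","{pid}","{op}","{path}","SUCCESS","{detail}"'


# Constructed capture: PID 928 reads the same value set across both cores
# (a subset of the 25 IoCs above); PID 2040 reads one display string.
_PROBED = {
    0: ["ProcessorNameString", "Identifier", "VendorIdentifier", "~MHz",
        "FeatureSet", "Update Signature", "Previous Update Signature",
        "Configuration Data"],
    1: ["ProcessorNameString", "Identifier", "VendorIdentifier", "~MHz"],
}
_rows = ['"Time of Day","Process Name","PID","Operation","Path","Result","Detail"',
         _row("RUNDLL32.EXE", 928, "RegOpenKey", CPU, "Desired Access: Read")]
for _core, _values in _PROBED.items():
    for _v in _values:
        _rows.append(_row("RUNDLL32.EXE", 928, "RegQueryValue", f"{CPU}\\{_core}\\{_v}"))
_rows.append(_row("SystemInfoApp.exe", 2040, "RegQueryValue", f"{CPU}\\0\\ProcessorNameString"))
SAMPLE_PROCMON_CSV = "\n".join(_rows) + "\n"


def score_cpu_probing(csv_text, min_distinct=6):
    """Return {pid: summary} for processes reading >= min_distinct distinct
    CentralProcessor value names (the same name on another core counts once).

    When reading a real export from disk, open it with encoding="utf-8-sig"
    so Procmon's byte-order mark does not end up in the first header name.
    """
    per_pid = defaultdict(lambda: {"process": "", "values": set(), "cores": set()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] != "RegQueryValue":
            continue  # opens/enumerations are noisier; score only reads
        m = CPU_KEY.match(row["Path"])
        if not m:
            continue
        entry = per_pid[int(row["PID"])]
        entry["process"] = row["Process Name"]
        entry["cores"].add(m.group(1))
        entry["values"].add(m.group(2).lower())

    flagged = {}
    for pid, e in per_pid.items():
        if len(e["values"]) < min_distinct:
            continue
        flagged[pid] = {
            "process": e["process"],
            "distinct_values": len(e["values"]),
            "cores": sorted(e["cores"]),
            "fingerprint_hits": sorted(e["values"] & FINGERPRINT_VALUES),
        }
    return flagged


if __name__ == "__main__":
    for pid, info in score_cpu_probing(SAMPLE_PROCMON_CSV).items():
        print(pid, info)
```

Lowering `min_distinct` to 1 surfaces the benign SystemInfoApp.exe row as well, which is the point of scoring breadth rather than alerting on any single read of these keys.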
Suspicious use of AdjustPrivilegeToken (2 IoCs)

description | pid | process
Token: SeDebugPrivilege | 1724 | rundll32.exe
Token: SeDebugPrivilege | 928 | RUNDLL32.EXE
Suspicious use of WriteProcessMemory (14 IoCs)

description | pid | process | target pid | target process | occurrences
PID 1464 wrote to memory of 1724 | 1464 | rundll32.exe | 1724 | rundll32.exe | 7
PID 1724 wrote to memory of 928 | 1724 | rundll32.exe | 928 | RUNDLL32.EXE | 7

Each parent wrote into the child it had just created, seven times per pair. The report does not record what was written.
Processes

1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\D5755ED76CF2ACCD1E0A164877E72A9C568375AB9800F.dll,#1
   Signatures: Suspicious use of WriteProcessMemory
   PID 1464 (inferred from the IoC tables: 1464 is the only rundll32.exe that writes into another process without itself appearing in the token or network IoCs)

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\D5755ED76CF2ACCD1E0A164877E72A9C568375AB9800F.dll,#1
      Signatures: Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      PID 1724 (inferred: 1724 both enables SeDebugPrivilege and writes into 928)

      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\D5755ED76CF2ACCD1E0A164877E72A9C568375AB9800F.dll,rFJaTJ8c
         Signatures: Blocklisted process makes network request; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
         PID 928 (inferred: all four network flows and all 25 registry reads are attributed to 928)

Reading the chain: process 1 is the 64-bit rundll32.exe. When it is handed a 32-bit DLL it starts the 32-bit copy from SysWOW64 with the same arguments, which is why process 2 repeats the ",#1" command line exactly. Process 3 is started by the 32-bit process 2 and calls a different, named export (rFJaTJ8c) instead of ordinal #1, so it is not that relaunch; its command line names C:\Windows\system32\RUNDLL32.EXE, but the image that actually ran is C:\Windows\SysWOW64\RUNDLL32.EXE, as expected from WOW64 file-system redirection when a 32-bit parent resolves a system32 path. The network activity and the processor-key reads both come from this third process.
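The process tree above in detection form, as an added example that is not part of the Triage report: records are constructed in the shape of the Sysmon Event ID 1 (process creation) fields that matter here. The PIDs, images and command lines of the first three records mirror the report's tree; the explorer.exe parent (PID 1300) and the benign shell32 launch (PID 2100) are invented for contrast, and the list of user-writable directories is this example's own, non-exhaustive choice.

```python
"""Flag rundll32 chains that load a DLL from a user-writable directory.

Added example, not part of the Triage report. Records are constructed in
the shape of the Sysmon Event ID 1 (process creation) fields that matter
here; the PIDs, images and command lines of the first three mirror the
report's process tree, while the explorer.exe parent (PID 1300) and the
benign shell32 launch (PID 2100) are invented for contrast.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid image cmdline ppid parent_image")

# Directories any user can write to (example's own, non-exhaustive list).
USER_WRITABLE = re.compile(
    r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\|\\Users\\Public\\|\\ProgramData\\",
    re.IGNORECASE,
)

_SAMPLE_DLL = r"C:\Users\Admin\AppData\Local\Temp\D5755ED76CF2ACCD1E0A164877E72A9C568375AB9800F.dll"

SAMPLE_EVENTS = [
    Proc(1464, r"C:\Windows\system32\rundll32.exe",
         f"rundll32.exe {_SAMPLE_DLL},#1", 1300, r"C:\Windows\explorer.exe"),
    Proc(1724, r"C:\Windows\SysWOW64\rundll32.exe",
         f"rundll32.exe {_SAMPLE_DLL},#1", 1464, r"C:\Windows\system32\rundll32.exe"),
    Proc(928, r"C:\Windows\SysWOW64\RUNDLL32.EXE",
         f"C:\\Windows\\system32\\RUNDLL32.EXE {_SAMPLE_DLL},rFJaTJ8c", 1724,
         r"C:\Windows\SysWOW64\rundll32.exe"),
    # Invented benign launch: Control Panel applet from System32.
    Proc(2100, r"C:\Windows\System32\rundll32.exe",
         r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
         1300, r"C:\Windows\explorer.exe"),
]


def is_rundll32(image):
    return image.lower().endswith("\\rundll32.exe")


def parse_rundll32(cmdline):
    """Return (dll_path, entry) from a rundll32 command line, or None.

    rundll32 takes '<dll>,<entry> [args]' after its own name: the DLL path
    runs up to the first comma (surrounding quotes dropped), the entry point
    up to the next whitespace. Real rundll32 tolerates a few more spellings;
    this covers the forms that show up in process-creation logs.
    """
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s+(.*)$', cmdline)
    if not m or "," not in m.group(1):
        return None
    dll, _, tail = m.group(1).partition(",")
    entry = tail.strip().split(None, 1)[0] if tail.strip() else ""
    return dll.strip().strip('"'), entry


def rundll32_chain(proc, by_pid):
    """proc and its ancestors that are themselves rundll32, oldest first."""
    chain, seen, cur = [proc], {proc.pid}, proc
    while True:
        parent = by_pid.get(cur.ppid)
        if parent is None or parent.pid in seen or not is_rundll32(parent.image):
            break
        chain.append(parent)
        seen.add(parent.pid)
        cur = parent
    return chain[::-1]


def assess(events):
    """Return one finding per rundll32 process with at least one reason."""
    by_pid = {p.pid: p for p in events}
    findings = []
    for p in events:
        if not is_rundll32(p.image):
            continue
        parsed = parse_rundll32(p.cmdline)
        if parsed is None:
            continue
        dll, entry = parsed
        reasons = []
        if USER_WRITABLE.search(dll):
            reasons.append("dll_in_user_writable_path")
        chain = rundll32_chain(p, by_pid)
        if len(chain) >= 3:
            # A 64-bit rundll32 relaunching its 32-bit twin for a 32-bit DLL
            # gives depth 2 with identical arguments; a third level is not
            # produced by that mechanism.
            reasons.append("rundll32_nesting_depth_3_or_more")
        parent = by_pid.get(p.ppid)
        if parent is not None and is_rundll32(parent.image):
            parent_parsed = parse_rundll32(parent.cmdline)
            if parent_parsed and parent_parsed[1] != entry:
                # The WOW64 relaunch keeps the same DLL and entry point, so a
                # changed entry point is not explained by it.
                reasons.append("entry_differs_from_parent_rundll32")
        if reasons:
            findings.append({"pid": p.pid, "dll": dll, "entry": entry,
                             "chain": [c.pid for c in chain], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in assess(SAMPLE_EVENTS):
        print(f["pid"], "->".join(map(str, f["chain"])), f["entry"], f["reasons"])
```

Only the third record collects all three reasons; the second is indistinguishable from a normal 64-to-32-bit relaunch apart from the Temp-directory DLL, which is why the path check carries the weight for the first two levels.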
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp:

file | size
memory/928-58-0x0000000000000000-mapping.dmp | (mapping file, no size listed)
memory/928-60-0x0000000001CA0000-0x000000000225C000-memory.dmp | 5.7MB
memory/928-62-0x0000000002960000-0x0000000002FC2000-memory.dmp | 6.4MB
memory/928-63-0x0000000002960000-0x0000000002FC2000-memory.dmp | 6.4MB
memory/928-64-0x0000000002960000-0x0000000002FC2000-memory.dmp | 6.4MB
memory/1724-54-0x0000000000000000-mapping.dmp | (mapping file, no size listed)
memory/1724-55-0x0000000075381000-0x0000000075383000-memory.dmp | 8KB
memory/1724-56-0x0000000001F80000-0x000000000253C000-memory.dmp | 5.7MB
memory/1724-57-0x00000000029B0000-0x0000000003012000-memory.dmp | 6.4MB
memory/1724-61-0x00000000029B0000-0x0000000003012000-memory.dmp | 6.4MB

The same two region sizes appear in both PID 1724 and PID 928: a 0x5BC000-byte (5.7MB) region, matching the size of the DLL on disk, and a 0x662000-byte (6.4MB) region that was dumped repeatedly (sequences 57 and 61 from 1724; 62, 63 and 64 from 928). The 6.4MB dumps are the ones to open first when looking for an unpacked payload, since no file of that size exists on disk; the report itself does not state what they contain.