Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-06-2022 07:52

Static task: static1
Behavioral task: behavioral1
  Sample: 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Resource: win7-20220414-en
Behavioral task: behavioral2
  Sample: 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Resource: win10v2004-20220414-en

General
Target: 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Size: 1.0MB
MD5: ba55442cdf361e070f7ca8a07046cd38
SHA1: e61d143672c9bad99472aa885003a20574eddf32
SHA256: 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc
SHA512: a6e1669bf9a159d3d36aa24e7210854667c144f0f34c7d38fb6c2848d1687964c7d48d7760f99898eb4eb8d8eebf1be595890e80273c7d4326069c2a9d13feff
Malware Config

Extracted: danabot
  C2 addresses (IP:port, as extracted):
    100.0.0.0:5148
    58.50.42.34:13886
    26.18.10.2:5662
    60.52.44.36:14400
  embedded_hash: zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
  type: loader

Extracted: danabot
  (unlabelled value) 3829762824
  C2 addresses (IP:port, as extracted):
    0.0.233.180:63873
    0.0.0.235:0
    115.139.85.12:17803
    51.201.138.10:3141
  embedded_hash: s�t�e�m�.�I�d�e�n�t�i�t�y�M�o�d� (as extracted; the interleaved replacement characters and the readable "...IdentityMod..." fragment suggest the extractor picked up a wide-character string rather than a hash, so treat this second block with less confidence than the first)
  type: loader
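The two extracted configs above list IP:port pairs, but not every entry is something you can act on: 0.0.0.235:0 has port 0, and both 0.0.x.x entries fall in 0.0.0.0/8, which is not routable on the Internet. The block below is an added example, not part of the sandbox report or of any Triage tooling, that parses the extracted list (reproduced here as a constructed string) and separates entries that can go into a network blocklist from those that cannot, then renders the usable ones as Suricata rules. `actionable` means only that the address is globally routable and the port valid, not that the host has been confirmed as live C2; the TCP transport and the `sid` base are assumptions for the sake of the rule output.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed from the two "Extracted danabot" blocks on this page, in the order given there.
EXTRACTED_C2 = """
100.0.0.0:5148
58.50.42.34:13886
26.18.10.2:5662
60.52.44.36:14400
0.0.233.180:63873
0.0.0.235:0
115.139.85.12:17803
51.201.138.10:3141
"""

_LINE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


@dataclass(frozen=True)
class C2Entry:
    host: str
    port: int
    actionable: bool   # routable address and valid port; NOT proof of live C2
    reason: str


def classify_c2_line(line: str) -> C2Entry:
    """Parse one 'a.b.c.d:port' entry and decide whether it can be blocked as-is."""
    m = _LINE.match(line.strip())
    if not m:
        raise ValueError(f"not an IPv4:port entry: {line!r}")
    host, port = m.group(1), int(m.group(2))
    addr = ipaddress.ip_address(host)          # raises on octets > 255
    if not 1 <= port <= 65535:
        return C2Entry(host, port, False, "port out of range")
    # is_global is False for 0.0.0.0/8, RFC 1918, loopback, link-local, TEST-NETs, etc.
    if not addr.is_global:
        return C2Entry(host, port, False, "non-routable address")
    return C2Entry(host, port, True, "routable")


def classify_c2_list(text: str) -> list[C2Entry]:
    return [classify_c2_line(l) for l in text.splitlines() if l.strip()]


def blocklist(text: str) -> list[str]:
    """Only the entries that are safe to push to a firewall or proxy denylist."""
    return [f"{e.host}:{e.port}" for e in classify_c2_list(text) if e.actionable]


def suricata_rules(text: str, base_sid: int = 1000001) -> list[str]:
    """Render actionable entries as Suricata alert rules (TCP assumed; sid range assumed)."""
    rules = []
    for i, e in enumerate(x for x in classify_c2_list(text) if x.actionable):
        rules.append(
            f'alert tcp $HOME_NET any -> {e.host} {e.port} '
            f'(msg:"DanaBot C2 {e.host}:{e.port}"; sid:{base_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    for e in classify_c2_list(EXTRACTED_C2):
        print(f"{e.host}:{e.port:<6} {'BLOCK' if e.actionable else 'skip '} ({e.reason})")
    print("\n".join(suricata_rules(EXTRACTED_C2)))
```

Run it as-is to see the six routable entries and the two that are skipped; feed a fresh extractor dump through `classify_c2_list` before copying anything into a blocklist, since a bogus 0.0.0.0/8 entry is harmless in a rule but a sign that the config parse may be unreliable.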
Signatures

Blocklisted process makes network request (2 IoCs)
  flow | pid | process
  8 | 1548 | rundll32.exe
  9 | 1548 | rundll32.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers commonly harvest stored browser data, which can include saved credentials and session cookies.
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | process | target process
  PID 1388 set thread context of 1592 | 1388 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe | rundll32.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature is "likely ransomware behaviour"; for a loader/stealer such as this sample it is equally consistent with enumerating drives for files to collect, so weigh it together with the other signatures rather than on its own.
Program crash (4 IoCs)
  pid | pid_target | process | target process
  2852 | 1388 | WerFault.exe | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  4756 | 1388 | WerFault.exe | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  4812 | 1388 | WerFault.exe | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  4588 | 1388 | WerFault.exe | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
Checks processor information in registry (2 TTPs, 45 IoCs)
Processor information is often read in order to detect sandboxing environments. The same keys are also read by legitimate runtimes and installers, so this signature carries weight mainly in combination with the injection and credential-access signatures below.
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | rundll32.exe
Modifies registry class (1 IoCs)
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | rundll32.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | process
  1592 | rundll32.exe
  1592 | rundll32.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 1592 | rundll32.exe
Suspicious use of FindShellTrayWindow (1 IoCs)
  pid | process
  1592 | rundll32.exe
Suspicious use of WriteProcessMemory (23 IoCs)
  description | pid | process | target process | records
  PID 1388 wrote to memory of 1548 | 1388 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe | rundll32.exe | 19 identical records
  PID 1388 wrote to memory of 1592 | 1388 | 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe | rundll32.exe | 4 identical records
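The WriteProcessMemory and SetThreadContext records above describe the injection chain: the sample (PID 1388) writes into two rundll32.exe children and sets the thread context of one of them (1592), which is the pattern of hollowing or thread hijacking a trusted host binary. The block below is an added example, not code from the report, that parses event lines in the report's own `PID <src> <verb> <dst> <src> <src image> <dst image>` layout and flags targets that received both remote writes and a SetThreadContext. The sample input is constructed from this page's records, abridged to 3 of the 19 writes to PID 1548.

```python
import re
from dataclasses import dataclass
from typing import Iterator

# Constructed sample, abridged from the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" records on this page (PIDs and image names as
# reported there; the page lists 19 writes to 1548 and 4 to 1592, only 3 of the 19 shown).
SAMPLE = """
PID 1388 wrote to memory of 1548 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 wrote to memory of 1548 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 wrote to memory of 1548 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 wrote to memory of 1592 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 wrote to memory of 1592 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 wrote to memory of 1592 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 wrote to memory of 1592 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
PID 1388 set thread context of 1592 1388 284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe rundll32.exe
"""

# One record: "PID <src> <verb> <dst> <src again> <src image> <dst image>"
EVENT = re.compile(
    r"^PID (?P<src>\d+) (?P<verb>wrote to memory of|set thread context of) (?P<dst>\d+) "
    r"(?P<src_again>\d+) (?P<src_image>\S+) (?P<dst_image>\S+)$"
)


@dataclass
class TargetSummary:
    src: int
    src_image: str
    dst: int
    dst_image: str
    writes: int = 0
    thread_context_set: bool = False

    @property
    def hollowing_suspected(self) -> bool:
        # Remote writes followed by SetThreadContext on the same target is the classic
        # hollowing / thread-hijack pattern; writes alone are weaker (but not zero) evidence.
        return self.writes > 0 and self.thread_context_set


def parse_events(text: str) -> Iterator[dict]:
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = EVENT.match(line)
        if not m:
            raise ValueError(f"unrecognised event: {line!r}")
        yield m.groupdict()


def summarise(text: str) -> dict[int, TargetSummary]:
    """Fold the event stream into one summary per target PID."""
    out: dict[int, TargetSummary] = {}
    for ev in parse_events(text):
        dst = int(ev["dst"])
        s = out.setdefault(dst, TargetSummary(int(ev["src"]), ev["src_image"], dst, ev["dst_image"]))
        if ev["verb"].startswith("wrote"):
            s.writes += 1
        else:
            s.thread_context_set = True
    return out


def suspected_hollowed(text: str) -> list[int]:
    return sorted(pid for pid, s in summarise(text).items() if s.hollowing_suspected)


if __name__ == "__main__":
    for pid, s in sorted(summarise(SAMPLE).items()):
        verdict = "HOLLOWING SUSPECTED" if s.hollowing_suspected else "writes only"
        print(f"{s.src} ({s.src_image[:12]}...) -> {pid} ({s.dst_image}): "
              f"{s.writes} writes, SetThreadContext={s.thread_context_set}: {verdict}")
```

On this report the verdict is 1592 only. Do not discard the write-only target, though: PID 1548 received 19 writes and no SetThreadContext record, yet it is the rundll32.exe that made the two network requests in the first signature, so both children deserve a memory dump.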
outlook_office_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe

outlook_win_path (1 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe (depth 1, PID 1388)
  command line: "C:\Users\Admin\AppData\Local\Temp\284eb686af9cb14c8176f47708136a9643af1b5c5102b61737735c6a04bef4fc.exe"
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2; PID 1548 per the network-request IoCs)
    command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Blocklisted process makes network request
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 620
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 872
    - Program crash
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 936
    - Program crash
  - C:\Windows\SysWOW64\rundll32.exe (depth 2; PID 1592 per the Outlook and token IoCs)
    command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Accesses Microsoft Outlook accounts
    - Accesses Microsoft Outlook profiles
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - outlook_office_path
    - outlook_win_path
  - C:\Windows\SysWOW64\WerFault.exe (depth 2)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1016
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 1388 -ip 1388
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 1388 -ip 1388
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 1388 -ip 1388
- C:\Windows\SysWOW64\WerFault.exe (depth 1)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 1388 -ip 1388
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\Ouuorspuqqpf.tmp
  Filesize: 3.1MB
  MD5: 89704d53dd9ad75a12c7e8c75f98c78e
  SHA1: 4515d539f7813726592c940386c5553185ea18b0
  SHA256: 9a9aced19fc12d0d7542d37f4429196318d1a85c7843b6f6704c3a318f80319b
  SHA512: 7a1a446e21dbcaf73371e234721dcdf21e485744d1814d74702de14a9c758b874a2cb166a20230df2604271bf3121b00498df7d85641c02dd81bc14335b3b75e
- memory/1388-142-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-133-0x0000000000400000-0x0000000000725000-memory.dmp (Filesize: 3.1MB)
- memory/1388-143-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-145-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-144-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-136-0x0000000000400000-0x0000000000725000-memory.dmp (Filesize: 3.1MB)
- memory/1388-130-0x0000000002471000-0x0000000002553000-memory.dmp (Filesize: 904KB)
- memory/1388-138-0x0000000003130000-0x0000000003B8A000-memory.dmp (Filesize: 10.4MB)
- memory/1388-139-0x0000000003130000-0x0000000003B8A000-memory.dmp (Filesize: 10.4MB)
- memory/1388-140-0x0000000003130000-0x0000000003B8A000-memory.dmp (Filesize: 10.4MB)
- memory/1388-141-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-131-0x0000000002840000-0x0000000002A70000-memory.dmp (Filesize: 2.2MB)
- memory/1388-156-0x0000000003130000-0x0000000003B8A000-memory.dmp (Filesize: 10.4MB)
- memory/1388-132-0x0000000000400000-0x0000000000725000-memory.dmp (Filesize: 3.1MB)
- memory/1388-134-0x0000000000400000-0x0000000000725000-memory.dmp (Filesize: 3.1MB)
- memory/1388-146-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-147-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1388-148-0x0000000003B90000-0x0000000003CD0000-memory.dmp (Filesize: 1.2MB)
- memory/1548-135-0x0000000000000000-mapping.dmp
- memory/1592-149-0x0000000000000000-mapping.dmp
- memory/1592-150-0x00000000029F0000-0x000000000344A000-memory.dmp (Filesize: 10.4MB)
- memory/1592-151-0x0000000000770000-0x00000000008B0000-memory.dmp (Filesize: 1.2MB)
- memory/1592-152-0x0000000000770000-0x00000000008B0000-memory.dmp (Filesize: 1.2MB)
- memory/1592-153-0x0000000000AA0000-0x00000000013DB000-memory.dmp (Filesize: 9.2MB)
- memory/1592-154-0x00000000029F0000-0x000000000344A000-memory.dmp (Filesize: 10.4MB)
- memory/1592-155-0x00000000029F0000-0x000000000344A000-memory.dmp (Filesize: 10.4MB)

Note on the dumps: the 10.4MB region in PID 1388 (0x03130000-0x03B8A000) and the 10.4MB region in PID 1592 (0x029F0000-0x0344A000) span exactly the same number of bytes (0xA5A000), as do the 1.2MB regions (0x140000 bytes each), which is consistent with the parent's unpacked payload having been written into the injected rundll32.exe. The PID 1592 dumps are therefore the ones to take for the unpacked DanaBot; the 0x00400000-0x00725000 dumps of 1388 are the packed on-disk image.