Analysis
- max time kernel: 71s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 08:07
Static task: static1
Behavioral task: behavioral1
- Sample: 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
- Resource: win10v2004-20220414-en
General
- Target: 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
- Size: 1.0MB
- MD5: eae5ee3121523c718094873f56b64bce
- SHA1: adbc2b251f69f04086e4cf6af74544bcd025d5de
- SHA256: 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d
- SHA512: f27a60a5d3563a3c04ee2114cdf4526be5511acb9f81b0030024a30f3c81e75765844cd3047813050f4c56d8859ec6006a11a0c13c5091aa7a34d501d48f4e95
Malware Config
Extracted
danabot
100.0.0.0:5148
58.50.42.34:13886
26.18.10.2:5662
60.52.44.36:14400
-
embedded_hash
zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz
-
type
loader
Extracted
danabot
4256732557
232.119.65.131:35328
255.141.133.128:336
254.255.255.139:36097
21.216.173.203:65534
-
embedded_hash
��\���������\�����\�������~B�E
-
type
loader
Signatures
-
Blocklisted process makes network request (3 IoCs)
Processes: rundll32.exe
flow | pid | process
9 | 4116 | rundll32.exe
11 | 4116 | rundll32.exe
12 | 4116 | rundll32.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | rundll32.exe
-
Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | rundll32.exe
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext (1 IoCs)
Processes: 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
description | pid | process | target process
PID 4344 set thread context of 5060 | 4344 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe | rundll32.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (4 IoCs)
Processes: WerFault.exe, WerFault.exe, WerFault.exe, WerFault.exe
pid | pid_target | process | target process
1584 | 4344 | WerFault.exe | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
5112 | 4344 | WerFault.exe | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
2568 | 4344 | WerFault.exe | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
3696 | 4344 | WerFault.exe | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
-
Checks processor information in registry (2 TTPs, 37 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: rundll32.exe, 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
description | ioc | process
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
-
Modifies registry class (1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings | rundll32.exe
-
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: rundll32.exe
pid | process
5060 | rundll32.exe
5060 | rundll32.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes: rundll32.exe
description | pid | process
Token: SeDebugPrivilege | 5060 | rundll32.exe
-
Suspicious use of FindShellTrayWindow (1 IoCs)
Processes: rundll32.exe
pid | process
5060 | rundll32.exe
-
Suspicious use of WriteProcessMemory (23 IoCs)
Processes: 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
description | pid | process | target process
PID 4344 wrote to memory of 4116 | 4344 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe | rundll32.exe (19 identical entries)
PID 4344 wrote to memory of 5060 | 4344 | 172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe | rundll32.exe (4 identical entries)
-
outlook_office_path (1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
-
outlook_win_path (1 IoCs)
Processes: rundll32.exe
description | ioc | process
Key opened | \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\172b33e43cbb3ad6705549f5b3af1025e5632ca47d735ec9eb038e169b8e651d.exe" 1⤵
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 2⤵
- Blocklisted process makes network request
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 612 2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 924 2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 932 2⤵
- Program crash
-
C:\Windows\SysWOW64\rundll32.exe
Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61 2⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4344 -s 1040 2⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4344 -ip 4344 1⤵
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4344 -ip 4344 1⤵
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4344 -ip 4344 1⤵
-
C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4344 -ip 4344 1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Ouuorspuqqpf.tmp
- Filesize: 3.1MB
- MD5: 89704d53dd9ad75a12c7e8c75f98c78e
- SHA1: 4515d539f7813726592c940386c5553185ea18b0
- SHA256: 9a9aced19fc12d0d7542d37f4429196318d1a85c7843b6f6704c3a318f80319b
- SHA512: 7a1a446e21dbcaf73371e234721dcdf21e485744d1814d74702de14a9c758b874a2cb166a20230df2604271bf3121b00498df7d85641c02dd81bc14335b3b75e
-
memory/4116-135-0x0000000000000000-mapping.dmp
-
memory/4344-142-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-136-0x0000000000400000-0x0000000000728000-memory.dmp
- Filesize: 3.2MB
-
memory/4344-145-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-132-0x0000000000400000-0x0000000000728000-memory.dmp
- Filesize: 3.2MB
-
memory/4344-146-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-131-0x00000000026F0000-0x0000000002920000-memory.dmp
- Filesize: 2.2MB
-
memory/4344-138-0x0000000003110000-0x0000000003B6A000-memory.dmp
- Filesize: 10.4MB
-
memory/4344-143-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-141-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-140-0x0000000003110000-0x0000000003B6A000-memory.dmp
- Filesize: 10.4MB
-
memory/4344-130-0x000000000246F000-0x0000000002551000-memory.dmp
- Filesize: 904KB
-
memory/4344-144-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-134-0x0000000000400000-0x0000000000728000-memory.dmp
- Filesize: 3.2MB
-
memory/4344-133-0x0000000000400000-0x0000000000728000-memory.dmp
- Filesize: 3.2MB
-
memory/4344-139-0x0000000003110000-0x0000000003B6A000-memory.dmp
- Filesize: 10.4MB
-
memory/4344-147-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-148-0x0000000003C80000-0x0000000003DC0000-memory.dmp
- Filesize: 1.2MB
-
memory/4344-156-0x0000000003110000-0x0000000003B6A000-memory.dmp
- Filesize: 10.4MB
-
memory/5060-150-0x00000000029A0000-0x00000000033FA000-memory.dmp
- Filesize: 10.4MB
-
memory/5060-152-0x00000000034C0000-0x0000000003600000-memory.dmp
- Filesize: 1.2MB
-
memory/5060-151-0x00000000034C0000-0x0000000003600000-memory.dmp
- Filesize: 1.2MB
-
memory/5060-153-0x00000000004C0000-0x0000000000DFB000-memory.dmp
- Filesize: 9.2MB
-
memory/5060-154-0x00000000029A0000-0x00000000033FA000-memory.dmp
- Filesize: 10.4MB
-
memory/5060-155-0x00000000029A0000-0x00000000033FA000-memory.dmp
- Filesize: 10.4MB
-
memory/5060-149-0x0000000000000000-mapping.dmp