Analysis
- max time kernel: 140s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30-06-2022 19:39
- Static task: static1
- Behavioral task: behavioral1
- Sample: a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe
- Resource: win7-20220414-en
General
- Target: a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe
- Size: 4.4MB
- MD5: 364526dd099a238f2351e994be7a912c
- SHA1: d8f39848296c18372421bba022bd62a688adcd0c
- SHA256: a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a
- SHA512: 67ab390b2635c36f180659401f4877bc72600bc27b53c46b06ca9f08eb82e5a3449069a9c6463e43d7803e3741ce86569c97c822f018405b54599981286512ed
Malware Config
Extracted
- danabot
- 1732
- 3
- 23.226.132.92:443
- 108.62.141.152:443
- 192.241.101.68:443
- 23.106.123.249:443
- embedded_hash: 49574F66CD0103BBD725C08A9805C2BE
- type: main
Signatures
-
Blocklisted process makes network request (4 IoCs)
Processes:
  flow  pid   process
  14    4968  RUNDLL32.EXE
  28    4968  RUNDLL32.EXE
  30    4968  RUNDLL32.EXE
  34    4968  RUNDLL32.EXE
-
Processes:
  resource                                                                      yara_rule
  behavioral2/memory/4552-130-0x0000000000400000-0x0000000004B72000-memory.dmp  upx
-
Loads dropped DLL (4 IoCs)
Processes:
  pid   process
  2988  rundll32.exe
  2988  rundll32.exe
  4968  RUNDLL32.EXE
  4968  RUNDLL32.EXE
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description               pid   process
  Token: SeDebugPrivilege   2988  rundll32.exe
  Token: SeDebugPrivilege   4968  RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                        pid   process                                                                   target process
  PID 4552 wrote to memory of 2988   4552  a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe  rundll32.exe
  PID 4552 wrote to memory of 2988   4552  a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe  rundll32.exe
  PID 4552 wrote to memory of 2988   4552  a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe  rundll32.exe
  PID 2988 wrote to memory of 4968   2988  rundll32.exe                                                              RUNDLL32.EXE
  PID 2988 wrote to memory of 4968   2988  rundll32.exe                                                              RUNDLL32.EXE
  PID 2988 wrote to memory of 4968   2988  rundll32.exe                                                              RUNDLL32.EXE
Processes
1. C:\Users\Admin\AppData\Local\Temp\a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\a2676038aeee24af09b0464a1244f34f95dcf2cb4cb883753ef66a0e9213e47a.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\A26760~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\A26760~1.EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\A26760~1.DLL,ql5MfDZOA3j3
         - Blocklisted process makes network request
         - Loads dropped DLL
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\A26760~1.DLL
Filesize: 3.7MB
MD5: 04861df2bb720d75b1b1b1a9a788de85
SHA1: 8b27c0b60879d36e2b065122c55e60b9d77cad20
SHA256: 610d9efe1adbf0c6f928eea7188d1c345cedf842dc2117d078b28e84594b1a29
SHA512: 9f921e18e0bc128c592dae4335123ef44433590ed3910eb4972a445825ddde26e25953d91babd154918e2cf604e393ff5fc805e8be23f6eacb71077ce2f841b3
-
C:\Users\Admin\AppData\Local\Temp\A26760~1.EXE.dll
Filesize: 3.7MB
MD5: 04861df2bb720d75b1b1b1a9a788de85
SHA1: 8b27c0b60879d36e2b065122c55e60b9d77cad20
SHA256: 610d9efe1adbf0c6f928eea7188d1c345cedf842dc2117d078b28e84594b1a29
SHA512: 9f921e18e0bc128c592dae4335123ef44433590ed3910eb4972a445825ddde26e25953d91babd154918e2cf604e393ff5fc805e8be23f6eacb71077ce2f841b3
-
memory/2988-138-0x0000000002CA0000-0x00000000032FF000-memory.dmp
Filesize: 6.4MB
-
memory/2988-137-0x0000000002350000-0x000000000271B000-memory.dmp
Filesize: 3.8MB
-
memory/2988-133-0x0000000000000000-mapping.dmp
-
memory/2988-148-0x0000000002CA0000-0x00000000032FF000-memory.dmp
Filesize: 6.4MB
-
memory/4552-141-0x0000000000400000-0x0000000004B72000-memory.dmp
Filesize: 71.4MB
-
memory/4552-132-0x0000000005780000-0x0000000005B5C000-memory.dmp
Filesize: 3.9MB
-
memory/4552-131-0x00000000053B0000-0x000000000577A000-memory.dmp
Filesize: 3.8MB
-
memory/4552-130-0x0000000000400000-0x0000000004B72000-memory.dmp
Filesize: 71.4MB
-
memory/4552-150-0x0000000000400000-0x0000000004B72000-memory.dmp
Filesize: 71.4MB
-
memory/4968-147-0x00000000024B0000-0x000000000287B000-memory.dmp
Filesize: 3.8MB
-
memory/4968-144-0x0000000000000000-mapping.dmp
-
memory/4968-149-0x0000000002E40000-0x000000000349F000-memory.dmp
Filesize: 6.4MB
-
memory/4968-151-0x0000000002E40000-0x000000000349F000-memory.dmp
Filesize: 6.4MB
-
memory/4968-152-0x0000000002E40000-0x000000000349F000-memory.dmp
Filesize: 6.4MB