Analysis
  max time kernel   129s
  max time network  154s
  platform          windows10-2004_x64
  resource          win10v2004-20220414-en
  submitted         01-07-2022 13:15

Static task: static1
Behavioral task: behavioral1
  Sample    00192038_00192.scr
  Resource  win7-20220414-en
General
  Target  00192038_00192.scr
  Size    453KB
  MD5     aa0ceac2adff012dc0ba93e1c5bb72ab
  SHA1    31ff6c14bf11786d3084cf569669a0af457d1084
  SHA256  864b7f9f0446958428151bdffbfeb3ce566a1b82ca87b4abeb8e75e1e36f39ac
  SHA512  36200bb05b1dc97b0e6bc17a0add145fa3600f18e701ed568f28c09a19c15e7a4820f37161831450d50ab7be9f232da2fdac5b6f70c069cd0e1003af0570e6e0
Malware Config
  Extracted family: danabot
Signatures

Danabot x86 payload (3 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
Processes:
  resource                                              yara_rule
  C:\Users\Admin\AppData\Local\Temp\001920~1.DLL        family_danabot
  C:\Users\Admin\AppData\Local\Temp\00192038_00192.dll  family_danabot
  C:\Users\Admin\AppData\Local\Temp\00192038_00192.dll  family_danabot

Blocklisted process makes network request (8 IoCs)
Processes:
  flow  pid   process
  10    3468  rundll32.exe
  18    3468  rundll32.exe
  26    3468  rundll32.exe
  33    3468  rundll32.exe
  34    3468  rundll32.exe
  37    3468  rundll32.exe
  39    3468  rundll32.exe
  40    3468  rundll32.exe

Loads dropped DLL (2 IoCs)
Processes:
  pid   process
  3968  regsvr32.exe
  3468  rundll32.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes:
  description                       pid   process             target process
  PID 4888 wrote to memory of 3968  4888  00192038_00192.scr  regsvr32.exe
  PID 4888 wrote to memory of 3968  4888  00192038_00192.scr  regsvr32.exe
  PID 4888 wrote to memory of 3968  4888  00192038_00192.scr  regsvr32.exe
  PID 3968 wrote to memory of 3468  3968  regsvr32.exe        rundll32.exe
  PID 3968 wrote to memory of 3468  3968  regsvr32.exe        rundll32.exe
  PID 3968 wrote to memory of 3468  3968  regsvr32.exe        rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\00192038_00192.scr
   Command line: "C:\Users\Admin\AppData\Local\Temp\00192038_00192.scr" /S
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\001920~1.DLL f1 C:\Users\Admin\AppData\Local\Temp\001920~1.SCR@4888
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\rundll32.exe
         Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\001920~1.DLL,f0
         - Blocklisted process makes network request
         - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads

C:\Users\Admin\AppData\Local\Temp\00192038_00192.dll
  Filesize  288KB
  MD5       f161a41af3babee854e89792622ed9a7
  SHA1      5af57ea20b26485014b8e9e6e3282f5d703f3d22
  SHA256    eec053407b16764bcf5b0931373099ceb4d85b18750b5cc6428fbd7ebbd33c21
  SHA512    82e9d797a61bc17d071e67826f2cdbb3dc2a30d6f29222eee025dda9ba57bcd49fef9b392441d4293e18c3ddfe264405706fb388ad6bf47de72a3ce26d3cd481
C:\Users\Admin\AppData\Local\Temp\001920~1.DLL
  Filesize  288KB
  MD5       f161a41af3babee854e89792622ed9a7
  SHA1      5af57ea20b26485014b8e9e6e3282f5d703f3d22
  SHA256    eec053407b16764bcf5b0931373099ceb4d85b18750b5cc6428fbd7ebbd33c21
  SHA512    82e9d797a61bc17d071e67826f2cdbb3dc2a30d6f29222eee025dda9ba57bcd49fef9b392441d4293e18c3ddfe264405706fb388ad6bf47de72a3ce26d3cd481

Memory dumps
  memory/3468-133-0x0000000000000000-mapping.dmp
  memory/3968-130-0x0000000000000000-mapping.dmp