Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 03-07-2022 07:17

Static task: static1
Behavioral task: behavioral1
Sample: CRA_INV_2019_479426239721/CRA_INV_2019_479426239721.vbs
Resource: win7-20220414-en
General
- Target: CRA_INV_2019_479426239721/CRA_INV_2019_479426239721.vbs
- Size: 24.2MB
- MD5: 3818ef620d826c62136f450c32429ae5
- SHA1: 1297b772ec42586ce1c6db624e8948cbe265710d
- SHA256: 38c668144becb1199196394ad78df6694c86597a283aea61bd036dc1da2eef62
- SHA512: 9789441d9a76f62213ce9889422241c6732ec21ab4ddfff4b596136d327d393c03f8c2f0973b07fd88c7d21c1149d1418d3c153b6b802562ad4b9035ebe78c00
Malware Config
Extracted
danabot
181.63.44.194
207.148.83.108
45.77.40.71
87.115.138.169
24.229.48.7
116.111.206.27
45.196.143.203
218.65.3.199
131.59.110.186
113.81.97.96
Signatures
- Process spawned unexpected child process (1 IoC)
  This typically indicates the parent process was compromised via an exploit or macro.
  Processes:
    description: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process
    pid: 1272
    pid_target: 1924
    process: regsvr32.exe
- Blocklisted process makes network request (2 IoCs)
  Processes:
    flow  pid   process
    2     1252  rundll32.exe
    3     1252  rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid   process
    928   regsvr32.exe
    1252  rundll32.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
    pid   process
    2004  WScript.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes:
    description                       pid   process       target process
    PID 1272 wrote to memory of 928   1272  regsvr32.exe  regsvr32.exe   (7 IoCs)
    PID 928 wrote to memory of 1252   928   regsvr32.exe  rundll32.exe   (7 IoCs)
Processes
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\CRA_INV_2019_479426239721\CRA_INV_2019_479426239721.vbs"
  - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    -s C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt,f0
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt
  Filesize: 1.1MB
  MD5: f8cf63fb5f35fb0a72aeffcf1dc27aef
  SHA1: bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb
  SHA256: dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9
  SHA512: f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f
- \Users\Admin\AppData\Local\Temp\hFbQyDeRQ.txt
  Filesize: 1.1MB
  MD5: f8cf63fb5f35fb0a72aeffcf1dc27aef
  SHA1: bcf27f65d35c4ce37f0f6af6ca3f2215fbef34eb
  SHA256: dca1194d8f8691d90bb209e4b9baae53da4d107169bda9b1d8c4a99a6316b5b9
  SHA512: f30acf1e157b70df459ef4d133bc680c9a7f48ddd532c29fa9d27c8eb16e976f6baf4d2f701d40a8875929267f8147dc25ee960b8b7eccc20da59eeca814dc4f
- memory/928-63-0x0000000001E60000-0x0000000001FCA000-memory.dmp
  Filesize: 1.4MB
- memory/928-57-0x0000000076191000-0x0000000076193000-memory.dmp
  Filesize: 8KB
- memory/928-59-0x0000000001E60000-0x000000000288A000-memory.dmp
  Filesize: 10.2MB
- memory/928-61-0x0000000001E60000-0x000000000288A000-memory.dmp
  Filesize: 10.2MB
- memory/928-62-0x0000000001E60000-0x000000000288A000-memory.dmp
  Filesize: 10.2MB
- memory/928-56-0x0000000000000000-mapping.dmp
- memory/928-64-0x0000000001E60000-0x000000000288A000-memory.dmp
  Filesize: 10.2MB
- memory/1252-67-0x0000000000000000-mapping.dmp
- memory/1252-70-0x0000000002020000-0x0000000002A4A000-memory.dmp
  Filesize: 10.2MB
- memory/1252-72-0x0000000002020000-0x0000000002A4A000-memory.dmp
  Filesize: 10.2MB
- memory/1252-73-0x0000000002020000-0x000000000218A000-memory.dmp
  Filesize: 1.4MB
- memory/1252-74-0x0000000002020000-0x0000000002A4A000-memory.dmp
  Filesize: 10.2MB
- memory/1252-77-0x0000000002020000-0x0000000002A4A000-memory.dmp
  Filesize: 10.2MB
- memory/1272-54-0x000007FEFBA41000-0x000007FEFBA43000-memory.dmp
  Filesize: 8KB