Analysis
max time kernel: 130s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 08-07-2022 14:33
Static task: static1
Behavioral task: behavioral1
Sample: be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe
Resource: win7-20220414-en
General
Target: be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe
Size: 4.4MB
MD5: a10d4f80ed910baeb4fd603e7b121643
SHA1: 3716da6b25cc95a7a17c4fc2a412db52043cc4b0
SHA256: be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624
SHA512: fa6d059476a193e9b85516df678d99139d0c73f00f38217ceef4f49d290b498385c735e0d8dbc49c618e4b62fa7dbf39a85a614505b7a8fca4136e16e0ac7b31
Malware Config
Extracted
Family: danabot
1732
3
C2:
  108.62.118.103:443
  23.226.132.92:443
  104.144.64.163:443
  108.62.141.152:443
embedded_hash: 49574F66CD0103BBD725C08A9805C2BE
type: main
Signatures
-
Blocklisted process makes network request (4 IoCs)
Processes (flow, pid, process):
  5   3496  RUNDLL32.EXE
  6   3496  RUNDLL32.EXE
  16  3496  RUNDLL32.EXE
  26  3496  RUNDLL32.EXE
-
Processes (resource, yara_rule):
  behavioral2/memory/4968-130-0x0000000000400000-0x0000000005158000-memory.dmp  upx
-
Loads dropped DLL (4 IoCs)
Processes (pid, process):
  744   rundll32.exe
  744   rundll32.exe
  3496  RUNDLL32.EXE
  3496  RUNDLL32.EXE
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Program crash (1 IoCs)
Processes (pid, pid_target, process, target process):
  2384  4968  WerFault.exe  be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe
-
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
  Token: SeDebugPrivilege  744   rundll32.exe
  Token: SeDebugPrivilege  3496  RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
  PID 4968 wrote to memory of 744   4968  be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe  rundll32.exe
  PID 4968 wrote to memory of 744   4968  be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe  rundll32.exe
  PID 4968 wrote to memory of 744   4968  be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe  rundll32.exe
  PID 744 wrote to memory of 3496   744   rundll32.exe  RUNDLL32.EXE
  PID 744 wrote to memory of 3496   744   rundll32.exe  RUNDLL32.EXE
  PID 744 wrote to memory of 3496   744   rundll32.exe  RUNDLL32.EXE
Processes
-
[level 1] C:\Users\Admin\AppData\Local\Temp\be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\be5050ecd867ea931bcecaafa8d10d6f8c83ab677be207a4a1332f063b3d8624.exe"
  - Suspicious use of WriteProcessMemory
  -
  [level 2] C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BE5050~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\BE5050~1.EXE
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    -
    [level 3] C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\BE5050~1.DLL,sFdZfI0=
      - Blocklisted process makes network request
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
  -
  [level 2] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4968 -s 448
    - Program crash
-
[level 1] C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4968 -ip 4968
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\BE5050~1.DLL
Filesize: 3.7MB
MD5: 3e80a67b80152a887124c085dcb6ddda
SHA1: c91e8a53e484f4adf6a4aeaad6503fe866722ba6
SHA256: 24b412d6681877993f2dfb6ff7e115400e8f0bde7c51b81f24b7588abe263426
SHA512: 9967457202f585cdb749b24af97b5e444d2898d9437c1727e59db259b2b1fc460884d58eb2462c03a0c2cc88b41c72a10c4b7de58d9ec772de0fa1eb0cf25fde
-
C:\Users\Admin\AppData\Local\Temp\BE5050~1.EXE.dll
Filesize: 3.7MB
MD5: 3e80a67b80152a887124c085dcb6ddda
SHA1: c91e8a53e484f4adf6a4aeaad6503fe866722ba6
SHA256: 24b412d6681877993f2dfb6ff7e115400e8f0bde7c51b81f24b7588abe263426
SHA512: 9967457202f585cdb749b24af97b5e444d2898d9437c1727e59db259b2b1fc460884d58eb2462c03a0c2cc88b41c72a10c4b7de58d9ec772de0fa1eb0cf25fde
-
memory/744-138-0x0000000002FC0000-0x0000000003620000-memory.dmp
Filesize: 6.4MB
-
memory/744-136-0x0000000002670000-0x0000000002A3B000-memory.dmp
Filesize: 3.8MB
-
memory/744-147-0x0000000002FC0000-0x0000000003620000-memory.dmp
Filesize: 6.4MB
-
memory/744-132-0x0000000000000000-mapping.dmp
-
memory/3496-143-0x0000000000000000-mapping.dmp
-
memory/3496-146-0x00000000026C0000-0x0000000002A8B000-memory.dmp
Filesize: 3.8MB
-
memory/3496-149-0x0000000003010000-0x0000000003670000-memory.dmp
Filesize: 6.4MB
-
memory/3496-155-0x0000000003010000-0x0000000003670000-memory.dmp
Filesize: 6.4MB
-
memory/3496-156-0x0000000003010000-0x0000000003670000-memory.dmp
Filesize: 6.4MB
-
memory/4968-130-0x0000000000400000-0x0000000005158000-memory.dmp
Filesize: 77.3MB
-
memory/4968-137-0x0000000000400000-0x0000000005158000-memory.dmp
Filesize: 77.3MB
-
memory/4968-131-0x0000000005B00000-0x0000000005EDD000-memory.dmp
Filesize: 3.9MB
-
memory/4968-148-0x0000000005734000-0x0000000005AFF000-memory.dmp
Filesize: 3.8MB
-
memory/4968-154-0x0000000000400000-0x0000000005158000-memory.dmp
Filesize: 77.3MB