Analysis
-
max time kernel
134s -
max time network
63s -
platform
windows7_x64 -
resource
win7-20220414-en -
submitted
16-07-2022 17:51
Static task
static1
Behavioral task
behavioral1
Sample
3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe
Resource
win7-20220414-en
General
-
Target
3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe
-
Size
5.9MB
-
MD5
0148d6c2e66d6bbe2fba2d3a8519062d
-
SHA1
065ec47b9e8d70f1b9bcf8059243821015cc2d5e
-
SHA256
3db3fa9c6911d2585a4de4aee63a9755639f20ebdd7322ace60326b2ea04cb23
-
SHA512
27644be3d4a9055dd9bab7011e218b02a7a9d4ea8dc38c00f66fca75578d2903744571c1c39a83a2985e4d6d45460ceeda8b7234180a2a0e7676b6d9821e25f2
Malware Config
Extracted
danabot
1765
3
142.44.224.16:443
193.34.167.88:443
192.236.146.203:443
192.3.26.107:443
-
embedded_hash
B2585F6479280F48B64C99F950BBF36D
-
type
main
Signatures
-
suricata: ET MALWARE Danabot Key Exchange Request
suricata: ET MALWARE Danabot Key Exchange Request
-
Blocklisted process makes network request 4 IoCs
flow pid Process 1 2032 RUNDLL32.EXE 2 2032 RUNDLL32.EXE 4 2032 RUNDLL32.EXE 5 2032 RUNDLL32.EXE -
Deletes itself 1 IoCs
pid Process 1652 rundll32.exe -
Loads dropped DLL 8 IoCs
pid Process 1652 rundll32.exe 1652 rundll32.exe 1652 rundll32.exe 1652 rundll32.exe 2032 RUNDLL32.EXE 2032 RUNDLL32.EXE 2032 RUNDLL32.EXE 2032 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
description ioc Process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\VCRELHVT\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T2CDOEA4\desktop.ini RUNDLL32.EXE -
Checks processor information in registry 2 TTPs 22 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 1652 rundll32.exe Token: SeDebugPrivilege 2032 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
description pid Process procid_target PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1648 wrote to memory of 1652 1648 3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe 28 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29 PID 1652 wrote to memory of 2032 1652 rundll32.exe 29
Processes
-
C:\Users\Admin\AppData\Local\Temp\3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe"C:\Users\Admin\AppData\Local\Temp\3DB3FA9C6911D2585A4DE4AEE63A9755639F20EBDD732.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1648 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\3DB3FA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\3DB3FA~1.EXE2⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3DB3FA~1.DLL,h1A3jBwVAw==3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:2032
-
-
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99
-
Filesize
5.7MB
MD527476ae2e576ed5f5102f2cdb44c4d8d
SHA16fa2208dbb8774ee23cab68af3bdf8a33b3794b0
SHA25675c35683cfe80bed6a866d22be0a7cafeb5216097eaf404f02ce838029312c0b
SHA5127d2290a070fb63b08e42c42ed33681be5393310c0fc0de9906b02518e21ec1c66d89b5581180e47f96d194088a3def66fbeca87ece500fa24da08029fd575d99