Analysis
- max time kernel: 143s
- max time network: 115s
- platform: windows10-2004_x64
- resource: win10v2004-20220715-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220715-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-07-2022 21:06
Static task: static1
Behavioral task: behavioral1
Sample: 9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe
Resource: win7-20220715-en
General
- Target: 9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe
- Size: 6.0MB
- MD5: 5c0be4a5273dec6b3ebb180a90f337f2
- SHA1: 3a82216a89310aa7b4cee1e58a3af7e16c0cce19
- SHA256: 9d68e9449bcf593abfd4562466a7cc2d35b1c33868e3bcf0e47bda4d9fc78403
- SHA512: 4e922ede66f69d3eb3f6baac3db20b0675df36ec60fd1d940c80e772b5fa28f8d85c68f9e1aa4d89a552d802ade54f762004f0e0eb2ed4b4f8dee8b6cbd0becc
Malware Config
Extracted
- danabot
- 1765
- 3
- 192.3.26.98:443
- 192.3.26.107:443
- 192.161.48.5:443
- 192.236.146.203:443
- embedded_hash: B2585F6479280F48B64C99F950BBF36D
- type: main
Signatures
- suricata: ET MALWARE Danabot Key Exchange Request
- Blocklisted process makes network request (4 IoCs)
  flow  pid   Process
  2     2716  RUNDLL32.EXE
  3     2716  RUNDLL32.EXE
  4     2716  RUNDLL32.EXE
  6     2716  RUNDLL32.EXE
- Loads dropped DLL (4 IoCs)
  pid   Process
  2392  rundll32.exe
  2392  rundll32.exe
  2716  RUNDLL32.EXE
  2716  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2696  1876        WerFault.exe  78
- Checks processor information in registry (2 TTPs, 23 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description           ioc                                                                                      Process
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information     RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision           RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 RUNDLL32.EXE
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           RUNDLL32.EXE
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                             RUNDLL32.EXE
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                             RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status             RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status             RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier          RUNDLL32.EXE
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           RUNDLL32.EXE
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                           RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString       RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information     RUNDLL32.EXE
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                           RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data        RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                      RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier                RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision  RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                RUNDLL32.EXE
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier          RUNDLL32.EXE
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   2392  rundll32.exe
  Token: SeDebugPrivilege   2716  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  description                          pid   Process                                            procid_target
  PID 1876 wrote to memory of 2392     1876  9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe  79
  PID 1876 wrote to memory of 2392     1876  9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe  79
  PID 1876 wrote to memory of 2392     1876  9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe  79
  PID 2392 wrote to memory of 2716     2392  rundll32.exe                                       82
  PID 2392 wrote to memory of 2716     2392  rundll32.exe                                       82
  PID 2392 wrote to memory of 2716     2392  rundll32.exe                                       82
Processes
- C:\Users\Admin\AppData\Local\Temp\9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9D68E9449BCF593ABFD4562466A7CC2D35B1C33868E3B.exe"
  PID: 1876
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\9D68E9~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\9D68E9~1.EXE
    PID: 2392
    Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\9D68E9~1.DLL,h1cwTA==
      PID: 2716
      Signatures: Blocklisted process makes network request; Loads dropped DLL; Checks processor information in registry; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1876 -s 508
    PID: 2696
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1876 -ip 1876
  PID: 4544
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 5.7MB
  MD5: 946d12b008eea3bd68748539717f5cdf
  SHA1: f95d564aeba95034a10ac512636a6d674d5caee6
  SHA256: 98419ef86ab46a5216a5c1f8da708ad554c71474438bd232f6dc15a9415d361d
  SHA512: 2a50a0918fa597f386aa1ecbf927fcc5b69c79c9d934575f1cb7bc7117d2aca07845e0b9485c0800ecc96f4a055467d81b92e069517cae5d58a947f1ee6a0b28