Analysis
  max time kernel: 137s
  max time network: 150s
  platform: windows10-2004_x64
  resource: win10v2004-20220721-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30-07-2022 22:19
  Static task: static1
  Behavioral task: behavioral1
    Sample: 7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2.vbs
    Resource: win7-20220715-en
General
  Target: 7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2.vbs
  Size: 1.4MB
  MD5: 1ef8b148b1b51343c3150d5dad342d3e
  SHA1: 3d554440983f890cda93149bc4cbfdfad9ac6f3e
  SHA256: 7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2
  SHA512: bedcea3dd21f8772932ac96c26297e7b4823492679af39b0d9d640592d0648f192c7fe78aedf816e5c2acc75c71989a7605d9daf0193a9d2cd099dcc71e3d692
Malware Config
  Extracted: danabot
Signatures

Danabot x86 payload (4 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  resource                                            yara_rule
  C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY  family_danabot
  C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY  family_danabot
  C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY  family_danabot
  C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY  family_danabot

Blocklisted process makes network request (8 IoCs)
  flow  pid   process
  20    1328  rundll32.exe
  21    1328  rundll32.exe
  45    1328  rundll32.exe
  56    1328  rundll32.exe
  69    1328  rundll32.exe
  71    1328  rundll32.exe
  73    1328  rundll32.exe
  74    1328  rundll32.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
  description        ioc                                                                                          process
  Key value queried  \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation  WScript.exe

Loads dropped DLL (3 IoCs)
  pid   process
  4472  regsvr32.exe
  4472  regsvr32.exe
  1328  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (32 IoCs)
  pid   process       entries
  4472  regsvr32.exe  16
  1328  rundll32.exe  16

Suspicious use of WriteProcessMemory (8 IoCs)
  description                       pid   process       target process
  PID 4936 wrote to memory of 364   4936  WScript.exe   regsvr32.exe
  PID 4936 wrote to memory of 364   4936  WScript.exe   regsvr32.exe
  PID 364 wrote to memory of 4472   364   regsvr32.exe  regsvr32.exe
  PID 364 wrote to memory of 4472   364   regsvr32.exe  regsvr32.exe
  PID 364 wrote to memory of 4472   364   regsvr32.exe  regsvr32.exe
  PID 4472 wrote to memory of 1328  4472  regsvr32.exe  rundll32.exe
  PID 4472 wrote to memory of 1328  4472  regsvr32.exe  rundll32.exe
  PID 4472 wrote to memory of 1328  4472  regsvr32.exe  rundll32.exe
Processes (nesting depth in brackets)

  [1] C:\Windows\System32\WScript.exe
      command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7b50c5555749ee419657fb8d40a9a1c6e2f103df413ddd53eadd22917ca15ad2.vbs"
      - Checks computer location settings
      - Suspicious use of WriteProcessMemory

      [2] C:\Windows\System32\regsvr32.exe
          command line: "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\jMoOIm.dllHRasUY
          - Suspicious use of WriteProcessMemory

          [3] C:\Windows\SysWOW64\regsvr32.exe
              command line: -s C:\Users\Admin\AppData\Local\Temp\\jMoOIm.dllHRasUY
              - Loads dropped DLL
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of WriteProcessMemory

              [4] C:\Windows\SysWOW64\rundll32.exe
                  command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY,f0
                  - Blocklisted process makes network request
                  - Loads dropped DLL
                  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

  C:\Users\Admin\AppData\Local\Temp\jMoOIm.dllHRasUY
    Filesize: 460KB
    MD5: 8cfa24ff327f06f81438f02181c5b790
    SHA1: ccdf5f2aa6d6f920e468b89f1d45ce1cb758ff5e
    SHA256: 6023fd184fb320359e014eb62c4ca4d673c390c58331bc3a4c1fdc49cc4ba55f
    SHA512: ae2da82a1c8efb4795f4c7396e52f6bb41d3b772fad5bb98287845d186d1d052d5f7532b46966e72b517dafbd5fea7e9f4b56f8dd6c76905c5b442f6f71b6e19

  memory/364-130-0x0000000000000000-mapping.dmp
  memory/1328-136-0x0000000000000000-mapping.dmp
  memory/4472-132-0x0000000000000000-mapping.dmp
  memory/4472-135-0x0000000000770000-0x00000000007F0000-memory.dmp
    Filesize: 512KB