Analysis
max time kernel: 155s
max time network: 179s
platform: windows10-2004_x64
resource: win10v2004-20220721-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
submitted: 31-07-2022 09:34
Behavioral task: behavioral1
Sample: 8c9c56a08b9cc58d1cc57309695ef07ce367a8a7bfac2485328919a954ea7f2c.dll
Resource: win7-20220718-en (windows7-x64)
3 signatures, 150 seconds
General
Target: 8c9c56a08b9cc58d1cc57309695ef07ce367a8a7bfac2485328919a954ea7f2c.dll
Size: 1.4MB
MD5: 6b448c6851f3235c9b3d0c24353c480f
SHA1: f01bfd3a21a887bc85eb6b02baf28f7640513d03
SHA256: 8c9c56a08b9cc58d1cc57309695ef07ce367a8a7bfac2485328919a954ea7f2c
SHA512: 663df12c36a4817da30f88072d1195bbbd1b37a4023f0de67b62d0d4deef15bcbb4c2a025648186a22573dba3cd5480701925f0f30cddafff89c053790dffbf3
Malware Config (Extracted)
Family: danabot
C2:
  243.127.43.6
  64.126.175.2
  130.15.230.152
  74.99.136.192
  244.14.226.35
  95.179.168.37
  51.129.76.8
  151.210.85.159
  45.76.123.177
  75.57.14.121
rsa_pubkey.plain
Signatures

Program crash (1 IoC)
pid    pid_target   Process        procid_target
2852   4380         WerFault.exe   83

Suspicious use of WriteProcessMemory (3 IoCs)
description                         pid    Process        procid_target
PID 4460 wrote to memory of 4380    4460   rundll32.exe   83
PID 4460 wrote to memory of 4380    4460   rundll32.exe   83
PID 4460 wrote to memory of 4380    4460   rundll32.exe   83
Processes

C:\Windows\system32\rundll32.exe (PID 4460)
  command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c9c56a08b9cc58d1cc57309695ef07ce367a8a7bfac2485328919a954ea7f2c.dll,#1
  signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe (PID 4380)
    command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\8c9c56a08b9cc58d1cc57309695ef07ce367a8a7bfac2485328919a954ea7f2c.dll,#1

    C:\Windows\SysWOW64\WerFault.exe (PID 2852)
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4380 -s 780
      signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 3872)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4380 -ip 4380