Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
141s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system -
submitted
10/09/2022, 11:36
Static task
static1
General
-
Target
f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe
-
Size
2.5MB
-
MD5
461d81930989dcd9d626d451ace5694c
-
SHA1
66590511918d48e1c12da9183224a643c6a4feed
-
SHA256
f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357
-
SHA512
60dbc74e77cf3ab1bd6e1b04c94b40f36e2f05fceae9f608213c6e5e9f607746bedb274b2ee6dcaf75ecf0088507bc7f34b9ca755647815b46fcf66b26d019a4
-
SSDEEP
49152:sJVBMGKmBBw1mNeegZayhchKpZWVoA7UHywFDbeJQthP19NAGguuxJbF/Ie07B:+VKG7xeFGE8lIHjxL17NAG27FQeo
Malware Config
Extracted
danabot
153.92.223.225:443
198.15.112.179:443
185.62.56.245:443
66.85.147.23:443
-
embedded_hash
61A1CB063216C13FFD2E15D7F3F515E2
-
type
loader
Signatures
-
Blocklisted process makes network request 1 IoCs
flow pid Process 20 3656 rundll32.exe -
Loads dropped DLL 1 IoCs
pid Process 3656 rundll32.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts rundll32.exe -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 3656 set thread context of 2004 3656 rundll32.exe 94 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
pid pid_target Process procid_target 1396 1028 WerFault.exe 82 -
Checks processor information in registry 2 TTPs 45 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 2004 rundll32.exe 2004 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2004 rundll32.exe Token: SeDebugPrivilege 2004 rundll32.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2004 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1028 wrote to memory of 3656 1028 f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe 89 PID 1028 wrote to memory of 3656 1028 f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe 89 PID 1028 wrote to memory of 3656 1028 f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe 89 PID 3656 wrote to memory of 2004 3656 rundll32.exe 94 PID 3656 wrote to memory of 2004 3656 rundll32.exe 94 PID 3656 wrote to memory of 2004 3656 rundll32.exe 94 PID 3656 wrote to memory of 2004 3656 rundll32.exe 94 -
outlook_office_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe -
outlook_win_path 1 IoCs
description ioc Process Key opened \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe"C:\Users\Admin\AppData\Local\Temp\f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1028 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll,start C:\Users\Admin\AppData\Local\Temp\F17680~1.EXE2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3656 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#613⤵
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- outlook_office_path
- outlook_win_path
PID:2004
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 5082⤵
- Program crash
PID:1396
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1028 -ip 10281⤵PID:208
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
25KB
MD581afc5fdc60ea77324d4d8c4438e6510
SHA14b21359d6a24d7096bd1f5afe2c100cb06829352
SHA256c3db936d22f55c93214a38a5cc2b7a042b298822db68af0b4a574df37a1820db
SHA51287e49d7bcf9f7d383ccf98ec4125402749db4bf954b8dc7c64177dd1ed254916a5b9a03903ccc01f0fc6bf635dc8640d3f9961156cd23882896c9b23fb472dcc
-
Filesize
3.4MB
MD50a4be075ff7c43377937669f2e6c040a
SHA1d097e78537fa7876757256583a47024bf0006fd6
SHA256351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf
SHA512cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c
-
Filesize
3.4MB
MD50a4be075ff7c43377937669f2e6c040a
SHA1d097e78537fa7876757256583a47024bf0006fd6
SHA256351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf
SHA512cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c
-
Filesize
3.1MB
MD5383f37499db8755bc905cef05b7b3880
SHA12adcf085c023c2e5e26f0801a3c6f0979b3a83bb
SHA2564ccd892db7a892251931d4fc98ae55009302ac65d39bdf4c0df11ccd819dc380
SHA5129c70e1a2ffa1433abd143535aa482b37b56be93f98d30a64fade35c18ba185bffa9748b3ced10e8d369028dd7e5ed15dec60e68ea332dbcc60fb9727002873bc
-
Filesize
62KB
MD57185e716980842db27c3b3a88e1fe804
SHA1e4615379cd4797629b4cc3da157f4d4a5412fb2b
SHA256094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1
SHA512dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c