Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    141s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/09/2022, 11:36

General

  • Target

    f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe

  • Size

    2.5MB

  • MD5

    461d81930989dcd9d626d451ace5694c

  • SHA1

    66590511918d48e1c12da9183224a643c6a4feed

  • SHA256

    f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357

  • SHA512

    60dbc74e77cf3ab1bd6e1b04c94b40f36e2f05fceae9f608213c6e5e9f607746bedb274b2ee6dcaf75ecf0088507bc7f34b9ca755647815b46fcf66b26d019a4

  • SSDEEP

    49152:sJVBMGKmBBw1mNeegZayhchKpZWVoA7UHywFDbeJQthP19NAGguuxJbF/Ie07B:+VKG7xeFGE8lIHjxL17NAG27FQeo

Malware Config

Extracted

Family

danabot

C2

153.92.223.225:443

198.15.112.179:443

185.62.56.245:443

66.85.147.23:443

Attributes
  • embedded_hash

    61A1CB063216C13FFD2E15D7F3F515E2

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
  • Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 45 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe
    "C:\Users\Admin\AppData\Local\Temp\f17680b7837e63b0528301f437ab999c419b0274502f81252ce7470016dd5357.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1028
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll,start C:\Users\Admin\AppData\Local\Temp\F17680~1.EXE
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:3656
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
        3⤵
        • Accesses Microsoft Outlook accounts
        • Accesses Microsoft Outlook profiles
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • outlook_office_path
        • outlook_win_path
        PID:2004
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1028 -s 508
      2⤵
      • Program crash
      PID:1396
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1028 -ip 1028
    1⤵
      PID:208

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\JavaDeployReg.log

      Filesize

      25KB

      MD5

      81afc5fdc60ea77324d4d8c4438e6510

      SHA1

      4b21359d6a24d7096bd1f5afe2c100cb06829352

      SHA256

      c3db936d22f55c93214a38a5cc2b7a042b298822db68af0b4a574df37a1820db

      SHA512

      87e49d7bcf9f7d383ccf98ec4125402749db4bf954b8dc7c64177dd1ed254916a5b9a03903ccc01f0fc6bf635dc8640d3f9961156cd23882896c9b23fb472dcc

    • C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll

      Filesize

      3.4MB

      MD5

      0a4be075ff7c43377937669f2e6c040a

      SHA1

      d097e78537fa7876757256583a47024bf0006fd6

      SHA256

      351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf

      SHA512

      cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c

    • C:\Users\Admin\AppData\Local\Temp\Pedeuesu.dll

      Filesize

      3.4MB

      MD5

      0a4be075ff7c43377937669f2e6c040a

      SHA1

      d097e78537fa7876757256583a47024bf0006fd6

      SHA256

      351342c60677616c25d8869362ba951102519c9df9761d049a55409fe51387bf

      SHA512

      cd9b365a889d36ab480ca1ab4f09351b84cff3f0ec26d6b0da5c82507435d9b9b84d835e17b1d41ac73815513dfa7082615719cf388c05f8f4abdf7d8e449e2c

    • C:\Users\Admin\AppData\Local\Temp\Tuturhssep.tmp

      Filesize

      3.1MB

      MD5

      383f37499db8755bc905cef05b7b3880

      SHA1

      2adcf085c023c2e5e26f0801a3c6f0979b3a83bb

      SHA256

      4ccd892db7a892251931d4fc98ae55009302ac65d39bdf4c0df11ccd819dc380

      SHA512

      9c70e1a2ffa1433abd143535aa482b37b56be93f98d30a64fade35c18ba185bffa9748b3ced10e8d369028dd7e5ed15dec60e68ea332dbcc60fb9727002873bc

    • C:\Users\Admin\AppData\Local\Temp\wctA1E8.tmp

      Filesize

      62KB

      MD5

      7185e716980842db27c3b3a88e1fe804

      SHA1

      e4615379cd4797629b4cc3da157f4d4a5412fb2b

      SHA256

      094754a618b102b7ad0800dd4c9c02c882cf2d1e7996ba864f422fa4312427e1

      SHA512

      dea331907f5f1de407ca07e24be7ad808fa43a0eef2d1b5009721f937ab2a8f77832e332d5ac3d9662e5b02ecaabbec0f4228af279fa6562be4dccb6c829246c

    • memory/1028-133-0x0000000002AA0000-0x0000000002D13000-memory.dmp

      Filesize

      2.4MB

    • memory/1028-134-0x0000000000400000-0x0000000000A1F000-memory.dmp

      Filesize

      6.1MB

    • memory/1028-132-0x0000000002853000-0x0000000002A93000-memory.dmp

      Filesize

      2.2MB

    • memory/1028-139-0x0000000000400000-0x0000000000A1F000-memory.dmp

      Filesize

      6.1MB

    • memory/2004-155-0x0000000002A10000-0x0000000003433000-memory.dmp

      Filesize

      10.1MB

    • memory/2004-151-0x0000000000600000-0x0000000000F04000-memory.dmp

      Filesize

      9.0MB

    • memory/2004-152-0x0000000002A10000-0x0000000003433000-memory.dmp

      Filesize

      10.1MB

    • memory/2004-147-0x0000000003500000-0x0000000003640000-memory.dmp

      Filesize

      1.2MB

    • memory/2004-146-0x0000000003500000-0x0000000003640000-memory.dmp

      Filesize

      1.2MB

    • memory/3656-138-0x0000000000400000-0x000000000077F000-memory.dmp

      Filesize

      3.5MB

    • memory/3656-144-0x0000000003E00000-0x0000000003F40000-memory.dmp

      Filesize

      1.2MB

    • memory/3656-143-0x0000000003E00000-0x0000000003F40000-memory.dmp

      Filesize

      1.2MB

    • memory/3656-142-0x0000000003310000-0x0000000003D33000-memory.dmp

      Filesize

      10.1MB

    • memory/3656-141-0x0000000003310000-0x0000000003D33000-memory.dmp

      Filesize

      10.1MB

    • memory/3656-140-0x0000000000400000-0x000000000077F000-memory.dmp

      Filesize

      3.5MB

    • memory/3656-153-0x0000000000400000-0x000000000077F000-memory.dmp

      Filesize

      3.5MB

    • memory/3656-154-0x0000000003310000-0x0000000003D33000-memory.dmp

      Filesize

      10.1MB