Analysis
-
max time kernel
1s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
13-09-2022 20:34
Behavioral task
behavioral1
Sample
c8f1ec2ef618dfcd254f5a9e397b70644b3ba070f0c327bae20a3054df0021c0.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
c8f1ec2ef618dfcd254f5a9e397b70644b3ba070f0c327bae20a3054df0021c0.dll
Resource
win10v2004-20220901-en
General
-
Target
c8f1ec2ef618dfcd254f5a9e397b70644b3ba070f0c327bae20a3054df0021c0.dll
-
Size
6.4MB
-
MD5
37280de8b448ed3a4358120a40b42872
-
SHA1
b05209c3bcaac611763369416a18c4b8406c4fa1
-
SHA256
c8f1ec2ef618dfcd254f5a9e397b70644b3ba070f0c327bae20a3054df0021c0
-
SHA512
807ba5962fd16b0700121f70a948257e8602a2b7f15f74e871253fc8571e36900915eeecdddab2a3c26364ab9369b2c4386fbb7e2f3135641ef8f1df4784d74c
-
SSDEEP
98304:zG5fSXz5F5x+3rUQ4Qljsq75Pm9tli8VSP6W:zKfSlLsVPm9tlJW
Malware Config
Extracted
danabot
1765
3
192.236.146.203:443
192.161.48.5:443
192.236.162.42:443
192.3.26.98:443
-
embedded_hash
B2585F6479280F48B64C99F950BBF36D
-
type
main
Signatures
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1608 1208 WerFault.exe rundll32.exe -
Suspicious use of WriteProcessMemory 11 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1752 wrote to memory of 1208 1752 rundll32.exe rundll32.exe PID 1208 wrote to memory of 1608 1208 rundll32.exe WerFault.exe PID 1208 wrote to memory of 1608 1208 rundll32.exe WerFault.exe PID 1208 wrote to memory of 1608 1208 rundll32.exe WerFault.exe PID 1208 wrote to memory of 1608 1208 rundll32.exe WerFault.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8f1ec2ef618dfcd254f5a9e397b70644b3ba070f0c327bae20a3054df0021c0.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\c8f1ec2ef618dfcd254f5a9e397b70644b3ba070f0c327bae20a3054df0021c0.dll,#12⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1208 -s 2643⤵
- Program crash