Analysis
max time kernel: 150s
max time network: 140s
platform: windows10-1703_x64
resource: win10-20220901-en
resource tags: arch:x64, arch:x86, image:win10-20220901-en, locale:en-us, os:windows10-1703-x64, system
submitted: 17/09/2022, 08:30
Static task
static1
General
Target: 6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe
Size: 291KB
MD5: 045ec467d7df4abb4f5e95dbdfb37fef
SHA1: d0a3c83f9a4b194bc27db75412fb803f6100abf1
SHA256: 6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322
SHA512: 5a1e0ffd550faee0549e9387e44b93d1beecafe9d5406a7b4bfddcc5165c197dfb2b76367271c43fa0f521f695f6654426054e58eb0e3a336c091c05e6d844cd
SSDEEP: 6144:a/MqLHC4IfAUYIe34TG30yIcOPCenigabwVf:a0qTCTvRe3crPti
Malware Config
Extracted: danabot
embedded_hash: A64A3A6ED13022027B84C77D31BE0C74
type: loader
Signatures
Downloads MZ/PE file

Executes dropped EXE (1 IoC)
pid   Process
2884  64F4.exe

Deletes itself (1 IoC)
pid   Process
3024  Process not Found

Loads dropped DLL (1 IoC)
pid   Process
4564  rundll32.exe

Program crash (1 IoC)
pid   pid_target  Process       procid_target
3652  4564        WerFault.exe  67

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. The subkeys under Enum\SCSI are named after the vendor and product strings of the attached disks and optical drives, and on a virtual machine those strings name the hypervisor (for example VMware, VBOX or a "Virtual disk" product), so a sample that enumerates this key can decide whether it is being observed before it proceeds.
description     ioc                                              Process
Key enumerated  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe
Key opened      \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe
Key queried     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI  6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe
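What the SCSI check is looking for, as an added example that is not part of this report: a Python routine that walks the same registry key the sample enumerates (Windows only, via winreg) and a pure function that scores the subkey names for hypervisor vendor strings. The marker list and the sample subkey names are constructed for the example and are not taken from the report.

```python
import sys

# Hypervisor vendor/model strings that show up in SCSI device instance IDs.
# This list is an assumption for the example, not something the report states.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUAL", "QEMU", "XEN", "MSFT")


def vm_indicators(device_ids):
    """Return (device_id, marker) for each SCSI subkey name that names a hypervisor.

    An empty list means the disk/CD-ROM vendor strings look like physical hardware,
    which is what a sandbox wants the malware to conclude.
    """
    hits = []
    for dev in device_ids:
        upper = dev.upper()
        for marker in VM_MARKERS:
            if marker in upper:
                hits.append((dev, marker))
                break  # one marker per device is enough
    return hits


def enumerate_scsi_devices():
    """Windows only: enumerate HKLM\\SYSTEM\\ControlSet001\\Enum\\SCSI like the sample does."""
    if sys.platform != "win32":
        raise OSError("the SCSI enumeration needs the Windows registry")
    import winreg
    ids = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\ControlSet001\Enum\SCSI") as key:
        index = 0
        while True:
            try:
                ids.append(winreg.EnumKey(key, index))
            except OSError:  # no more subkeys
                break
            index += 1
    return ids


# Constructed subkey names in the Enum\SCSI naming style (Disk&Ven_<vendor>&Prod_<product>).
SAMPLE_VM = ["Disk&Ven_VMware&Prod_Virtual_disk", "CdRom&Ven_VBOX&Prod_CD-ROM"]
SAMPLE_PHYSICAL = ["Disk&Ven_Samsung&Prod_SSD_870_EVO", "CdRom&Ven_HL-DT-ST&Prod_DVDRAM_GH24NSD1"]

if __name__ == "__main__":
    devices = enumerate_scsi_devices() if sys.platform == "win32" else SAMPLE_VM
    for dev, marker in vm_indicators(devices):
        print(f"{dev}: hypervisor marker {marker}")
```

Running enumerate_scsi_devices on an analysis guest and checking that vm_indicators returns nothing is a quick hardening test: if a marker comes back, a sample performing this check can tell it is being watched and may withhold its later stages.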
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid   Process                                                                   count
3504  6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe  2
3024  Process not Found                                                         62

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid   Process
3024  Process not Found

Suspicious behavior: MapViewOfSection (1 IoC)
pid   Process
3504  6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe

Suspicious use of AdjustPrivilegeToken (10 IoCs)
Token                      pid   Process            count
SeShutdownPrivilege        3024  Process not Found  5
SeCreatePagefilePrivilege  3024  Process not Found  5

Suspicious use of WriteProcessMemory (6 IoCs)
pid   Process            wrote to memory of   procid_target  count
3024  Process not Found  2884 (64F4.exe)      66             3
2884  64F4.exe           4564 (rundll32.exe)  67             3

PID 3024, reported as "Process not Found", is absent from the recorded process tree, yet it writes into 64F4.exe, enumerates processes, spams GetForegroundWindow, adjusts its token and is the process that "deletes itself". The monitor is attributing behaviour to a process it did not track from launch, which is what injection of the loader into an already-running process looks like in this view; the original 3504 process only shows the SCSI check, process enumeration and a MapViewOfSection before the activity moves to 3024.
Processes
C:\Users\Admin\AppData\Local\Temp\6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe
  "C:\Users\Admin\AppData\Local\Temp\6937fe60697ed628fdee0a7cb4e6125e972062d86fe6b276b9cf0305b2a5d322.exe"
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3504

C:\Users\Admin\AppData\Local\Temp\64F4.exe
  C:\Users\Admin\AppData\Local\Temp\64F4.exe
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2884
  C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Etfrehti.dll,start C:\Users\Admin\AppData\Local\Temp\64F4.exe
    - Loads dropped DLL
    PID:4564
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 632
      - Program crash
      PID:3652
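A detection for the rundll32 step in the tree above, as an added example that is not from this report or from tria.ge: it runs over constructed process-creation records (field names modelled on Sysmon Event ID 1, which is an assumption), flags rundll32 launched with a <dll>,<export> argument where the DLL lives in a user-writable directory, and links a later WerFault -p <pid> back to the flagged process. The records reproduce this report's tree plus one benign rundll32 launch for contrast.

```python
import re
import shlex

# Constructed process-creation records (Sysmon Event ID 1 field names are an assumption),
# reproducing the tree from this report plus one benign rundll32 launch for contrast.
EVENTS = [
    {"pid": 2884, "ppid": 3024, "image": r"C:\Users\Admin\AppData\Local\Temp\64F4.exe",
     "cmdline": r"C:\Users\Admin\AppData\Local\Temp\64F4.exe"},
    {"pid": 4564, "ppid": 2884, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Etfrehti.dll,start "
                r"C:\Users\Admin\AppData\Local\Temp\64F4.exe"},
    {"pid": 3652, "ppid": 4564, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4564 -s 632"},
    {"pid": 5000, "ppid": 800, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

# Directories a standard user can write to; a DLL loaded from here by rundll32 is a dropped payload
# far more often than a legitimate component.
USER_WRITABLE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Users\\Public|ProgramData)\\", re.I)


def rundll32_user_dll(ev):
    """Return (dll, export) when rundll32 is given <dll>,<export> with the DLL in a
    user-writable directory; otherwise None."""
    if not ev["image"].lower().endswith("\\rundll32.exe"):
        return None
    tokens = shlex.split(ev["cmdline"], posix=False)  # keeps Windows backslashes intact
    if len(tokens) < 2:
        return None
    dll, _, export = tokens[1].strip('"').partition(",")
    if not USER_WRITABLE.search(dll):
        return None
    return dll, export


def werfault_target(ev):
    """PID named by 'WerFault.exe ... -p <pid>', or None for any other process."""
    if not ev["image"].lower().endswith("\\werfault.exe"):
        return None
    m = re.search(r"(?:^|\s)-p\s+(\d+)", ev["cmdline"])
    return int(m.group(1)) if m else None


def find_chains(events):
    """Every suspicious rundll32 launch, with whether a WerFault report followed for its PID."""
    crashed = {werfault_target(e) for e in events} - {None}
    chains = []
    for ev in events:
        hit = rundll32_user_dll(ev)
        if hit:
            dll, export = hit
            chains.append({"pid": ev["pid"], "ppid": ev["ppid"], "dll": dll,
                           "export": export, "crashed": ev["pid"] in crashed})
    return chains


if __name__ == "__main__":
    for chain in find_chains(EVENTS):
        print(chain)
```

The crash flag matters when reading a trace like this one: rundll32 faulted right after loading Etfrehti.dll, so whatever that export was meant to start never ran, and the absence of later network activity in the report says nothing about what the payload would do on a host where it does not crash.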
Network
MITRE ATT&CK Enterprise v6
Downloads
Two distinct files were downloaded; each appears twice in the report with identical hashes.

Filesize: 1.9MB
MD5: 5731031c67594f7560bc5e266ff1b54e
SHA1: 3a7c6a8da1a1adc57855ac107ab207836cf5ef03
SHA256: c22b9f4c985b1fecd3ec6286ca20293d54b3493781d393996f548d686633ce16
SHA512: 327f61dd81c9094501e55b94b787bb6f227bbf56779081c789218b75cfaf1ec8154c914b060c720710cc13e19726e529d900372957def90c9c6baa6ef0ebba2c

Filesize: 2.5MB
MD5: d7a66ca4622307cefbaf2d548edf21c1
SHA1: d6e7396cf81fddc86bd9a6adb17dbec09fbd532d
SHA256: c692330b06a1c232eafe7e68f867c6f339ca9545834010b0997e19f936ad0b5d
SHA512: 4d9e5fa064ea98af43d5fef363a69a593fdd0ae5f4b79db0794bd5b12e9ffd0c52bb53b7c7b08141f4a33ea7b786f2164504af3295ee9466477270e69b87f41c