Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-1703_x64
  • resource
    win10-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    23-09-2022 06:40

General

  • Target

    16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe

  • Size

    170KB

  • MD5

    1694a1aaab237984a204b338060bde49

  • SHA1

    0b7e55eda5e452041b792a61645602122b5437e7

  • SHA256

    16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee

  • SHA512

    f03a28c3f7942080914f23f2a4a6c014b6289316f122381e747e771b6a9d8fd75968ec83c1d1e1628bd0eb00b9e39d8b82cda2b3af09c469d343dd3a113b5aab

  • SSDEEP

    3072:yJBL8sV5z53hjNhf0F2e081eA/IyGiNBp7uJ/PkW4n:GLN7thjzfw2pvA/I05i

Malware Config

Extracted

Family

danabot

Attributes
  • embedded_hash

    6618C163D57D6441FCCA65D86C4D380D

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer 1 IoCs
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 1 IoCs
  • Deletes itself 1 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe
    "C:\Users\Admin\AppData\Local\Temp\16f52fc9149ef98bd6d8e220ca00451508c02a6e39600acd342dab9d8b5167ee.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:2692
  • C:\Users\Admin\AppData\Local\Temp\7D7D.exe
    C:\Users\Admin\AppData\Local\Temp\7D7D.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4064
    • C:\Windows\SysWOW64\appidtel.exe
      C:\Windows\system32\appidtel.exe
      2⤵
        PID:4104
      • C:\Windows\syswow64\rundll32.exe
        "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
        2⤵
        • Blocklisted process makes network request
        PID:1304
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4064 -s 620
        2⤵
        • Program crash
        PID:1732

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Discovery

    Query Registry

    1
    T1012

    Peripheral Device Discovery

    1
    T1120

    System Information Discovery

    1
    T1082

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7D7D.exe
      Filesize

      1.3MB

      MD5

      10b0c3dfacb99f9f2ca02f9df4bc96db

      SHA1

      13a48798517d9b28961d49bf67f5764b46ca14b7

      SHA256

      1fad233d89ace9b3cb104d99c6d73613e768ff06da482097183880c5c716433f

      SHA512

      b4fc3b20a9f14c777b8d69ca65d02052a13d45a3ee42fc733bdaa299339ce9c4316534b303ce413a8f43efde7d11213067991b3f969c30fefdd884f571e0cb9f

    • memory/1304-221-0x0000000000000000-mapping.dmp
    • memory/1304-281-0x00000000007E0000-0x00000000007E3000-memory.dmp
      Filesize

      12KB

    • memory/1304-282-0x00000000007F0000-0x00000000007F3000-memory.dmp
      Filesize

      12KB

    • memory/1304-283-0x0000000000A00000-0x0000000000A03000-memory.dmp
      Filesize

      12KB

    • memory/1304-284-0x0000000000A10000-0x0000000000A13000-memory.dmp
      Filesize

      12KB

    • memory/2692-136-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-140-0x0000000000600000-0x00000000006AE000-memory.dmp
      Filesize

      696KB

    • memory/2692-122-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-123-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-124-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-125-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-126-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-127-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-128-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-129-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-131-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-132-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-133-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-134-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-135-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-120-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-137-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-138-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-139-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-121-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-141-0x00000000005E0000-0x00000000005E9000-memory.dmp
      Filesize

      36KB

    • memory/2692-142-0x0000000000400000-0x0000000000585000-memory.dmp
      Filesize

      1.5MB

    • memory/2692-143-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-144-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-145-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-146-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-147-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-148-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-149-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-151-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-150-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-152-0x0000000000400000-0x0000000000585000-memory.dmp
      Filesize

      1.5MB

    • memory/2692-119-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-118-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-117-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-116-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/2692-115-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-155-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-161-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-163-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-166-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-169-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-168-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-167-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-170-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-165-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-164-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-160-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-172-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-173-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-174-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-178-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-179-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-177-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-180-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-181-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-182-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-176-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-175-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-183-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-186-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-184-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-187-0x0000000002530000-0x000000000280B000-memory.dmp
      Filesize

      2.9MB

    • memory/4064-185-0x0000000002400000-0x0000000002528000-memory.dmp
      Filesize

      1.2MB

    • memory/4064-200-0x0000000000400000-0x00000000006E8000-memory.dmp
      Filesize

      2.9MB

    • memory/4064-201-0x0000000002530000-0x000000000280B000-memory.dmp
      Filesize

      2.9MB

    • memory/4064-202-0x0000000002400000-0x0000000002528000-memory.dmp
      Filesize

      1.2MB

    • memory/4064-215-0x0000000000400000-0x00000000006E8000-memory.dmp
      Filesize

      2.9MB

    • memory/4064-159-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-158-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-157-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-156-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4064-153-0x0000000000000000-mapping.dmp
    • memory/4104-189-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4104-190-0x0000000077C70000-0x0000000077DFE000-memory.dmp
      Filesize

      1.6MB

    • memory/4104-188-0x0000000000000000-mapping.dmp