Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 04-10-2022 14:05
- static task: static1
- behavioral task: behavioral1 (sample malware_smoke_809594919.exe, resource win7-20220901-en, windows7-x64, 3 signatures, 150 seconds)
General
- Target: malware_smoke_809594919.exe
- Size: 1011KB
- MD5: 37d8178ae059b50a0a8f3029aec04dd4
- SHA1: ae023282071e3f7dfb66cb2f9023e0878716c29a
- SHA256: 3f2fa8fca7ba420f027c34c8b64201fa533ca9ddd5c29770d1ae6887543236bb
- SHA512: 3fb90a11985ac0eea58d57344e095b62c678325961605372fa3f0db2393140128ccd2dac25202e0a345a0ee5b59a559a5a74eb81e753a264a7c1e0a2e7b1f63d
- SSDEEP: 24576:Vp9jw0ccQSjBeJ90i7KV7rSKNq43UfuaUHOavdLL:+fcru2QKV7rSR4gYL
Malware Config (extracted)
- Family: danabot
- Botnet: 5
- C2: 23.254.133.7:443, 213.227.155.102:443
- Attributes:
  - embedded_hash: 12DF5314C5FDA13D9BF397EE140FD5E8
  - type: loader
Signatures
- Blocklisted process makes network request (48 IoCs)
  Processes (flow, pid, process): network flows 2, 4-15 and 17-51, all from PID 1688 rundll32.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process): PID 2032 malware_smoke_809594919.exe wrote to memory of PID 1688 rundll32.exe (23 occurrences)
Processes
1. C:\Users\Admin\AppData\Local\Temp\malware_smoke_809594919.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\malware_smoke_809594919.exe"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\syswow64\rundll32.exe (child of 1)
      Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      - Blocklisted process makes network request
Downloads (memory dumps)
- memory/1688-59-0x00000000001C0000-0x00000000001C2000-memory.dmp (filesize 8KB)
- memory/1688-61-0x0000000000000000-mapping.dmp
- memory/1688-63-0x00000000000C0000-0x00000000000C2000-memory.dmp (filesize 8KB)
- memory/1688-64-0x00000000000D0000-0x00000000000D2000-memory.dmp (filesize 8KB)
- memory/1688-66-0x00000000000D0000-0x00000000000D2000-memory.dmp (filesize 8KB)
- memory/2032-54-0x0000000000220000-0x00000000002EA000-memory.dmp (filesize 808KB)
- memory/2032-55-0x00000000766D1000-0x00000000766D3000-memory.dmp (filesize 8KB)
- memory/2032-56-0x0000000000220000-0x00000000002EA000-memory.dmp (filesize 808KB)
- memory/2032-57-0x0000000001F60000-0x0000000002153000-memory.dmp (filesize 1.9MB)
- memory/2032-58-0x0000000000400000-0x00000000005FE000-memory.dmp (filesize 2.0MB)
- memory/2032-65-0x0000000000400000-0x00000000005FE000-memory.dmp (filesize 2.0MB)