Analysis
- max time kernel: 155s
- max time network: 163s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-10-2022 14:09
- Static task: static1
- Behavioral task: behavioral1
- Sample: malware_smoke_2685359676.exe
- Resource: win7-20220901-en
- 3 signatures
- 150 seconds
General
- Target: malware_smoke_2685359676.exe
- Size: 1.0MB
- MD5: 709ac17aa5df3c0524aea20526c972a8
- SHA1: 7ca26cff5ad3877c54539b14b85267689e9167b0
- SHA256: 2115604b92baedae0ce00d0999b30ce95ef4b7a500394d93ff0964058564b86f
- SHA512: 0f6aa767a8103600b708d5f67b06c0c07c7ee810c30138d63715e3333dc6dd8065cea54992fb7002fff1efb3aa12a3f1b270209f833f579cf8fd40850bc553c4
- SSDEEP: 24576:Ur9ateFHxSeaj01+U/76idwZmmA2E5R4Fn3Z5Uhp/1fKbEWA:UdHxb801+U/e3A2E5SF3Zqhp1fKb
Malware Config
Extracted
- Family: danabot
- Botnet: 5
- C2:
  - 23.254.133.7:443
  - 213.227.155.102:443
- Attributes:
  - embedded_hash: 12DF5314C5FDA13D9BF397EE140FD5E8
  - type: loader
Signatures
- Blocklisted process makes network request (33 IoCs)
  Processes (flow, pid, process):
  flows 13, 15, 16, 22, 23, 26, 34, 36, 37, 40, 41, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66: pid 2260, rundll32.exe
- Program crash (1 IoC)
  Processes (pid, pid_target, process, target process):
  1312, 780, WerFault.exe, malware_smoke_2685359676.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
  Processes (description, pid, process, target process):
  PID 780 wrote to memory of 2260; 780, malware_smoke_2685359676.exe, rundll32.exe (this identical entry is recorded 23 times)
Processes
- C:\Users\Admin\AppData\Local\Temp\malware_smoke_2685359676.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\malware_smoke_2685359676.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Blocklisted process makes network request
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 780 -s 612
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 780 -ip 780
Downloads
- memory/780-132-0x0000000002231000-0x00000000022FB000-memory.dmp (Filesize: 808KB)
- memory/780-133-0x0000000002300000-0x00000000024F3000-memory.dmp (Filesize: 1.9MB)
- memory/780-134-0x0000000000400000-0x00000000005FE000-memory.dmp (Filesize: 2.0MB)
- memory/780-135-0x0000000002300000-0x00000000024F3000-memory.dmp (Filesize: 1.9MB)
- memory/780-136-0x0000000000400000-0x00000000005FE000-memory.dmp (Filesize: 2.0MB)
- memory/2260-137-0x0000000000000000-mapping.dmp
- memory/2260-138-0x0000000000CC0000-0x0000000000CC3000-memory.dmp (Filesize: 12KB)
- memory/2260-139-0x0000000000CD0000-0x0000000000CD3000-memory.dmp (Filesize: 12KB)
- memory/2260-140-0x0000000000CD0000-0x0000000000CD3000-memory.dmp (Filesize: 12KB)