Analysis
max time kernel: 144s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-10-2022 14:12
Static task
static1
Behavioral task
behavioral1
Sample: malware_smoke_1300718746.exe
Resource: win7-20220812-en (windows7-x64)
3 signatures, 150 seconds
General
Target: malware_smoke_1300718746.exe
Size: 1.0MB
MD5: 918be9d668bffdec63f184050d4b2883
SHA1: 63adbf4aeeffe68460bf64f4832c6660193e30c0
SHA256: cbced5793450b49eedfaa70e1f569e0d80c336faeac2a5a16a3fc43536b0970d
SHA512: 564107fa81f0d20874b1d5a524d9a4eba972803324b284b70d0c01147e657609e3818497dcae66195096f643c4c69fd61e5bc8e3da5ec197d235a780aac7f81d
SSDEEP: 24576:ED+Xqsgozyz8SK0jgiQR5nYuuPsYY9h2yLz8iL5RB:Hasnzy3OF3JuPe9wy
Malware Config
Extracted
Family: danabot
Botnet: 5
C2:
  23.254.133.7:443
  213.227.155.102:443
Attributes:
  embedded_hash: 12DF5314C5FDA13D9BF397EE140FD5E8
  type: loader
Signatures
Blocklisted process makes network request (36 IoCs)
Processes:
  flow                                                                                       pid   process
  10, 16, 17, 18, 19, 21, 29, 33, 34, 35, 36, 37, 40, 41, 44, 45, 46, 47, 48, 49, 50, 51,   3840  rundll32.exe
  52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65 (36 flows, all from the same pid)
Program crash (1 IoC)
Processes:
  pid   pid_target  process       target process
  2288  1884        WerFault.exe  malware_smoke_1300718746.exe
Suspicious use of WriteProcessMemory (19 IoCs)
Processes:
  description                       pid   process                       target process
  PID 1884 wrote to memory of 3840  1884  malware_smoke_1300718746.exe  rundll32.exe  (19 identical writes)
Processes
C:\Users\Admin\AppData\Local\Temp\malware_smoke_1300718746.exe  (PID 1884)
  "C:\Users\Admin\AppData\Local\Temp\malware_smoke_1300718746.exe"
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\rundll32.exe  (PID 3840)
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      - Blocklisted process makes network request
    C:\Windows\SysWOW64\WerFault.exe  (PID 2288)
      C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 612
      - Program crash
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 1884 -ip 1884
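The three signatures above describe one chain: the dropped sample in AppData\Local\Temp launches rundll32.exe on shell32.dll by export ordinal (#61), writes into that child's memory 19 times, and from then on it is the rundll32.exe child (PID 3840), not the loader, that talks to the two DanaBot C2 endpoints on 443. The script below is an added example of turning that chain into correlated detection logic; it is not part of the Triage report or of any sandbox's code. The event records and their field names (process_create, memory_write, network_connect) are constructed for this example and mirror the report's process tree and signature tables; they are not real Sysmon or EDR telemetry, and the benign control event uses a TEST-NET-2 documentation address.

```python
"""Correlate the report's three behaviours (rundll32 by ordinal, cross-process
write, C2 flow from the injected child) over constructed process events."""
import re
from collections import defaultdict

# C2 endpoints lifted from the extracted DanaBot config in this report.
C2_ENDPOINTS = {("23.254.133.7", 443), ("213.227.155.102", 443)}

# rundll32 invoking shell32.dll by export ordinal, as in the process tree ("shell32.dll",#61).
ORDINAL_EXPORT = re.compile(r'shell32\.dll"?\s*,\s*#\d+', re.IGNORECASE)
# Parent living in a user-writable drop location, as the sample does.
USER_WRITABLE = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)

# Constructed events modelled on the report (field names are this example's own).
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 1884, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1300718746.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\malware_smoke_1300718746.exe"'},
    {"type": "process_create", "pid": 3840, "ppid": 1884,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r'"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61'},
    {"type": "memory_write", "pid": 1884, "target_pid": 3840},
    {"type": "network_connect", "pid": 3840, "dst_ip": "23.254.133.7", "dst_port": 443},
    {"type": "network_connect", "pid": 3840, "dst_ip": "213.227.155.102", "dst_port": 443},
    {"type": "process_create", "pid": 2288, "ppid": 1884,
     "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 1884 -s 612"},
    # Benign control (constructed): rundll32 by export name from a normal parent,
    # no injection, destination is a documentation address (TEST-NET-2).
    {"type": "process_create", "pid": 5000, "ppid": 900,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network_connect", "pid": 5000, "dst_ip": "198.51.100.10", "dst_port": 443},
]


def _is_rundll32(proc):
    return proc is not None and proc["image"].lower().endswith("rundll32.exe")


def analyze(events):
    """Return {pid: sorted rule names} for every pid that tripped at least one rule."""
    procs = {}                     # pid -> its process_create record
    injected = defaultdict(set)    # target pid -> pids that wrote into it
    hits = defaultdict(set)

    for ev in events:
        kind = ev["type"]
        if kind == "process_create":
            procs[ev["pid"]] = ev
            # Rule 1: rundll32 loading shell32 by ordinal, spawned from a Temp-dropped parent.
            if _is_rundll32(ev) and ORDINAL_EXPORT.search(ev["cmdline"]):
                parent = procs.get(ev["ppid"])
                if parent and USER_WRITABLE.search(parent["image"]):
                    hits[ev["pid"]].add("rundll32_ordinal_from_temp_parent")
        elif kind == "memory_write":
            injected[ev["target_pid"]].add(ev["pid"])
            # Rule 2: anything writing into a rundll32 child is an injection indicator.
            if _is_rundll32(procs.get(ev["target_pid"])):
                hits[ev["target_pid"]].add("cross_process_write_into_rundll32")
        elif kind == "network_connect":
            endpoint = (ev["dst_ip"], ev["dst_port"])
            # Rule 3a: known C2 endpoint from the extracted config, whoever connects.
            if endpoint in C2_ENDPOINTS:
                hits[ev["pid"]].add("danabot_c2_contact")
            # Rule 3b: generic fallback, a previously written-into rundll32 going outbound.
            elif _is_rundll32(procs.get(ev["pid"])) and ev["pid"] in injected:
                hits[ev["pid"]].add("injected_rundll32_network")

    return {pid: sorted(rules) for pid, rules in hits.items()}


if __name__ == "__main__":
    for pid, rules in analyze(SAMPLE_EVENTS).items():
        print(pid, rules)
```

Rule 3b is the part worth keeping once the two C2 addresses rotate: the report shows the network activity coming from the injected rundll32.exe child, so an outbound connection from a rundll32 that some other process has already written into is the durable signal, independent of the IP list.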
Downloads
memory/1884-132-0x0000000000A55000-0x0000000000B1F000-memory.dmp  (Filesize 808KB)
memory/1884-133-0x00000000022E0000-0x00000000024D3000-memory.dmp  (Filesize 1.9MB)
memory/1884-134-0x0000000000400000-0x00000000005FE000-memory.dmp  (Filesize 2.0MB)
memory/1884-136-0x0000000000400000-0x00000000005FE000-memory.dmp  (Filesize 2.0MB)
memory/3840-135-0x0000000000000000-mapping.dmp