Analysis

  • max time kernel
    91s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07/10/2022, 11:31 UTC

General

  • Target

    b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe

  • Size

    1.3MB

  • MD5

    f0c494e386eee0c623b4a7685f01916e

  • SHA1

    0ad286248fddf6500c01caf659736e737e0b7e9c

  • SHA256

    b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e

  • SHA512

    de03f3daafda3c0ab8604e5cb5fdfafa83ee8e136b5dac9c375b99e1cf452aa0afd310239663b27c7b38b287549eb8b4cc057ba7b771e30ca064efb7f4e5962f

  • SSDEEP

    24576:2GgQbyym/cA+QtEsBaJGhuk3gd5nlmkOYHgjDHpDXJ6aYg+f5:2UK6ScM73KOYHgPVJ/H

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443

Attributes
  • embedded_hash

    56951C922035D696BFCE443750496462

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Blocklisted process makes network request 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 24 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 5 IoCs
  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 48 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe
    "C:\Users\Admin\AppData\Local\Temp\b6044f9ec3560bbbfa3ea4d2300e6a03df446b33805d06e8c4d73162e5d9a02e.exe"
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:4752
    • C:\Windows\SysWOW64\agentactivationruntimestarter.exe
      C:\Windows\system32\agentactivationruntimestarter.exe
      PID:4944
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      • Blocklisted process makes network request
      PID:3656
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 596
      • Program crash
      PID:2796
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 876
      • Program crash
      PID:3096
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 876
      • Program crash
      PID:2808
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 940
      • Program crash
      PID:3880
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      • Blocklisted process makes network request
      • Enumerates connected drives
      • Drops file in Program Files directory
      • Checks processor information in registry
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:4884
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4752 -s 1036
      • Program crash
      PID:3376
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4128
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x510 0x33c
    PID:5092
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 4752 -ip 4752
    PID:3864
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 4752 -ip 4752
    PID:452
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4752 -ip 4752
    PID:2100
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 4752 -ip 4752
    PID:4140
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 4752 -ip 4752
    PID:1020

Network

  • GET https://192.236.233.188/Ga3q93tybV/PwmabJ6gJXN29YX5c9uCmmhrZpO60SZMijOn8kQXRKdiHA+KxfqI4b6DmkpisGw3wO/dqpy368i43lSk0/PeaJ7DcoyeLec3mnq3mOkTw3BYTnY2sy7Mib+0L+xBTi2AREoh+oCLR67DeBjrG36SmEXREAOgdSoWxgrLa+hs7W3ubu9v7HDxcfA==
    rundll32.exe
    Remote address: 192.236.233.188:443
    Request
    GET /Ga3q93tybV/PwmabJ6gJXN29YX5c9uCmmhrZpO60SZMijOn8kQXRKdiHA+KxfqI4b6DmkpisGw3wO/dqpy368i43lSk0/PeaJ7DcoyeLec3mnq3mOkTw3BYTnY2sy7Mib+0L+xBTi2AREoh+oCLR67DeBjrG36SmEXREAOgdSoWxgrLa+hs7W3ubu9v7HDxcfA== HTTP/1.1
    Host: 192.236.233.188
    Response
    HTTP/1.0 200 OK
    Server: Apache/2.4.7 (Ubuntu)
    Accept-Ranges: bytes
    Content-Type: application/octet-stream
    Content-Disposition: attachment; filename=3EA0035295F7CA0C359C0E74E1172AC3
    Connection: Close
    Content-Length: 3426304
    Connection: close
  • 93.184.220.29:80
    322 B
    7
  • 93.184.221.240:80
    322 B
    7
  • 20.189.173.7:443
    322 B
    7
  • 13.107.4.50:80
    322 B
    7
  • 13.107.4.50:80
    322 B
    7
  • 13.107.4.50:80
    322 B
    7
  • 192.236.233.188:443
    https://192.236.233.188/Ga3q93tybV/PwmabJ6gJXN29YX5c9uCmmhrZpO60SZMijOn8kQXRKdiHA+KxfqI4b6DmkpisGw3wO/dqpy368i43lSk0/PeaJ7DcoyeLec3mnq3mOkTw3BYTnY2sy7Mib+0L+xBTi2AREoh+oCLR67DeBjrG36SmEXREAOgdSoWxgrLa+hs7W3ubu9v7HDxcfA==
    tls, http
    rundll32.exe
    160.2kB
    3.5MB
    2541
    2537

    HTTP Request

    GET https://192.236.233.188/Ga3q93tybV/PwmabJ6gJXN29YX5c9uCmmhrZpO60SZMijOn8kQXRKdiHA+KxfqI4b6DmkpisGw3wO/dqpy368i43lSk0/PeaJ7DcoyeLec3mnq3mOkTw3BYTnY2sy7Mib+0L+xBTi2AREoh+oCLR67DeBjrG36SmEXREAOgdSoWxgrLa+hs7W3ubu9v7HDxcfA==

    HTTP Response

    200
  • 192.236.233.188:443
    https
    rundll32.exe
    101.0kB
    29.7kB
    112
    88
  • 127.0.0.1:25340
    rundll32.exe

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp

    Filesize

    3.3MB

    MD5

    8b9c0f72deaf2ee06e7441209cbe4ffb

    SHA1

    34912f3c7f4285d85497c96e95c33e5d6a597c97

    SHA256

    1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

    SHA512

    db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

  • memory/3656-142-0x0000000000A90000-0x0000000000A94000-memory.dmp (Filesize 16KB)
  • memory/3656-141-0x0000000000A90000-0x0000000000A94000-memory.dmp (Filesize 16KB)
  • memory/3656-140-0x0000000000A80000-0x0000000000A84000-memory.dmp (Filesize 16KB)
  • memory/4752-148-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-150-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-137-0x0000000000400000-0x00000000006CE000-memory.dmp (Filesize 2.8MB)
  • memory/4752-136-0x0000000000400000-0x00000000006CE000-memory.dmp (Filesize 2.8MB)
  • memory/4752-135-0x0000000000400000-0x00000000006CE000-memory.dmp (Filesize 2.8MB)
  • memory/4752-134-0x00000000025A0000-0x0000000002862000-memory.dmp (Filesize 2.8MB)
  • memory/4752-133-0x000000000244C000-0x000000000256A000-memory.dmp (Filesize 1.1MB)
  • memory/4752-144-0x0000000003120000-0x0000000003BE3000-memory.dmp (Filesize 10.8MB)
  • memory/4752-145-0x0000000003120000-0x0000000003BE3000-memory.dmp (Filesize 10.8MB)
  • memory/4752-146-0x0000000003120000-0x0000000003BE3000-memory.dmp (Filesize 10.8MB)
  • memory/4752-147-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-163-0x0000000003120000-0x0000000003BE3000-memory.dmp (Filesize 10.8MB)
  • memory/4752-149-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-138-0x0000000000400000-0x00000000006CE000-memory.dmp (Filesize 2.8MB)
  • memory/4752-151-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-152-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-153-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-154-0x0000000003DD0000-0x0000000003F10000-memory.dmp (Filesize 1.2MB)
  • memory/4752-162-0x0000000000400000-0x00000000006CE000-memory.dmp (Filesize 2.8MB)
  • memory/4752-159-0x0000000000400000-0x00000000006CE000-memory.dmp (Filesize 2.8MB)
  • memory/4884-157-0x0000000003760000-0x00000000038A0000-memory.dmp (Filesize 1.2MB)
  • memory/4884-158-0x0000000003760000-0x00000000038A0000-memory.dmp (Filesize 1.2MB)
  • memory/4884-156-0x0000000002C90000-0x0000000003753000-memory.dmp (Filesize 10.8MB)
  • memory/4884-160-0x0000000000B40000-0x00000000014E4000-memory.dmp (Filesize 9.6MB)
  • memory/4884-161-0x0000000002C90000-0x0000000003753000-memory.dmp (Filesize 10.8MB)
  • memory/4884-164-0x0000000002C90000-0x0000000003753000-memory.dmp (Filesize 10.8MB)