Analysis
- max time kernel: 143s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-10-2022 07:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe
- Resource: win7-20220812-en
General
- Target: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe
- Size: 1.2MB
- MD5: 39ae3110dc8ee4239811f2a1083e675e
- SHA1: f235ea35b4a408a052ec5bc93310adb77b52ecbc
- SHA256: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7
- SHA512: cee1b9804a3a3d4f033d8076f66ffd6021a0b017a7588b96749d319d382056847d26aedc2f1fa5b7140c01697407da3c2873d59c78044376b083bc8f0c8494ee
- SSDEEP: 24576:aG4NAckBXt2Uj3WTNWIcXuDTPyYaOnuhZiOASiN0A:O0shOeDjzagumObiN
Malware Config
Extracted
- danabot
- 4
- 192.119.110.73:443
- 192.236.192.201:443
- embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
- type: loader
Signatures
- Danabot Loader Component (2 IoCs)
  Processes:
    resource: C:\Users\Admin\AppData\Local\Temp\24989D~1.DLL, yara_rule: DanabotLoader2021
    resource: C:\Users\Admin\AppData\Local\Temp\24989D~1.EXE.dll, yara_rule: DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes:
    flow: 32, pid: 3468, process: rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes:
    pid: 3468, process: rundll32.exe
- Program crash (1 IoC)
  Processes:
    pid: 3464, pid_target: 4844, process: WerFault.exe, target process: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description: PID 4844 wrote to memory of 3468, pid: 4844, process: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe, target process: rundll32.exe
    description: PID 4844 wrote to memory of 3468, pid: 4844, process: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe, target process: rundll32.exe
    description: PID 4844 wrote to memory of 3468, pid: 4844, process: 24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe, target process: rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24989d884f480964f0cfd5d5ed0cf785b6b97843779051ab12c6c17beabb15b7.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\24989D~1.DLL,s C:\Users\Admin\AppData\Local\Temp\24989D~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4844 -s 536
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4844 -ip 4844
Downloads
- C:\Users\Admin\AppData\Local\Temp\24989D~1.DLL
  Filesize: 1.3MB
  MD5: 75fc2614c6155104791c20a2bb421ac1
  SHA1: 4b310814161ee1605a10536f32b40bb98d74eb9c
  SHA256: 5ed2de37c6a40fb6ce089d14a025aa9c5422ece049c6fbd4f5bc33fe34a6b50b
  SHA512: ce439aae25431cb127c72424960a65655ae4d1500fd44c3ac0721d88d437ac2aef02d0303691811293010cb79cfe1a1840ac9e6708b210848637e00723e4782d
- C:\Users\Admin\AppData\Local\Temp\24989D~1.EXE.dll
  Filesize: 1.3MB
  MD5: 75fc2614c6155104791c20a2bb421ac1
  SHA1: 4b310814161ee1605a10536f32b40bb98d74eb9c
  SHA256: 5ed2de37c6a40fb6ce089d14a025aa9c5422ece049c6fbd4f5bc33fe34a6b50b
  SHA512: ce439aae25431cb127c72424960a65655ae4d1500fd44c3ac0721d88d437ac2aef02d0303691811293010cb79cfe1a1840ac9e6708b210848637e00723e4782d
- memory/3468-134-0x0000000000000000-mapping.dmp
- memory/4844-132-0x0000000002360000-0x000000000244E000-memory.dmp
  Filesize: 952KB
- memory/4844-133-0x0000000002450000-0x0000000002556000-memory.dmp
  Filesize: 1.0MB
- memory/4844-137-0x0000000000400000-0x0000000000532000-memory.dmp
  Filesize: 1.2MB
- memory/4844-138-0x0000000002450000-0x0000000002556000-memory.dmp
  Filesize: 1.0MB