Overview

overview

10

Static

static

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/10/2022, 14:00

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    63a1f40c0b381d1b483445822dc2f6a6413a17d58a84f185621b50b54ee8732a.exe

  • Size

    1.3MB

  • MD5

    66eea88b2c9e24cd13f4c86e41b3e6a0

  • SHA1

    b2380bb40efcb87076b5ddbad91ff5c695a1806e

  • SHA256

    63a1f40c0b381d1b483445822dc2f6a6413a17d58a84f185621b50b54ee8732a

  • SHA512

    0945760ccf58ba23db5d0b34c903ccf7dac2f14dc56e0fff993035a6d3c8f2a21f8a3c555a3ed1cfd6730f0c366696d0fc18923af47d5b3f57e0c48e49247029

  • SSDEEP

    24576:LcxerY1UZBGvD/oDIU4Bu70CMP9ie7HxIGwZxCOiOaUIdCZ9lthKR/S:LccmvDNUIurMEe7H6GwWyIoeR/S

Score
10/10
danabotbankertrojan

Malware Config

Extracted

Family

danabot

C2

192.236.233.188:443

192.119.70.159:443

23.106.124.171:443

213.227.155.103:443
Attributes
  • embedded_hash

    56951C922035D696BFCE443750496462

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

    trojanbankerdanabot
  • Blocklisted process makes network request 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 6 IoCs
  • Checks SCSI registry key(s) 3 TTPs 36 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 19 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\63a1f40c0b381d1b483445822dc2f6a6413a17d58a84f185621b50b54ee8732a.exe
    "C:\Users\Admin\AppData\Local\Temp\63a1f40c0b381d1b483445822dc2f6a6413a17d58a84f185621b50b54ee8732a.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2188
    • C:\Windows\SysWOW64\agentactivationruntimestarter.exe
      C:\Windows\system32\agentactivationruntimestarter.exe
      2⤵
        PID:3700
      • C:\Windows\SysWOW64\rundll32.exe
        "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
        2⤵
        • Blocklisted process makes network request
        PID:4084
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 628
        2⤵
        • Program crash
        PID:1504
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 872
        2⤵
        • Program crash
        PID:5056
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 908
        2⤵
        • Program crash
        PID:3464
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1012
        2⤵
        • Program crash
        PID:2896
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1032
        2⤵
        • Program crash
        PID:2820
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1044
        2⤵
        • Program crash
        PID:2288
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k AarSvcGroup -p -s AarSvc
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:4956
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x4e4 0x430
      1⤵
        PID:3364
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2188 -ip 2188
        1⤵
          PID:4432
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2188 -ip 2188
          1⤵
            PID:2508
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2188 -ip 2188
            1⤵
              PID:2544
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 2188 -ip 2188
              1⤵
                PID:3404
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2188 -ip 2188
                1⤵
                  PID:1356
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2188 -ip 2188
                  1⤵
                    PID:3144

                  Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Local\Temp\Sepawuaopqtypsq.tmp
                          Filesize

                          3.3MB

                          MD5

                          8b9c0f72deaf2ee06e7441209cbe4ffb

                          SHA1

                          34912f3c7f4285d85497c96e95c33e5d6a597c97

                          SHA256

                          1e7242ac7c025b87636e59c07e3601f1bbf5894ce0b23709405b6fefbca4dabe

                          SHA512

                          db8fb980b6331f494fea8dd4adf6d8724c9ad1a7a2048c6d91e49d9e81fc83700c1195854efc5dcbe2b3aef8d94b5f0ddd7ae8910f40b9cdab017e381f855cd7

                          Download Submit

                        • memory/2188-137-0x0000000000400000-0x00000000006CE000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-146-0x0000000003FC0000-0x0000000004100000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/2188-135-0x0000000000400000-0x00000000006CE000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-136-0x00000000025D0000-0x0000000002892000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-132-0x000000000245E000-0x000000000257C000-memory.dmp

                          Filesize

                          1.1MB

                          Download

                        • memory/2188-138-0x0000000000400000-0x00000000006CE000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-139-0x0000000000400000-0x00000000006CE000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-152-0x00000000032E0000-0x0000000003DA3000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2188-133-0x00000000025D0000-0x0000000002892000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-151-0x0000000003FC0000-0x0000000004100000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/2188-145-0x00000000032E0000-0x0000000003DA3000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2188-144-0x00000000032E0000-0x0000000003DA3000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2188-143-0x00000000032E0000-0x0000000003DA3000-memory.dmp

                          Filesize

                          10.8MB

                          Download

                        • memory/2188-141-0x0000000000400000-0x00000000006CE000-memory.dmp

                          Filesize

                          2.8MB

                          Download

                        • memory/2188-147-0x0000000003FC0000-0x0000000004100000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/2188-148-0x0000000003FC0000-0x0000000004100000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/2188-150-0x0000000003FC0000-0x0000000004100000-memory.dmp

                          Filesize

                          1.2MB

                          Download

                        • memory/2188-149-0x0000000003FC0000-0x0000000004100000-memory.dmp

                          Filesize

                          1.2MB

                          Download