Analysis
- max time kernel: 148s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 17-10-2022 13:23
Static task: static1
Behavioral task: behavioral1
Sample: Faktura.PDF.exe
Resource: win7-20220901-en
General
- Target: Faktura.PDF.exe
- Size: 3.2MB
- MD5: 5da162eebc4d19470d96c9138eef7c1b
- SHA1: 674fae4a60d3040bf962c8ff0af5bd14bcb9ed9e
- SHA256: 3c825d5a2cc6da2b923f3bba6ba850295e0e23ca8ddad1f716d859d585c225e6
- SHA512: 08efaea6cc218b873b23727ca6f72f06460dc5b1d3ab6af2a551f5ce6d3ea796a10112c1ab88c8e82744b614b778b239eef7ed1b3805f14c9a3a96844b3535e8
- SSDEEP: 98304:tjeA5Hw2+x3MOITGA2ZgtMvhjvsSk3SU7iio:heA5H9AIythjvm3lo
Malware Config
Extracted
- Family: danabot
- Addresses:
  - 136.167.173.24
  - 73.114.1.155
  - 45.172.198.33
  - 100.88.36.122
  - 106.127.134.181
  - 195.123.220.45
  - 151.236.14.84
  - 198.102.202.22
  - 19.121.241.168
  - 222.30.140.7
Signatures
- Danabot x86 payload (4 IoCs)
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  Processes:
    resource                                        yara_rule
    C:\Users\Admin\AppData\Local\Temp\Faktura.dll   family_danabot
    C:\Users\Admin\AppData\Local\Temp\Faktura.dll   family_danabot
    C:\Users\Admin\AppData\Local\Temp\Faktura.dll   family_danabot
    C:\Users\Admin\AppData\Local\Temp\Faktura.dll   family_danabot
- Blocklisted process makes network request (8 IoCs)
  Processes:
    flow   pid    process
    15     2252   rundll32.exe
    17     2252   rundll32.exe
    30     2252   rundll32.exe
    36     2252   rundll32.exe
    37     2252   rundll32.exe
    40     2252   rundll32.exe
    42     2252   rundll32.exe
    43     2252   rundll32.exe
- Loads dropped DLL (3 IoCs)
  Processes:
    pid    process
    4964   regsvr32.exe
    2252   rundll32.exe
    2252   rundll32.exe
- Program crash (1 IoC)
  Processes:
    pid    pid_target   process        target process
    2376   4988         WerFault.exe   Faktura.PDF.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                         pid    process           target process
    PID 4988 wrote to memory of 4964    4988   Faktura.PDF.exe   regsvr32.exe
    PID 4988 wrote to memory of 4964    4988   Faktura.PDF.exe   regsvr32.exe
    PID 4988 wrote to memory of 4964    4988   Faktura.PDF.exe   regsvr32.exe
    PID 4964 wrote to memory of 2252    4964   regsvr32.exe      rundll32.exe
    PID 4964 wrote to memory of 2252    4964   regsvr32.exe      rundll32.exe
    PID 4964 wrote to memory of 2252    4964   regsvr32.exe      rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\Faktura.PDF.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Faktura.PDF.exe"
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\regsvr32.exe
    Command line: C:\Windows\system32\regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\Faktura.dll f1 C:\Users\Admin\AppData\Local\Temp\FAKTUR~1.EXE@4988
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Faktura.dll,f0
      - Blocklisted process makes network request
      - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4988 -s 424
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4988 -ip 4988
Network
MITRE ATT&CK Matrix
Downloads
- C:\Users\Admin\AppData\Local\Temp\Faktura.dll
  Filesize: 1.3MB
  MD5: d84c213b9d5f4c7d747f772524972cc6
  SHA1: 870e13b0eed7d595edc30d6680f402790176a6b2
  SHA256: fac9994f5c4520a355ddaf2a71d796a601bc962dbad0c8831e342409d803181b
  SHA512: d7b87f5ff51d512252948b4ffac11a94b573d73bf6d55e889d4af80433cd4b0cd3ed4636d8f655bdd3773b5fadba1058287d1678790b91fd35a5d56172ac133b
- memory/2252-140-0x0000000000000000-mapping.dmp
- memory/2252-143-0x0000000002C50000-0x0000000002DB5000-memory.dmp
  Filesize: 1.4MB
- memory/4964-137-0x0000000000000000-mapping.dmp
- memory/4988-135-0x0000000002C60000-0x0000000002EB0000-memory.dmp
  Filesize: 2.3MB
- memory/4988-136-0x0000000000400000-0x000000000074A000-memory.dmp
  Filesize: 3.3MB
- memory/4988-134-0x0000000000400000-0x000000000074A000-memory.dmp
  Filesize: 3.3MB
- memory/4988-133-0x0000000002C60000-0x0000000002EB0000-memory.dmp
  Filesize: 2.3MB
- memory/4988-132-0x0000000002A0A000-0x0000000002BC8000-memory.dmp
  Filesize: 1.7MB
- memory/4988-144-0x0000000000400000-0x000000000074A000-memory.dmp
  Filesize: 3.3MB