Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-1703_x64 -
resource
win10-20220812-en -
resource tags
-
submitted
27-10-2022 12:35
General
-
Target
0312783b108da0ed9b172c72a935119f199d7976f30d55e0dc830e90e78b4d5a.exe
-
Size
260KB
-
MD5
0422013509122e0b6c419b0d8e41e762
-
SHA1
05df75f7b2391c7485920367058b487306e5dab7
-
SHA256
0312783b108da0ed9b172c72a935119f199d7976f30d55e0dc830e90e78b4d5a
-
SHA512
2c46102c3a662d2518798c3853d0e890e35282e1dbae2a155336ef9656e7bae94574371e7081fc0ef37090c55b8f0cbb98f856a070104e9604887ca04451efca
-
SSDEEP
6144:dqhhmHJQAaPd9FZh6h98USHgn+PkfZx0U:dWhmHJQA2d9Lh6h966+28
Score
10/10
Malware Config
Extracted
Family
danabot
C2
172.86.120.215:443
213.227.155.103:443
103.187.26.147:443
172.86.120.138:443
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
Attributes
-
embedded_hash
BBBB0DB8CB7E6D152424535822E445A7
-
type
loader
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Blocklisted process makes network request 3 IoCs
-
Downloads MZ/PE file
-
Executes dropped EXE 1 IoCs
-
Deletes itself 1 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 38 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 4 IoCs
-
Modifies registry class 20 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0312783b108da0ed9b172c72a935119f199d7976f30d55e0dc830e90e78b4d5a.exe"C:\Users\Admin\AppData\Local\Temp\0312783b108da0ed9b172c72a935119f199d7976f30d55e0dc830e90e78b4d5a.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\1F6F.exeC:\Users\Admin\AppData\Local\Temp\1F6F.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\appidtel.exeC:\Windows\system32\appidtel.exe2⤵
-
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
-
C:\Windows\syswow64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Blocklisted process makes network request
- Checks processor information in registry
- Modifies registry class
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\1F6F.exeFilesize
1.3MB
MD55bca63386bbada2c021da12fae6e0a2b
SHA19ac800c5c720e0c4f6a21fdb27211c4a9a875452
SHA256b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be
SHA512957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339
-
C:\Users\Admin\AppData\Local\Temp\1F6F.exeFilesize
1.3MB
MD55bca63386bbada2c021da12fae6e0a2b
SHA19ac800c5c720e0c4f6a21fdb27211c4a9a875452
SHA256b09c865208a4ae4f0960b5acc8229e7964a5c237cc0dd3de82137c65afcd91be
SHA512957f2cc397158d9784fb4c45349f16597c28837064a40b7865c291a29acf1cb2d21334efe5bb5e861f98cc1453d800ac0f60bc28d6b1aaed89d2b6463f376339
-
C:\Users\Admin\AppData\Local\Temp\Dhfteep.tmpFilesize
3.3MB
MD59ee66bd586450c037b6a14eed557a159
SHA16218331454c5204349b259ea260dd2161ce41371
SHA256d9cf31419401bed1796f49f2daea2f9eea468c3643ab9086ba61d24e3283db0f
SHA512eabdb81f278abe54088740b4139ca6d5b8cf99c014102128b9c3ebebf51b163d6ba0b06a066de1eeb33199c2a475c0ce585c102b7684ce2d086b493f842ee8a8
-
memory/2676-137-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-121-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-120-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-140-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-122-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-123-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-124-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-125-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-126-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-127-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-128-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-129-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-130-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-131-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-132-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-139-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-134-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-135-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-136-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-118-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-115-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-119-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-133-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-141-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-142-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-143-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-146-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-145-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-144-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-147-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-149-0x0000000002C30000-0x0000000002D7A000-memory.dmpFilesize
1.3MB
-
memory/2676-148-0x0000000002EF3000-0x0000000002F08000-memory.dmpFilesize
84KB
-
memory/2676-150-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/2676-151-0x0000000000400000-0x0000000002C2E000-memory.dmpFilesize
40.2MB
-
memory/2676-117-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-116-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2676-138-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/2900-283-0x0000000000590000-0x0000000000593000-memory.dmpFilesize
12KB
-
memory/2900-282-0x0000000000580000-0x0000000000583000-memory.dmpFilesize
12KB
-
memory/2900-281-0x0000000000570000-0x0000000000573000-memory.dmpFilesize
12KB
-
memory/2900-262-0x0000000000560000-0x0000000000563000-memory.dmpFilesize
12KB
-
memory/2900-301-0x0000000000590000-0x0000000000593000-memory.dmpFilesize
12KB
-
memory/2900-221-0x0000000000000000-mapping.dmp
-
memory/4748-186-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4748-187-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4748-185-0x0000000000000000-mapping.dmp
-
memory/4768-173-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-167-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-166-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-160-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-168-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-170-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-171-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-172-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-174-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-162-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-176-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-177-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-178-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-175-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-179-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-163-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-181-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-182-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-183-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-184-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-412-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4768-165-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-180-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-190-0x0000000003280000-0x00000000033A5000-memory.dmpFilesize
1.1MB
-
memory/4768-191-0x0000000004B50000-0x0000000004E1C000-memory.dmpFilesize
2.8MB
-
memory/4768-199-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4768-200-0x0000000003280000-0x00000000033A5000-memory.dmpFilesize
1.1MB
-
memory/4768-201-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4768-203-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4768-159-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-158-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-157-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-156-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-155-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-154-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-302-0x0000000000400000-0x0000000002D3B000-memory.dmpFilesize
41.2MB
-
memory/4768-152-0x0000000000000000-mapping.dmp
-
memory/4768-164-0x00000000774C0000-0x000000007764E000-memory.dmpFilesize
1.6MB
-
memory/4768-349-0x0000000005610000-0x00000000060CC000-memory.dmpFilesize
10.7MB
-
memory/5048-397-0x0000000002CF0000-0x000000000368C000-memory.dmpFilesize
9.6MB
-
memory/5048-401-0x0000000004E50000-0x000000000590C000-memory.dmpFilesize
10.7MB
-
memory/5048-334-0x0000000000CD5FB0-mapping.dmp
-
memory/5048-442-0x0000000004E50000-0x000000000590C000-memory.dmpFilesize
10.7MB