Analysis
max time kernel: 42s
max time network: 45s
platform: windows7_x64
resource: win7-20220812-en
resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
submitted: 10-11-2022 21:02

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: f90484603fcebe6dcf6d13b4154c6761cfa084e0a8ad2b5dc5b57b4d1867a48c.dll
  Resource: win7-20220812-en
General
Target: f90484603fcebe6dcf6d13b4154c6761cfa084e0a8ad2b5dc5b57b4d1867a48c.dll
Size: 7.6MB
MD5: 35857661dcaa8222d6e4a94d272910b7
SHA1: 6624dbbf4a5eca4d4dc50ba363bec08d97e55618
SHA256: f90484603fcebe6dcf6d13b4154c6761cfa084e0a8ad2b5dc5b57b4d1867a48c
SHA512: aabcb363760f16206d00bb119f9b5610f70512f303488f23cc71b8494e90a0886863233fea95d54fa840ffb0ab8a62df0db063df8d33e2016365134ee958cedd
SSDEEP: 196608:UOkd+1H96rzMtV3cpIwKlLMvfcHSpdskL:PP9IMtVM/KlQvfcHP
Malware Config
Extracted family: danabot
embedded_hash: 794D6CC67928F094F294B738E3257AB8
type: loader
Signatures

Blocklisted process makes network request (4 IoCs)
Processes (rundll32.exe):
  flow  pid   process
  1     2004  rundll32.exe
  2     2004  rundll32.exe
  3     2004  rundll32.exe
  4     2004  rundll32.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 17 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (rundll32.exe):
  description           ioc                                                                                 process
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier                 rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature  rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status              rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString        rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                            rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet                 rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data         rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier                 rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature           rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                              rundll32.exe
  Key enumerated        \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor                              rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz                       rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet                 rundll32.exe
  Key opened            \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1                            rundll32.exe
  Key value enumerated  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0                            rundll32.exe
  Key value queried     \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information      rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes (rundll32.exe):
  description                     pid  process       target process
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
  PID 948 wrote to memory of 2004  948  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (depth 1)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f90484603fcebe6dcf6d13b4154c6761cfa084e0a8ad2b5dc5b57b4d1867a48c.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (depth 2)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f90484603fcebe6dcf6d13b4154c6761cfa084e0a8ad2b5dc5b57b4d1867a48c.dll,#1
    - Blocklisted process makes network request
    - Checks processor information in registry
- C:\Windows\explorer.exe (depth 1)
  Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
  file                                                                 filesize
  memory/240-58-0x000007FEFB6D1000-0x000007FEFB6D3000-memory.dmp       8KB
  memory/2004-54-0x0000000000000000-mapping.dmp                        -
  memory/2004-55-0x0000000074AB1000-0x0000000074AB3000-memory.dmp      8KB
  memory/2004-56-0x00000000022D0000-0x0000000002A74000-memory.dmp      7.6MB
  memory/2004-57-0x00000000022D0000-0x0000000002A74000-memory.dmp      7.6MB
  memory/2004-59-0x0000000002D70000-0x0000000003847000-memory.dmp      10.8MB
  memory/2004-60-0x0000000002D70000-0x0000000003847000-memory.dmp      10.8MB
  memory/2004-62-0x0000000002D70000-0x0000000003847000-memory.dmp      10.8MB
  memory/2004-63-0x0000000002D70000-0x0000000003847000-memory.dmp      10.8MB
  memory/2004-64-0x00000000022D0000-0x0000000002A74000-memory.dmp      7.6MB
  memory/2004-65-0x0000000002D70000-0x0000000003847000-memory.dmp      10.8MB