Analysis
-
max time kernel
136s -
max time network
153s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system -
submitted
26-11-2022 04:26
Static task
static1
Behavioral task
behavioral1
Sample
9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll
Resource
win7-20220812-en
General
-
Target
9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll
-
Size
3.8MB
-
MD5
9c52ec98ac0e9e6fa4cc47a75874587e
-
SHA1
6bc94c984e6908ecf1e339642172519c82c6a30e
-
SHA256
9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608
-
SHA512
6bb9b55dc1b7271cb6490db2093e94d2d63b6bb571be9670957f4e673d8d660bc540bf58ef87906e0f6cbfbd5f2939055b4ec2414d1e7ee6434c406d98b7ee75
-
SSDEEP
98304:Io9Ui7KhE8MBGHLLVNUvSlZ902ojL5mT0dAVz2huo0:g5aJGXTUvw02+L5mT0dsC50
Malware Config
Extracted
danabot
1765
3
192.236.192.241:443
134.119.186.198:443
104.168.156.222:443
167.114.188.34:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 4 616 RUNDLL32.EXE 5 616 RUNDLL32.EXE 6 616 RUNDLL32.EXE 9 616 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts RUNDLL32.EXE -
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
Processes:
RUNDLL32.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\INLM2B61\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini RUNDLL32.EXE -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks processor information in registry 2 TTPs 18 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE -
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
powershell.exeRUNDLL32.EXEpowershell.exepid process 1876 powershell.exe 616 RUNDLL32.EXE 616 RUNDLL32.EXE 840 powershell.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
rundll32.exeRUNDLL32.EXEpowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1536 rundll32.exe Token: SeDebugPrivilege 616 RUNDLL32.EXE Token: SeDebugPrivilege 1876 powershell.exe Token: SeDebugPrivilege 840 powershell.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
RUNDLL32.EXEpid process 616 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 34 IoCs
Processes:
rundll32.exerundll32.exeRUNDLL32.EXEpowershell.exedescription pid process target process PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1520 wrote to memory of 1536 1520 rundll32.exe rundll32.exe PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 1536 wrote to memory of 616 1536 rundll32.exe RUNDLL32.EXE PID 616 wrote to memory of 1876 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 1876 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 1876 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 1876 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 840 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 840 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 840 616 RUNDLL32.EXE powershell.exe PID 616 wrote to memory of 840 616 RUNDLL32.EXE powershell.exe PID 840 wrote to memory of 808 840 powershell.exe nslookup.exe PID 840 wrote to memory of 808 840 powershell.exe nslookup.exe PID 840 wrote to memory of 808 840 powershell.exe nslookup.exe PID 840 wrote to memory of 808 840 powershell.exe nslookup.exe PID 616 wrote to memory of 980 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 980 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 980 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 980 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 1360 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 1360 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 1360 616 RUNDLL32.EXE schtasks.exe PID 616 wrote to memory of 1360 616 RUNDLL32.EXE schtasks.exe -
outlook_office_path 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE -
outlook_win_path 1 IoCs
Processes:
RUNDLL32.EXEdescription ioc process Key opened \REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 RUNDLL32.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,QCkX3⤵
- Blocklisted process makes network request
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpECDF.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1FA4.tmp.ps1"4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe"C:\Windows\system32\nslookup.exe" -type=any localhost5⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /End /tn \Microsoft\Windows\Wininet\CacheTask4⤵
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask4⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp1FA4.tmp.ps1Filesize
80B
MD530894f58d44a6ecf7ea27d5e4ca6908e
SHA1399f2c861d4a6da8681f9a571c9b76ee959b71c4
SHA2564629ea59ea77f03d3d5198d074ba4dd75471ee71f1b15d0d8f5d829c52852831
SHA512c220c0259ae48b98c34341092ff8b85049eca190418393df35b433f1390056fbfa199b39442a10dff9d25d15537be72f0031e5341a0d0729483f790b7e8cb1af
-
C:\Users\Admin\AppData\Local\Temp\tmp1FA5.tmpFilesize
86B
MD51860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Local\Temp\tmpECDF.tmp.ps1Filesize
261B
MD529f052fe0e175c48c3ebf54caf19b056
SHA1f856ddbd183c3ec42389b4411e67115ca56cdc9c
SHA256e0ec7b3c0850ac622c6de08b53e3bc3eef1f684a63acc545d7165631c3b8aac0
SHA512080e46ba0c69d38bb849134a7345c681a0dedd1da55d5ae7bb5599a13eecb8d5f419db4b9b409ea1333b75c2c656e10d99d7b62bb42b0598917b90b0fb54b30c
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-msFilesize
7KB
MD585c92de9479494790d26b717bcba4802
SHA10c4b02ab81bb5cf6442b6cdc8b17a814cfcb66eb
SHA256856ad5e0202605c03e6759f7eebaf0c73b15176b2e18991bf73d16b21926b515
SHA512f661792af50fb22c03b2305dce9e0960463ccf552c240b119e18e81e29265c5b142f8ff3104d01610ed56028d607c224bce67695ec47bcdd570614fe5c05ebb0
-
\??\PIPE\srvsvcMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/616-60-0x0000000001BB0000-0x0000000001F7D000-memory.dmpFilesize
3.8MB
-
memory/616-58-0x0000000000000000-mapping.dmp
-
memory/616-62-0x0000000002490000-0x0000000002AF2000-memory.dmpFilesize
6.4MB
-
memory/616-63-0x0000000002490000-0x0000000002AF2000-memory.dmpFilesize
6.4MB
-
memory/808-75-0x0000000000000000-mapping.dmp
-
memory/840-73-0x0000000072F20000-0x00000000734CB000-memory.dmpFilesize
5.7MB
-
memory/840-69-0x0000000000000000-mapping.dmp
-
memory/840-76-0x0000000072F20000-0x00000000734CB000-memory.dmpFilesize
5.7MB
-
memory/980-78-0x0000000000000000-mapping.dmp
-
memory/1360-79-0x0000000000000000-mapping.dmp
-
memory/1536-54-0x0000000000000000-mapping.dmp
-
memory/1536-57-0x00000000028C0000-0x0000000002F22000-memory.dmpFilesize
6.4MB
-
memory/1536-56-0x0000000002220000-0x00000000025ED000-memory.dmpFilesize
3.8MB
-
memory/1536-61-0x00000000028C0000-0x0000000002F22000-memory.dmpFilesize
6.4MB
-
memory/1536-55-0x0000000075CF1000-0x0000000075CF3000-memory.dmpFilesize
8KB
-
memory/1876-68-0x0000000073320000-0x00000000738CB000-memory.dmpFilesize
5.7MB
-
memory/1876-64-0x0000000000000000-mapping.dmp
-
memory/1876-66-0x0000000073320000-0x00000000738CB000-memory.dmpFilesize
5.7MB