Analysis
- max time kernel: 188s
- max time network: 213s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-11-2022 04:26

Static task: static1
Behavioral task: behavioral1
- Sample: 9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll
- Resource: win7-20220812-en
General
- Target: 9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll
- Size: 3.8MB
- MD5: 9c52ec98ac0e9e6fa4cc47a75874587e
- SHA1: 6bc94c984e6908ecf1e339642172519c82c6a30e
- SHA256: 9fc9d28077290d908516a0fb27bbd7361e7b8ec842e3451a9985697d54b31608
- SHA512: 6bb9b55dc1b7271cb6490db2093e94d2d63b6bb571be9670957f4e673d8d660bc540bf58ef87906e0f6cbfbd5f2939055b4ec2414d1e7ee6434c406d98b7ee75
- SSDEEP: 98304:Io9Ui7KhE8MBGHLLVNUvSlZ902ojL5mT0dAVz2huo0:g5aJGXTUvw02+L5mT0dsC50
Malware Config
Extracted
- danabot
- 1765
- 3
- 192.236.192.241:443
- 134.119.186.198:443
- 104.168.156.222:443
- 167.114.188.34:443
- embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
- type: main
Signatures

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: RUNDLL32.EXE
- Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (RUNDLL32.EXE)

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTPs, 1 IoCs)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (RUNDLL32.EXE)

Accesses Microsoft Outlook profiles (1 TTPs, 4 IoCs)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 20 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: RUNDLL32.EXE
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision (RUNDLL32.EXE)
- Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (RUNDLL32.EXE)
- Key enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information (RUNDLL32.EXE)
- Key value enumerated: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information (RUNDLL32.EXE)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision (RUNDLL32.EXE)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes: powershell.exe
- pid 2808 powershell.exe
- pid 2808 powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes: rundll32.exe, RUNDLL32.EXE, powershell.exe
- Token: SeDebugPrivilege, pid 1908 rundll32.exe
- Token: SeDebugPrivilege, pid 3804 RUNDLL32.EXE
- Token: SeDebugPrivilege, pid 2808 powershell.exe

Suspicious use of WriteProcessMemory (9 IoCs)
Processes: rundll32.exe, rundll32.exe, RUNDLL32.EXE
- PID 3408 wrote to memory of 1908 (pid 3408 rundll32.exe -> target rundll32.exe)
- PID 3408 wrote to memory of 1908 (pid 3408 rundll32.exe -> target rundll32.exe)
- PID 3408 wrote to memory of 1908 (pid 3408 rundll32.exe -> target rundll32.exe)
- PID 1908 wrote to memory of 3804 (pid 1908 rundll32.exe -> target RUNDLL32.EXE)
- PID 1908 wrote to memory of 3804 (pid 1908 rundll32.exe -> target RUNDLL32.EXE)
- PID 1908 wrote to memory of 3804 (pid 1908 rundll32.exe -> target RUNDLL32.EXE)
- PID 3804 wrote to memory of 2808 (pid 3804 RUNDLL32.EXE -> target powershell.exe)
- PID 3804 wrote to memory of 2808 (pid 3804 RUNDLL32.EXE -> target powershell.exe)
- PID 3804 wrote to memory of 2808 (pid 3804 RUNDLL32.EXE -> target powershell.exe)

outlook_office_path (1 IoCs)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)

outlook_win_path (1 IoCs)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
Processes
1. C:\Windows\system32\rundll32.exe
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,#1
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\9FC9D28077290D908516A0FB27BBD7361E7B8EC842E34.dll,jjpUfDZ9Aw==
         - Checks computer location settings
         - Accesses Microsoft Outlook accounts
         - Accesses Microsoft Outlook profiles
         - Checks processor information in registry
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         - outlook_office_path
         - outlook_win_path
         4. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpC8E.tmp.ps1"
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpC8E.tmp.ps1
  Filesize: 260B
  MD5: bdd5f197557746c87715b294992cf23b
  SHA1: 12eafface2dea9ac4a9c7214bc51b5f5cee3e890
  SHA256: 48436399ad831ce9df9a5c36214aad876358a9392dbf6e927ee07345d0f20d4f
  SHA512: 3f87fb04f52b42dcc2ba830dbfaa25dbb0175eb23d9e4275eac60f6ee245e6a4dd7f4d0c6568083a615c8447799920dc84caa7bbaa0d7d5c108b74061fefb06d
- C:\Users\Admin\AppData\Local\Temp\tmpC8F.tmp
  Filesize: 1KB
  MD5: c416c12d1b2b1da8c8655e393b544362
  SHA1: fb1a43cd8e1c556c2d25f361f42a21293c29e447
  SHA256: 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
  SHA512: cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
- memory/1908-132-0x0000000000000000-mapping.dmp
- memory/1908-133-0x0000000002F80000-0x00000000035E2000-memory.dmp (Filesize: 6.4MB)
- memory/1908-138-0x0000000002F80000-0x00000000035E2000-memory.dmp (Filesize: 6.4MB)
- memory/2808-144-0x0000000004F80000-0x00000000055A8000-memory.dmp (Filesize: 6.2MB)
- memory/2808-146-0x0000000005720000-0x0000000005786000-memory.dmp (Filesize: 408KB)
- memory/2808-153-0x0000000006FB0000-0x0000000006FB8000-memory.dmp (Filesize: 32KB)
- memory/2808-142-0x0000000000000000-mapping.dmp
- memory/2808-143-0x0000000002480000-0x00000000024B6000-memory.dmp (Filesize: 216KB)
- memory/2808-152-0x0000000006330000-0x000000000634A000-memory.dmp (Filesize: 104KB)
- memory/2808-145-0x0000000004E10000-0x0000000004E32000-memory.dmp (Filesize: 136KB)
- memory/2808-151-0x0000000007610000-0x0000000007C8A000-memory.dmp (Filesize: 6.5MB)
- memory/2808-147-0x0000000005790000-0x00000000057F6000-memory.dmp (Filesize: 408KB)
- memory/2808-148-0x0000000004B10000-0x0000000004B2E000-memory.dmp (Filesize: 120KB)
- memory/2808-150-0x0000000005DD0000-0x0000000005DDA000-memory.dmp (Filesize: 40KB)
- memory/3804-137-0x00000000021F0000-0x00000000025BD000-memory.dmp (Filesize: 3.8MB)
- memory/3804-140-0x0000000002B40000-0x00000000031A2000-memory.dmp (Filesize: 6.4MB)
- memory/3804-139-0x0000000002B40000-0x00000000031A2000-memory.dmp (Filesize: 6.4MB)
- memory/3804-141-0x0000000002B40000-0x00000000031A2000-memory.dmp (Filesize: 6.4MB)
- memory/3804-136-0x0000000000000000-mapping.dmp