Analysis
-
max time kernel
157s -
max time network
187s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20220812-en locale:en-us os:windows10-2004-x64 system -
submitted
30-11-2022 13:00
Static task
static1
Behavioral task
behavioral1
Sample
f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe
Resource
win7-20220812-en
General
-
Target
f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe
-
Size
4.0MB
-
MD5
4d1a5f5719f0b62562eb0d99f1a7baff
-
SHA1
7455d73ee12d1ac328f3aedaf2a0f61fd9d69b0d
-
SHA256
f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0
-
SHA512
220635c140c062a8265106cb245cfe16316ba592454a66ac8c00a923bd6ea0e0482fdd2b94a9f1f4104c1f318b544f006fc5374f767b2955def208d3e99e7c6e
-
SSDEEP
98304:MjK/i39kLrkjzYQ3mM1HXZ7sBHLJ868wOq8I9w1yPP7:MjCi39kPLQ3fpu+68JqdP7
Malware Config
Extracted
danabot
1765
3
79.124.78.236:443
134.119.186.199:443
192.236.162.42:443
134.119.186.198:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
  flow | pid | process
  19 | 4936 | RUNDLL32.EXE
  23 | 4936 | RUNDLL32.EXE
  24 | 4936 | RUNDLL32.EXE
  28 | 4936 | RUNDLL32.EXE
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | RUNDLL32.EXE
-
Loads dropped DLL 3 IoCs
Processes:
  pid | process
  4832 | rundll32.exe
  4832 | rundll32.exe
  4936 | RUNDLL32.EXE
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  4792 | 4180 | WerFault.exe | f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe
-
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
  pid | process
  1660 | powershell.exe
  1660 | powershell.exe
  4936 | RUNDLL32.EXE
  4936 | RUNDLL32.EXE
  1720 | powershell.exe
  1720 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 4832 | rundll32.exe
  Token: SeDebugPrivilege | 4936 | RUNDLL32.EXE
  Token: SeDebugPrivilege | 1660 | powershell.exe
  Token: SeDebugPrivilege | 1720 | powershell.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
Processes:
  pid | process
  4936 | RUNDLL32.EXE
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
  description | pid | process | target process
  PID 4180 wrote to memory of 4832 | 4180 | f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe | rundll32.exe
  PID 4180 wrote to memory of 4832 | 4180 | f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe | rundll32.exe
  PID 4180 wrote to memory of 4832 | 4180 | f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe | rundll32.exe
  PID 4832 wrote to memory of 4936 | 4832 | rundll32.exe | RUNDLL32.EXE
  PID 4832 wrote to memory of 4936 | 4832 | rundll32.exe | RUNDLL32.EXE
  PID 4832 wrote to memory of 4936 | 4832 | rundll32.exe | RUNDLL32.EXE
  PID 4936 wrote to memory of 1660 | 4936 | RUNDLL32.EXE | powershell.exe
  PID 4936 wrote to memory of 1660 | 4936 | RUNDLL32.EXE | powershell.exe
  PID 4936 wrote to memory of 1660 | 4936 | RUNDLL32.EXE | powershell.exe
  PID 4936 wrote to memory of 1720 | 4936 | RUNDLL32.EXE | powershell.exe
  PID 4936 wrote to memory of 1720 | 4936 | RUNDLL32.EXE | powershell.exe
  PID 4936 wrote to memory of 1720 | 4936 | RUNDLL32.EXE | powershell.exe
  PID 1720 wrote to memory of 2324 | 1720 | powershell.exe | nslookup.exe
  PID 1720 wrote to memory of 2324 | 1720 | powershell.exe | nslookup.exe
  PID 1720 wrote to memory of 2324 | 1720 | powershell.exe | nslookup.exe
  PID 4936 wrote to memory of 548 | 4936 | RUNDLL32.EXE | schtasks.exe
  PID 4936 wrote to memory of 548 | 4936 | RUNDLL32.EXE | schtasks.exe
  PID 4936 wrote to memory of 548 | 4936 | RUNDLL32.EXE | schtasks.exe
  PID 4936 wrote to memory of 2260 | 4936 | RUNDLL32.EXE | schtasks.exe
  PID 4936 wrote to memory of 2260 | 4936 | RUNDLL32.EXE | schtasks.exe
  PID 4936 wrote to memory of 2260 | 4936 | RUNDLL32.EXE | schtasks.exe
-
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f055aaac2e4445e7dacf3fccbc3950eb6c44464d60625fa9476e9e4e5000d8f0.exe"
  Tree level: 1
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exe
  Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\F055AA~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\F055AA~1.EXE
  Tree level: 2
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXE
  Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\F055AA~1.DLL,gCxUfI1A
  Tree level: 3
- Blocklisted process makes network request
- Checks computer location settings
- Loads dropped DLL
- Accesses Microsoft Outlook accounts
- Accesses Microsoft Outlook profiles
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
- outlook_office_path
- outlook_win_path
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1F8E.tmp.ps1"
  Tree level: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpB150.tmp.ps1"
  Tree level: 4
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\nslookup.exe
  Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
  Tree level: 5
-
C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
  Tree level: 4
-
C:\Windows\SysWOW64\schtasks.exe
  Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  Tree level: 4
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 536
  Tree level: 2
- Program crash
-
C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4180 -ip 4180
  Tree level: 1
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize 2KB
MD5 95201d9e44c732d9b261b4b334505d6b
SHA1 d5f3f499ef27920d8a614152191a7e0c2f9c0264
SHA256 baa9a89717f4013b2799bd06490c738246759ecdf7a3200406fad5a443e83669
SHA512 15ddf637b642144dca99e2794cb4ca4d1dfa9d682e7eb42075d9b269dd5a479b5ea86017db142b599a3f022ebb695baf3691305ab17009060b4f64ddd7254282
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize 17KB
MD5 7fbe8ee49ad4372b16b333635a3cb260
SHA1 bd31a8fddcecce381105fe6034cd566f5d379253
SHA256 77426dd61f7cadb0bf54a73c2b3bc2df7d8a87b05c3bc321c57f6010b7b99918
SHA512 ee1e093270bab625e1107d70abfa08145130d393b1395364e793c1600a534888925549fb336d702dcf2e4dfb1c9c49b4c3893c390eeef0054e5aab124f56d4b7
-
C:\Users\Admin\AppData\Local\Temp\F055AA~1.DLL
Filesize 3.8MB
MD5 0fa776ebc6c175716ddae5d5ce2a5894
SHA1 3dbb9ac31089481cdba10345889f73d9acb59a02
SHA256 fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA512 55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
C:\Users\Admin\AppData\Local\Temp\F055AA~1.EXE.dll
Filesize 3.8MB
MD5 0fa776ebc6c175716ddae5d5ce2a5894
SHA1 3dbb9ac31089481cdba10345889f73d9acb59a02
SHA256 fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
SHA512 55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
-
C:\Users\Admin\AppData\Local\Temp\tmp1F8E.tmp.ps1
Filesize 261B
MD5 fc8f9131f87304dc8ad086de79e83429
SHA1 a0a1531b50435afffc90127da6e4a8ee2cb39e19
SHA256 ca8ed0a8c02249104596bb6a96b2841040cf3d12b995685a134d81deb1d406ea
SHA512 bdcf98a41c0c3fb5bdef645c5bb60fa135c551891570003de4be38ea89a8b413b59801327cc7edae2ea6a0fd683f746eda455bb038abad2e41d0e032093696fe
-
C:\Users\Admin\AppData\Local\Temp\tmp1F8F.tmp
Filesize 1KB
MD5 c416c12d1b2b1da8c8655e393b544362
SHA1 fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA256 0600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512 cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c
-
C:\Users\Admin\AppData\Local\Temp\tmpB150.tmp.ps1
Filesize 80B
MD5 ad92feb595879e782f7bf4ec052607df
SHA1 f9775ba1b8af5798c38ad9fd9d4efeb28d1fa6f9
SHA256 ced9c61b787319b1fcbb1fd908c0babb260bb0201861a0bede6aae8ce41e4515
SHA512 62204707c6bb1910003cc9037c0f4fffd2f2e5ce557d429436f9886663a9884a4d57aa7618aae8b02f46a52d6efd5c895a008eb1f874c3b06a0ae58dbde942a5
-
C:\Users\Admin\AppData\Local\Temp\tmpB151.tmp
Filesize 86B
MD5 1860260b2697808b80802352fe324782
SHA1 f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA256 0c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512 d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
memory/548-169-0x0000000000000000-mapping.dmp
-
memory/1660-161-0x00000000069F0000-0x0000000006A0A000-memory.dmp
Filesize 104KB
-
memory/1660-156-0x00000000065B0000-0x00000000065CE000-memory.dmp
Filesize 120KB
-
memory/1660-162-0x00000000069D0000-0x00000000069D8000-memory.dmp
Filesize 32KB
-
memory/1660-160-0x0000000007F10000-0x000000000858A000-memory.dmp
Filesize 6.5MB
-
memory/1660-149-0x0000000000000000-mapping.dmp
-
memory/1660-159-0x00000000068A0000-0x00000000068AA000-memory.dmp
Filesize 40KB
-
memory/1660-151-0x0000000004FE0000-0x0000000005016000-memory.dmp
Filesize 216KB
-
memory/1660-152-0x0000000005680000-0x0000000005CA8000-memory.dmp
Filesize 6.2MB
-
memory/1660-153-0x0000000005620000-0x0000000005642000-memory.dmp
Filesize 136KB
-
memory/1660-154-0x0000000005F20000-0x0000000005F86000-memory.dmp
Filesize 408KB
-
memory/1660-155-0x0000000005F90000-0x0000000005FF6000-memory.dmp
Filesize 408KB
-
memory/1720-164-0x0000000000000000-mapping.dmp
-
memory/2260-170-0x0000000000000000-mapping.dmp
-
memory/2324-167-0x0000000000000000-mapping.dmp
-
memory/4180-133-0x0000000002C30000-0x000000000300F000-memory.dmp
Filesize 3.9MB
-
memory/4180-134-0x0000000000400000-0x0000000000C49000-memory.dmp
Filesize 8.3MB
-
memory/4180-132-0x000000000285F000-0x0000000002C2B000-memory.dmp
Filesize 3.8MB
-
memory/4180-147-0x0000000000400000-0x0000000000C49000-memory.dmp
Filesize 8.3MB
-
memory/4832-135-0x0000000000000000-mapping.dmp
-
memory/4832-139-0x00000000023E0000-0x00000000027AD000-memory.dmp
Filesize 3.8MB
-
memory/4832-140-0x0000000002BF0000-0x0000000003252000-memory.dmp
Filesize 6.4MB
-
memory/4832-143-0x0000000002BF0000-0x0000000003252000-memory.dmp
Filesize 6.4MB
-
memory/4936-144-0x00000000031C0000-0x0000000003822000-memory.dmp
Filesize 6.4MB
-
memory/4936-157-0x00000000031C0000-0x0000000003822000-memory.dmp
Filesize 6.4MB
-
memory/4936-148-0x00000000031C0000-0x0000000003822000-memory.dmp
Filesize 6.4MB
-
memory/4936-141-0x0000000000000000-mapping.dmp