Analysis
- max time kernel: 136s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 14:34
- Static task: static1
- Behavioral task: behavioral1
- Sample: 697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe
- Resource: win7-20220812-en
General
- Target: 697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe
- Size: 4.0MB
- MD5: 817e14be1b3a0979390a8c3cc7c4f9d1
- SHA1: ce294e099cefdcfb41ef8463a52be5f0dcd0e992
- SHA256: 697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783
- SHA512: 1fc1c1917b583d37ce57903c71a8b987bc3333d0cc309e933dde2f7f816ce5b8e42dd7c883eefd2cbd198952979fb38052cdb1e0756ae023263c4b85db898942
- SSDEEP: 98304:xiFrwPbHPPquDjTdNwoTPI//JSGZoTw899Y72en:x5bnqunT7woqJpyTw899iH
Malware Config
Extracted
- danabot
- 1765
- 3
- 192.236.192.241:443
- 134.119.186.198:443
- 104.168.156.222:443
- 192.236.192.238:443
- embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
- type: main
Signatures

Blocklisted process makes network request (4 IoCs)
Processes: RUNDLL32.EXE
- flow 34, PID 4896, RUNDLL32.EXE
- flow 40, PID 4896, RUNDLL32.EXE
- flow 41, PID 4896, RUNDLL32.EXE
- flow 42, PID 4896, RUNDLL32.EXE

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes: RUNDLL32.EXE
- Key value queried: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation (RUNDLL32.EXE)

Loads dropped DLL (4 IoCs)
Processes: rundll32.exe, RUNDLL32.EXE
- PID 1792, rundll32.exe
- PID 1792, rundll32.exe
- PID 4896, RUNDLL32.EXE
- PID 4896, RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts (RUNDLL32.EXE)

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
Processes: WerFault.exe
- PID 4944 (WerFault.exe), target PID 3312 (697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe)

Checks processor information in registry (2 TTPs, 26 IoCs)
Processor information is often read in order to detect sandboxing environments.
Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes: powershell.exe, RUNDLL32.EXE, powershell.exe
- PID 2356, powershell.exe
- PID 2356, powershell.exe
- PID 4896, RUNDLL32.EXE
- PID 4896, RUNDLL32.EXE
- PID 1660, powershell.exe
- PID 1660, powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes: rundll32.exe, RUNDLL32.EXE, powershell.exe, powershell.exe
- Token: SeDebugPrivilege, PID 1792, rundll32.exe
- Token: SeDebugPrivilege, PID 4896, RUNDLL32.EXE
- Token: SeDebugPrivilege, PID 2356, powershell.exe
- Token: SeDebugPrivilege, PID 1660, powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: RUNDLL32.EXE
- PID 4896, RUNDLL32.EXE

Suspicious use of WriteProcessMemory (21 IoCs)
Processes: 697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe, rundll32.exe, RUNDLL32.EXE, powershell.exe
- PID 3312 wrote to memory of 1792 (697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe -> rundll32.exe)
- PID 3312 wrote to memory of 1792 (697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe -> rundll32.exe)
- PID 3312 wrote to memory of 1792 (697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe -> rundll32.exe)
- PID 1792 wrote to memory of 4896 (rundll32.exe -> RUNDLL32.EXE)
- PID 1792 wrote to memory of 4896 (rundll32.exe -> RUNDLL32.EXE)
- PID 1792 wrote to memory of 4896 (rundll32.exe -> RUNDLL32.EXE)
- PID 4896 wrote to memory of 2356 (RUNDLL32.EXE -> powershell.exe)
- PID 4896 wrote to memory of 2356 (RUNDLL32.EXE -> powershell.exe)
- PID 4896 wrote to memory of 2356 (RUNDLL32.EXE -> powershell.exe)
- PID 4896 wrote to memory of 1660 (RUNDLL32.EXE -> powershell.exe)
- PID 4896 wrote to memory of 1660 (RUNDLL32.EXE -> powershell.exe)
- PID 4896 wrote to memory of 1660 (RUNDLL32.EXE -> powershell.exe)
- PID 1660 wrote to memory of 4948 (powershell.exe -> nslookup.exe)
- PID 1660 wrote to memory of 4948 (powershell.exe -> nslookup.exe)
- PID 1660 wrote to memory of 4948 (powershell.exe -> nslookup.exe)
- PID 4896 wrote to memory of 4796 (RUNDLL32.EXE -> schtasks.exe)
- PID 4896 wrote to memory of 4796 (RUNDLL32.EXE -> schtasks.exe)
- PID 4896 wrote to memory of 4796 (RUNDLL32.EXE -> schtasks.exe)
- PID 4896 wrote to memory of 3472 (RUNDLL32.EXE -> schtasks.exe)
- PID 4896 wrote to memory of 3472 (RUNDLL32.EXE -> schtasks.exe)
- PID 4896 wrote to memory of 3472 (RUNDLL32.EXE -> schtasks.exe)

outlook_office_path (1 IoC)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)

outlook_win_path (1 IoC)
Processes: RUNDLL32.EXE
- Key opened: \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 (RUNDLL32.EXE)
Processes
- C:\Users\Admin\AppData\Local\Temp\697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\697a11fb5efab2c155e459623ea902409395463c379f4549cc471d806e90f783.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\697A11~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE
    Signatures: Loads dropped DLL; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\697A11~1.DLL,rFBcfI0=
      Signatures: Blocklisted process makes network request; Checks computer location settings; Loads dropped DLL; Accesses Microsoft Outlook accounts; Accesses Microsoft Outlook profiles; Checks processor information in registry; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow; Suspicious use of WriteProcessMemory; outlook_office_path; outlook_win_path
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmpFEA8.tmp.ps1"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp5517.tmp.ps1"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\nslookup.exe
          Command line: "C:\Windows\system32\nslookup.exe" -type=any localhost
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
      - C:\Windows\SysWOW64\schtasks.exe
        Command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3312 -s 444
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3312 -ip 3312
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 6ad58b45ba900fe2b784c35fe1ddd496
  SHA1: 7701cf4dfebc92b77e3d16a4094dac0def34f13a
  SHA256: 139a32ad96800367dc709be507e2b78e667610000be7c68f94c174e6fa60f84f
  SHA512: 168f58da543d5c3a645c9a51916528c8e291f0f49069fb8567328e6960874a97026839a31a3505bcd1cc26320a477fbd095406ff3e12c4419c5429b729cd9c1a
- C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 17KB
  MD5: 80ab80e8adfc9e4f1871d3a14b365725
  SHA1: ebeb1f097fc16fc7dee4a4f13084e57545a26a4f
  SHA256: eebaf76616325e6f3065df05726cd8b3b1eb872f7c57836a79b15377760b5826
  SHA512: 9ded9540f7918f88e518db81312bb410099006acb26f6adafd46d47cd154888dd207a5ebf73be1fd82a26957aa603e1a6bc1c364775cbfaaa47dde1d706ae47c
- C:\Users\Admin\AppData\Local\Temp\697A11~1.DLL
  Filesize: 3.8MB
  MD5: bfd6071199ed716a90c57a78b45274b4
  SHA1: c2af91e2fee92907868eff13a39c2b3787fca4f1
  SHA256: b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1
  SHA512: cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce
- C:\Users\Admin\AppData\Local\Temp\697A11~1.EXE.dll
  Filesize: 3.8MB
  MD5: bfd6071199ed716a90c57a78b45274b4
  SHA1: c2af91e2fee92907868eff13a39c2b3787fca4f1
  SHA256: b64a043a5a33d465e2e8d69a087bc90be11d39b1495ca355c2e3ce4fd1824ee1
  SHA512: cab575f60e4156923c8db09de32da40250d01ebdc932bf0333f5075f9fb62123c6d7262af63333dd4901b796a8893f49569f1e5f738cbfff2560c5e39f98d7ce
-
C:\Users\Admin\AppData\Local\Temp\tmp5517.tmp.ps1Filesize
80B
MD5ffe322a356857c1a5c6d2117df0eea41
SHA16714667088139618ee159132befc87b42cc59b13
SHA256822abe0b21ab0d8f8248dc3c97943e1009dc81b761e698e154041f3994c071f0
SHA512a9ffe7cc077ff0189076e7b944b2884267667830eb7afb910abfe537df733cb16bc678fc083af26f093356e1ee1ff29fa4094dab89340bfd942dcaa5545e66f1
-
C:\Users\Admin\AppData\Local\Temp\tmp5518.tmpFilesize
86B
MD51860260b2697808b80802352fe324782
SHA1f07b4cb6a8133d8dd942fc285d63cb3ce5a1ed6b
SHA2560c4bb6ae7726faa47aef8459bcf37bf9ca16f0b93fd52790932adaf7845d1fb1
SHA512d9fd458e2fe871e93199d7f3783133ded898d824024d9525e8c9af2af31892b13f3fb147d3bfda7dfd7659b7072f5cd1d6c3ebfe2dbf5893afd00e59a96aa94f
-
C:\Users\Admin\AppData\Local\Temp\tmpFEA8.tmp.ps1Filesize
261B
MD5d08c2709e4c2db97e49ab7f48b1019b7
SHA1ac2a1602ccf40cdbabbebdac62ae81883e3a73ef
SHA2568b63e6e834763eda5b9d4b2fbb130a54f558b9e18146de0c62430ff4bf33c01b
SHA5123111603f2db44760829ce2223cd3bcd57356887ea649378b0173f746d18313eda5f306288bd803f601a1181a7de9e9b7c6eb693c7a4d4446c8b7426d42efaa4f
-
C:\Users\Admin\AppData\Local\Temp\tmpFEA9.tmpFilesize
1KB
MD5c416c12d1b2b1da8c8655e393b544362
SHA1fb1a43cd8e1c556c2d25f361f42a21293c29e447
SHA2560600d59103840dff210778179fdfba904dcb737a4bfdb35384608698c86ea046
SHA512cb6d3636be4330aa2fd577c3636d0b7165f92ee817e98f21180ba0c918eb76f4e38f025086593a0e508234ca981cfec2c53482b0e9cc0acfa885fefbdf89913c