Analysis
- max time kernel: 183s
- max time network: 198s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 30-11-2022 17:51
Static task: static1
Behavioral task: behavioral1
Sample: 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe
Resource: win7-20221111-en
General
- Target: 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe
- Size: 4.0MB
- MD5: 8f129ca0e882e49208ef4749bfaab916
- SHA1: 6a44d8e9af5097a8f2fd5e9928fd1d29c483aa53
- SHA256: 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa
- SHA512: d97b9a0b5d8dd80a0138eb4e33ec00be66e57f5978eb1614d05c0d60c6390a546097e454249ca207aa1f6ec04fcf2e44cdca4a84dfc5bd905f2a9d9c0991987d
- SSDEEP: 98304:fpvKw4l/aCvEhf/EtxpQD4x1K0hp476EtDF:f8NHEdEzy4DK0hp476I
Malware Config
Extracted: danabot
- 1765
- 3
- 79.124.78.236:443
- 134.119.186.199:443
- 192.236.162.42:443
- 134.119.186.198:443
- embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
- type: main
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | RUNDLL32.EXE
-
Loads dropped DLL 2 IoCs
Processes:
  pid | process
  1348 | rundll32.exe
  3672 | RUNDLL32.EXE
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE
-
Accesses Microsoft Outlook profiles 1 TTPs 4 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
  pid | pid_target | process | target process
  4832 | 1556 | WerFault.exe | 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe
-
Checks processor information in registry 2 TTPs 24 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | RUNDLL32.EXE
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
  pid | process
  956 | powershell.exe
  956 | powershell.exe
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1348 | rundll32.exe
  Token: SeDebugPrivilege | 3672 | RUNDLL32.EXE
  Token: SeDebugPrivilege | 956 | powershell.exe
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes:
  description | pid | process | target process
  PID 1556 wrote to memory of 1348 | 1556 | 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe | rundll32.exe
  PID 1556 wrote to memory of 1348 | 1556 | 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe | rundll32.exe
  PID 1556 wrote to memory of 1348 | 1556 | 19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe | rundll32.exe
  PID 1348 wrote to memory of 3672 | 1348 | rundll32.exe | RUNDLL32.EXE
  PID 1348 wrote to memory of 3672 | 1348 | rundll32.exe | RUNDLL32.EXE
  PID 1348 wrote to memory of 3672 | 1348 | rundll32.exe | RUNDLL32.EXE
  PID 3672 wrote to memory of 956 | 3672 | RUNDLL32.EXE | powershell.exe
  PID 3672 wrote to memory of 956 | 3672 | RUNDLL32.EXE | powershell.exe
  PID 3672 wrote to memory of 956 | 3672 | RUNDLL32.EXE | powershell.exe
-
outlook_office_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
-
outlook_win_path 1 IoCs
Processes:
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\19524f18ed92072060b9e7cb4bc49b2c8a48341f42dd981fbb9989798f1ca1fa.exe"
  Signatures:
  - Suspicious use of WriteProcessMemory
  Children:
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\19524F~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\19524F~1.EXE
    Signatures:
    - Loads dropped DLL
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Children:
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\19524F~1.DLL,Oxwf
      Signatures:
      - Checks computer location settings
      - Loads dropped DLL
      - Accesses Microsoft Outlook accounts
      - Accesses Microsoft Outlook profiles
      - Checks processor information in registry
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - outlook_office_path
      - outlook_win_path
      Children:
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp1122.tmp.ps1"
        Signatures:
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1556 -s 444
    Signatures:
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1556 -ip 1556
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\19524F~1.DLL
  Filesize: 3.8MB
  MD5: 0fa776ebc6c175716ddae5d5ce2a5894
  SHA1: 3dbb9ac31089481cdba10345889f73d9acb59a02
  SHA256: fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
  SHA512: 55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
- C:\Users\Admin\AppData\Local\Temp\19524F~1.EXE.dll
  Filesize: 3.8MB
  MD5: 0fa776ebc6c175716ddae5d5ce2a5894
  SHA1: 3dbb9ac31089481cdba10345889f73d9acb59a02
  SHA256: fda53157a533ba28a067f49b29c517b1e7ac91cba890aa5bcb2ed245a036cdd7
  SHA512: 55d11b53fe9134bf8b43a017591a27bedb9d539c5bac03e93cd3cd4a8a96b3f7030b9ad9fec373a0cf6e88a0776f32a3c57388dcb6114e895733fd45a5922b9e
- C:\Users\Admin\AppData\Local\Temp\tmp1122.tmp.ps1
  Filesize: 261B
  MD5: 93e28099f235db73849fb517b40cd3f3
  SHA1: b6eb1b1f96ec1058296e1d20b0bf5fd46a76163d
  SHA256: 2949dff62c89f2bb7cec2b44d8e7b87d3ef32725c46773c3be62a4a0ab676d8b
  SHA512: 17a95016d7ab4fddf348b7e883c31303fd898d88e4035f8566bd2507bc97d9e2cdba4e7e54d2f5cf9a35744866b33c33e81aa29cd106fb0219c38562c013c118
- memory/956-154-0x0000000005470000-0x0000000005A98000-memory.dmp
  Filesize: 6.2MB
- memory/956-152-0x0000000000000000-mapping.dmp
- memory/956-160-0x0000000006500000-0x000000000650A000-memory.dmp
  Filesize: 40KB
- memory/956-158-0x0000000004FC0000-0x0000000004FDE000-memory.dmp
  Filesize: 120KB
- memory/956-157-0x0000000005D00000-0x0000000005D66000-memory.dmp
  Filesize: 408KB
- memory/956-156-0x0000000005C90000-0x0000000005CF6000-memory.dmp
  Filesize: 408KB
- memory/956-155-0x0000000005300000-0x0000000005322000-memory.dmp
  Filesize: 136KB
- memory/956-153-0x00000000029C0000-0x00000000029F6000-memory.dmp
  Filesize: 216KB
- memory/1348-140-0x0000000002C50000-0x00000000032B2000-memory.dmp
  Filesize: 6.4MB
- memory/1348-137-0x0000000000000000-mapping.dmp
- memory/1348-145-0x0000000002C50000-0x00000000032B2000-memory.dmp
  Filesize: 6.4MB
- memory/1556-134-0x0000000000400000-0x0000000002F80000-memory.dmp
  Filesize: 43.5MB
- memory/1556-151-0x0000000000400000-0x0000000002F80000-memory.dmp
  Filesize: 43.5MB
- memory/1556-132-0x00000000031A9000-0x0000000003575000-memory.dmp
  Filesize: 3.8MB
- memory/1556-135-0x00000000031A9000-0x0000000003575000-memory.dmp
  Filesize: 3.8MB
- memory/1556-133-0x0000000003580000-0x000000000395F000-memory.dmp
  Filesize: 3.9MB
- memory/1556-136-0x0000000000400000-0x0000000002F80000-memory.dmp
  Filesize: 43.5MB
- memory/3672-150-0x0000000002CA0000-0x0000000003302000-memory.dmp
  Filesize: 6.4MB
- memory/3672-149-0x0000000002CA0000-0x0000000003302000-memory.dmp
  Filesize: 6.4MB
- memory/3672-146-0x0000000002CA0000-0x0000000003302000-memory.dmp
  Filesize: 6.4MB
- memory/3672-143-0x0000000000000000-mapping.dmp