Analysis
  max time kernel: 130s
  max time network: 149s
  platform: windows10-2004_x64
  resource: win10v2004-20220901-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 30-11-2022 18:41

Static task: static1
Behavioral task: behavioral1
  Sample: 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
  Resource: win7-20221111-en

General
  Target: 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
  Size: 4.0MB
  MD5: a8c0796d74fe9e34fe0c67a500dc7b32
  SHA1: ebdd34cd4fda39ade14e4fc0c4e8ce4b397e8959
  SHA256: 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b
  SHA512: 906db571ec138e9fec43e9182ecf2a6a2af7120f85169e14e68d4632c36bf785768a87e2043c9107b0db23f0a3f7c7473b8b1a45a943b79d68d9baf2d8bede33
  SSDEEP: 98304:acC8excbiUsPc9K7YrHDjJzp1PGcjXF1D4TQ4Ll5nZGv13dwsBD:acC8eKGU8c9fVpBLJ1MT5J5nZp

Malware Config
Extracted
  Family: danabot
  1765
  3
  C2:
    79.124.78.236:443
    134.119.186.199:443
    192.236.162.42:443
    134.119.186.198:443
  embedded_hash: 82C66843DE542BC5CB88F713DE39B52B
  type: main
Signatures

Blocklisted process makes network request (4 IoCs)
  flow | pid | process
  16 | 2952 | RUNDLL32.EXE
  18 | 2952 | RUNDLL32.EXE
  25 | 2952 | RUNDLL32.EXE
  30 | 2952 | RUNDLL32.EXE

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation | RUNDLL32.EXE

Loads dropped DLL (3 IoCs)
  pid | process
  3920 | rundll32.exe
  2952 | RUNDLL32.EXE
  2952 | RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Accesses Microsoft Outlook accounts (1 TTP, 1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts | RUNDLL32.EXE

Accesses Microsoft Outlook profiles (1 TTP, 4 IoCs)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoC)
  pid | pid_target | process | target process
  2204 | 3248 | WerFault.exe | 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe

Checks processor information in registry (2 TTPs, 23 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | RUNDLL32.EXE
  Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | RUNDLL32.EXE
  Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | RUNDLL32.EXE
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | RUNDLL32.EXE
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | RUNDLL32.EXE

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | process
  1164 | powershell.exe
  1164 | powershell.exe
  2952 | RUNDLL32.EXE
  2952 | RUNDLL32.EXE
  3712 | powershell.exe
  3712 | powershell.exe

Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | process
  Token: SeDebugPrivilege | 3920 | rundll32.exe
  Token: SeDebugPrivilege | 2952 | RUNDLL32.EXE
  Token: SeDebugPrivilege | 1164 | powershell.exe
  Token: SeDebugPrivilege | 3712 | powershell.exe

Suspicious use of FindShellTrayWindow (1 IoC)
  pid | process
  2952 | RUNDLL32.EXE

Suspicious use of WriteProcessMemory (21 IoCs; each row below was reported 3 times)
  description | pid | process | target process
  PID 3248 wrote to memory of 3920 | 3248 | 0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe | rundll32.exe
  PID 3920 wrote to memory of 2952 | 3920 | rundll32.exe | RUNDLL32.EXE
  PID 2952 wrote to memory of 1164 | 2952 | RUNDLL32.EXE | powershell.exe
  PID 2952 wrote to memory of 3712 | 2952 | RUNDLL32.EXE | powershell.exe
  PID 3712 wrote to memory of 4364 | 3712 | powershell.exe | nslookup.exe
  PID 2952 wrote to memory of 4968 | 2952 | RUNDLL32.EXE | schtasks.exe
  PID 2952 wrote to memory of 1948 | 2952 | RUNDLL32.EXE | schtasks.exe

outlook_office_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE

outlook_win_path (1 IoC)
  description | ioc | process
  Key opened | \REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | RUNDLL32.EXE
Processes (indentation shows the parent/child tree)

C:\Users\Admin\AppData\Local\Temp\0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\0ff222e570a6934c471b2bcb13b78f88c75e95141b7c84bbd3dc936d7d46437b.exe"
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\0FF222~1.EXE
      - Loads dropped DLL
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\RUNDLL32.EXE
          command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\0FF222~1.DLL,nkBefDZUAw==
          - Blocklisted process makes network request
          - Checks computer location settings
          - Loads dropped DLL
          - Accesses Microsoft Outlook accounts
          - Accesses Microsoft Outlook profiles
          - Checks processor information in registry
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of FindShellTrayWindow
          - Suspicious use of WriteProcessMemory
          - outlook_office_path
          - outlook_win_path

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp2328.tmp.ps1"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken

            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Executionpolicy bypass -File "C:\Users\Admin\AppData\Local\Temp\tmp4D47.tmp.ps1"
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\nslookup.exe
                  command line: "C:\Windows\system32\nslookup.exe" -type=any localhost

            C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask

            C:\Windows\SysWOW64\schtasks.exe
              command line: schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask

    C:\Windows\SysWOW64\WerFault.exe
      command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3248 -s 536
      - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3248 -ip 3248
Downloads