Analysis

max time kernel: 148s
max time network: 153s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
submitted: 04-12-2022 14:59

Static task: static1
Behavioral task: behavioral1
Sample: 0019389_01039.js
Resource: win7-20220901-en
General

Target: 0019389_01039.js
Size: 1.0MB
MD5: d115552252592f589e7412d6650a949e
SHA1: ad4c6cd7e85541866f5cd0fa747b7f08a5fe8067
SHA256: 3b55010b7f8f4e7ded435b29af5d00f98c06dd8f14258355d0049f186f4a6bbc
SHA512: 461aebb7a488102e3de0c9b807dbf8d04a41737d050dc4ca95bbf8283ee5176845adafee6bf81db83a73af2b67e66f45adaad6a145062ae035208cee71adfa71
SSDEEP: 1536:toTXaFN5VEYPznC2x1ZQu56WD/EYc9piGqvzlY84fEgZt32a2zO70tsE+TXURbtj:tS2uXtlk
Malware Config (extracted)

Family: danabot
Addresses:
  164.175.70.152
  89.144.25.243
  86.177.194.155
  29.195.96.191
  29.43.1.29
  84.215.94.117
  115.58.63.174
  89.144.25.104
  199.179.34.46
  68.48.87.153
Signatures

Danabot x86 payload (6 IoCs)
Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  resource                                              yara_rule
  C:\Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll    family_danabot
  \Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll      family_danabot
  \Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll      family_danabot
  \Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll      family_danabot
  \Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll      family_danabot
  \Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll      family_danabot

Blocklisted process makes network request (7 IoCs)
Processes: rundll32.exe
  flow  pid   process
  1     2024  rundll32.exe
  2     2024  rundll32.exe
  4     2024  rundll32.exe
  5     2024  rundll32.exe
  6     2024  rundll32.exe
  7     2024  rundll32.exe
  8     2024  rundll32.exe

Loads dropped DLL (5 IoCs)
Processes: regsvr32.exe, rundll32.exe
  pid   process
  1628  regsvr32.exe
  2024  rundll32.exe
  2024  rundll32.exe
  2024  rundll32.exe
  2024  rundll32.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious use of WriteProcessMemory (19 IoCs)
Processes: wscript.exe, regsvr32.exe, regsvr32.exe
  description                        pid   process       target process   events
  PID 2016 wrote to memory of 972    2016  wscript.exe   regsvr32.exe     5
  PID 972 wrote to memory of 1628    972   regsvr32.exe  regsvr32.exe     7
  PID 1628 wrote to memory of 2024   1628  regsvr32.exe  rundll32.exe     7
Processes

1. C:\Windows\system32\wscript.exe
   command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\0019389_01039.js
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\System32\regsvr32.exe
      command line: "C:\Windows\System32\regsvr32.exe" -s C:\Users\Admin\AppData\Local\Temp\\ALNYajCWUsjV.dll
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\regsvr32.exe
         command line: -s C:\Users\Admin\AppData\Local\Temp\\ALNYajCWUsjV.dll
         - Loads dropped DLL
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\rundll32.exe
            command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll,f0
            - Blocklisted process makes network request
            - Loads dropped DLL
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll
(also reported as \Users\Admin\AppData\Local\Temp\ALNYajCWUsjV.dll; the same file with identical hashes was listed six times)
  Filesize: 284KB
  MD5: 82e719eae0182374cb433118d8d802d2
  SHA1: 626ba0208fcf1ef29bf8cfa0e6f70ded70aee885
  SHA256: 8e0dcdd85ab03fd0230f512158aaee86a29b6816c959bfd4ae6a91500f37e45c
  SHA512: 914370240040c3ee6bc328a8c93b8a00ab20af44ac98222626ecee907bfe18a1e856f6b4a07c75073a40abd4b2caac042b9f92b7f3f774700cbfb5998ba8e968
memory/972-54-0x0000000000000000-mapping.dmp
memory/972-55-0x000007FEFC2F1000-0x000007FEFC2F3000-memory.dmp
  Filesize: 8KB
memory/1628-57-0x0000000000000000-mapping.dmp
memory/1628-58-0x0000000075A71000-0x0000000075A73000-memory.dmp
  Filesize: 8KB
memory/2024-60-0x0000000000000000-mapping.dmp