Analysis
-
max time kernel
150s -
max time network
146s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
16-12-2022 11:24
General
-
Target
file.exe
-
Size
235KB
-
MD5
6a70c8ff0b09cc809fa362398e18b3c2
-
SHA1
77011a9774d30c2aa71777ef756b217442d57564
-
SHA256
f331a3b1ab03bd227de9722bfc16dfaf0bdf8a692995ebc868c711c08f664b9c
-
SHA512
87f3a3fd21850d3175ef9af86f6e7a4cf2d5fad410726a48d6a12bce0e80f9dc423e7b9a388a3341386aaae39479902fd0e41c133707d9ffd2fbbc363b09e139
-
SSDEEP
6144:eLhyLd3BRfc5wE2BO4IQGkRQmFstTtTHX8qMrc:eLhyFPQwLE4I1kjFsPT38n
Malware Config
Extracted
danabot
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
-
type
loader
Signatures
-
Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
-
Detects Smokeloader packer 1 IoCs
-
SmokeLoader
Modular backdoor trojan in use since 2014.
-
Downloads MZ/PE file
-
Executes dropped EXE 2 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 3 IoCs
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 46 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 38 IoCs
-
Suspicious use of FindShellTrayWindow 2 IoCs
-
Suspicious use of SendNotifyMessage 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\file.exe"C:\Users\Admin\AppData\Local\Temp\file.exe"1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Users\Admin\AppData\Local\Temp\E6BB.exeC:\Users\Admin\AppData\Local\Temp\E6BB.exe1⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of SetThreadContext
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Yystuqewt.exe"C:\Users\Admin\AppData\Local\Temp\Yystuqewt.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#612⤵
- Checks processor information in registry
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4196 -s 13163⤵
- Program crash
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3544 -s 14362⤵
- Program crash
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff4dd44f50,0x7fff4dd44f60,0x7fff4dd44f702⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,9616140401906500169,15347428270810435543,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1980 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,9616140401906500169,15347428270810435543,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:22⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,9616140401906500169,15347428270810435543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2276 /prefetch:82⤵
-
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1636,9616140401906500169,15347428270810435543,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3536 /prefetch:82⤵
-
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 1412 -s 36202⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4196 -ip 41961⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 512 -p 1412 -ip 14121⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3544 -ip 35441⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
4.3MB
MD59ff180b2f2774103cb0d36ccbf89e99f
SHA12e87dd7a8d0ee68427f89fd4bb88a60f76a4eb76
SHA2564b0831d1621248e1cf4d0e98208193ca71c278714e034ea0b2d0b0c2a26a3593
SHA512250107df31add644fb06aee8c7078de8a06f14fe4f19b1aaa3ee9a0541e7b6d90daee237c902bf592f3d64228625023c50b2130ba84387e1a41fd94d08b9756a
-
Filesize
4.3MB
MD59ff180b2f2774103cb0d36ccbf89e99f
SHA12e87dd7a8d0ee68427f89fd4bb88a60f76a4eb76
SHA2564b0831d1621248e1cf4d0e98208193ca71c278714e034ea0b2d0b0c2a26a3593
SHA512250107df31add644fb06aee8c7078de8a06f14fe4f19b1aaa3ee9a0541e7b6d90daee237c902bf592f3d64228625023c50b2130ba84387e1a41fd94d08b9756a
-
Filesize
1.2MB
MD51620dabc5dc8ff0c18497a0e60bcacfb
SHA1f90061876eb844fefc9de8fdccf963b66066a7e5
SHA2565b642f72bdb6f420d87669c20fd94f879da22e30a04620b3e9faaf755b1a201b
SHA512355e9b01e4b09029d813cfcbdf6fea814130e21e65d4496d4a098034d66a0b1eb428a8183dc6e0e5c422e8d2d51ec2e0807f3345137e51ac591b4331f6c2d91a
-
Filesize
1.2MB
MD51620dabc5dc8ff0c18497a0e60bcacfb
SHA1f90061876eb844fefc9de8fdccf963b66066a7e5
SHA2565b642f72bdb6f420d87669c20fd94f879da22e30a04620b3e9faaf755b1a201b
SHA512355e9b01e4b09029d813cfcbdf6fea814130e21e65d4496d4a098034d66a0b1eb428a8183dc6e0e5c422e8d2d51ec2e0807f3345137e51ac591b4331f6c2d91a
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
1.2MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.1MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
7.1MB
-
Filesize
4.4MB
-
Filesize
4.4MB
-
Filesize
1.2MB
-
Filesize
4.4MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
1.2MB
-
Filesize
4.4MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
6.0MB
-
Filesize
1.2MB
-
Filesize
1.2MB
-
Filesize
7.1MB
-
Filesize
1.2MB
-
Filesize
352KB
-
Filesize
352KB
-
Filesize
36KB
-
Filesize
68KB