Analysis

  • max time kernel
    151s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/12/2022, 02:32

General

  • Target

    43157b2d302a8a1baff450e8c67af7b41f62edad8aa68adffbd6aa6ef0cbbc24.exe

  • Size

    214KB

  • MD5

    1021f84c8752ea79512272424205566a

  • SHA1

    48276be4e6429b8920bb9aa2de0b9bedfe8dc399

  • SHA256

    43157b2d302a8a1baff450e8c67af7b41f62edad8aa68adffbd6aa6ef0cbbc24

  • SHA512

    a9db622055e96348a40957f4c13543b5b8f13a6a2a9526082d37edaa504de2c7b95128570235eb20d6aecc2ee6b4ebef7d4101cac11eaf33d53141bb18691ecc

  • SSDEEP

    3072:kl8mcsFLPYpZwRyxg9qaLt4L0OmjPxwiB1ts8/g3xoSckkFyG3ERWR3LV:a8mZFLPYpdC9SL5uP/pg3Ctk4U0VB

Malware Config

Extracted

Family

danabot

C2

23.236.181.126:443

123.253.35.251:443

66.85.173.3:443

Attributes
  • embedded_hash

    06BD317F4F9CFA75DD0DF0D5CD9B06A1

  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Detects Smokeloader packer (1 IoC)
  • SmokeLoader

    Modular backdoor trojan in use since 2014.

  • Blocklisted process makes network request (3 IoCs)
  • Downloads MZ/PE file
  • Executes dropped EXE (1 IoC)
  • Loads dropped DLL (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash (1 IoC)
  • Checks SCSI registry key(s) (3 TTPs, 3 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry (2 TTPs, 20 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Modifies Internet Explorer settings (1 TTP, 4 IoCs)
  • Modifies registry class (30 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (64 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (1 IoC)
  • Suspicious use of AdjustPrivilegeToken (20 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\43157b2d302a8a1baff450e8c67af7b41f62edad8aa68adffbd6aa6ef0cbbc24.exe
    "C:\Users\Admin\AppData\Local\Temp\43157b2d302a8a1baff450e8c67af7b41f62edad8aa68adffbd6aa6ef0cbbc24.exe"
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    PID:1504
  • C:\Users\Admin\AppData\Local\Temp\48E0.exe
    C:\Users\Admin\AppData\Local\Temp\48E0.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\rundll32.exe
      C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll,start
      2⤵
      • Blocklisted process makes network request
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Checks processor information in registry
      • Suspicious use of WriteProcessMemory
      PID:2312
      • C:\Windows\system32\rundll32.exe
        "C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 20216
        3⤵
        • Modifies registry class
        • Suspicious use of FindShellTrayWindow
        PID:3260
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 480
      2⤵
      • Program crash
      PID:2496
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 4812 -ip 4812
    1⤵
      PID:1716
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:4592

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\48E0.exe

              Filesize

              2.4MB

              MD5

              0bb2b15ca73128dbc816ea4ed583119c

              SHA1

              17d05964d9208ca1a27fd007ad5f41752cfa893e

              SHA256

              295dfd4608b81ee276a04f1c58d806b7f906695e744cfe8234eca6360c555ca8

              SHA512

              d58afa63c04cb95576e9a7b5ae026dc28526cee7a26c5e829c091356179f4d255503914398dd209c506743ab78f16cb84d862e2f8ae5f43282bfe2a3e7afe375

            • C:\Users\Admin\AppData\Local\Temp\Iseiuaqptde.dll

              Filesize

              2.4MB

              MD5

              382de5a0458d5deeb8cfb59cb930f1d3

              SHA1

              45cf4fc723134598d368532461b9778d54d459e3

              SHA256

              df24ecb582c5d61d74305941b999b3bc066d796de691a4b815f91ca36a51c93c

              SHA512

              16abdc412afe43253cb9efd8682239db21ac12239a1db3bff0ab2d3b90efe0453a4df9e31464f58116790164bb0d539e569d0c174cc47172bb341f9ad1a33c64

            • memory/1504-133-0x0000000000460000-0x0000000000469000-memory.dmp

              Filesize

              36KB

            • memory/1504-134-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

            • memory/1504-135-0x0000000000400000-0x000000000045F000-memory.dmp

              Filesize

              380KB

            • memory/1504-132-0x00000000004A2000-0x00000000004B2000-memory.dmp

              Filesize

              64KB

            • memory/2312-156-0x00000000043C0000-0x0000000004500000-memory.dmp

              Filesize

              1.2MB

            • memory/2312-149-0x0000000003BD0000-0x00000000042F5000-memory.dmp

              Filesize

              7.1MB

            • memory/2312-163-0x0000000003BD0000-0x00000000042F5000-memory.dmp

              Filesize

              7.1MB

            • memory/2312-160-0x0000000004439000-0x000000000443B000-memory.dmp

              Filesize

              8KB

            • memory/2312-145-0x0000000000400000-0x0000000000671000-memory.dmp

              Filesize

              2.4MB

            • memory/2312-155-0x00000000043C0000-0x0000000004500000-memory.dmp

              Filesize

              1.2MB

            • memory/2312-147-0x0000000000400000-0x0000000000671000-memory.dmp

              Filesize

              2.4MB

            • memory/2312-148-0x0000000003BD0000-0x00000000042F5000-memory.dmp

              Filesize

              7.1MB

            • memory/2312-154-0x00000000043C0000-0x0000000004500000-memory.dmp

              Filesize

              1.2MB

            • memory/2312-150-0x0000000003BD0000-0x00000000042F5000-memory.dmp

              Filesize

              7.1MB

            • memory/2312-152-0x00000000043C0000-0x0000000004500000-memory.dmp

              Filesize

              1.2MB

            • memory/2312-151-0x00000000043C0000-0x0000000004500000-memory.dmp

              Filesize

              1.2MB

            • memory/2312-153-0x00000000043C0000-0x0000000004500000-memory.dmp

              Filesize

              1.2MB

            • memory/3260-159-0x000001D2AB3E0000-0x000001D2AB520000-memory.dmp

              Filesize

              1.2MB

            • memory/3260-161-0x0000000000140000-0x0000000000359000-memory.dmp

              Filesize

              2.1MB

            • memory/3260-162-0x000001D2AB540000-0x000001D2AB76A000-memory.dmp

              Filesize

              2.2MB

            • memory/3260-158-0x000001D2AB3E0000-0x000001D2AB520000-memory.dmp

              Filesize

              1.2MB

            • memory/4812-146-0x0000000000400000-0x0000000000791000-memory.dmp

              Filesize

              3.6MB

            • memory/4812-141-0x0000000000400000-0x0000000000791000-memory.dmp

              Filesize

              3.6MB

            • memory/4812-139-0x0000000000B25000-0x0000000000D70000-memory.dmp

              Filesize

              2.3MB

            • memory/4812-140-0x0000000002620000-0x00000000029A5000-memory.dmp

              Filesize

              3.5MB