Analysis
max time kernel: 52s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/12/2022, 07:33
Static task: static1
Behavioral task: behavioral1
Sample: cc4b391886bf4238e70772704b2c97ca.exe
Resource: win7-20220901-en
General
Target: cc4b391886bf4238e70772704b2c97ca.exe
Size: 4.2MB
MD5: cc4b391886bf4238e70772704b2c97ca
SHA1: aa0cf46c73caac0019a6f5e7f172f4540d33d525
SHA256: 0290bb1ffcb644899aeb89c8aafdf2dba92aae13b251738163d2d16087f32c4d
SHA512: 379148eaef2495c9518dfb98fc1c1924e310270e4c9965d42b80fd97531fbccafbec04c3fa67d7cec29140a83e37667426092ac6b60b95313cfccaa626df9072
SSDEEP: 98304:HVB49SUAYWqaJJVJ8J4EqriM3lp+OJMIUvX6J12EulTjAgW+P:HfUnjaJJVJM4EqrJ331eXW1FuNjJWu
Malware Config
Extracted: danabot
  49.0.50.0:57
  51.0.52.0:0
  53.0.54.0:1200
  55.0.56.0:65535
  type: loader
Signatures

Executes dropped EXE (1 IoC)
  pid | Process
  2112 | Orwtaofpwtre.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation | cc4b391886bf4238e70772704b2c97ca.exe
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid | Process
  5076 | chrome.exe
Suspicious use of SetThreadContext (1 IoC)
  description | pid | Process | procid_target
  PID 2188 set thread context of 1376 | 2188 | cc4b391886bf4238e70772704b2c97ca.exe | 82
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (2 IoCs)
  pid | pid_target | Process | procid_target
  3016 | 5076 | WerFault.exe | 81
  4516 | 2188 | WerFault.exe | 78
Checks processor information in registry (2 TTPs, 49 IoCs)
Processor information is often read in order to detect sandboxing environments.
All keys below are under \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor; that prefix is written as CentralProcessor in the ioc column.
  description | ioc | Process
  Key value queried | CentralProcessor\0\ProcessorNameString | cc4b391886bf4238e70772704b2c97ca.exe
  Key opened | CentralProcessor\0 | rundll32.exe
  Key value queried | CentralProcessor\0\Previous Update Revision | rundll32.exe
  Key value queried | CentralProcessor\1\VendorIdentifier | rundll32.exe
  Key value queried | CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
  Key enumerated | CentralProcessor | cc4b391886bf4238e70772704b2c97ca.exe
  Key opened | CentralProcessor\1 | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\FeatureSet | cc4b391886bf4238e70772704b2c97ca.exe
  Key opened | CentralProcessor\0 | cc4b391886bf4238e70772704b2c97ca.exe
  Key opened | CentralProcessor | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\Identifier | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\~MHz | rundll32.exe
  Key value queried | CentralProcessor\0\Component Information | rundll32.exe
  Key value queried | CentralProcessor\0\Update Revision | rundll32.exe
  Key value queried | CentralProcessor\1\ProcessorNameString | cc4b391886bf4238e70772704b2c97ca.exe
  Key opened | CentralProcessor | rundll32.exe
  Key opened | CentralProcessor\1 | rundll32.exe
  Key value queried | CentralProcessor\0\Platform Specific Field 1 | cc4b391886bf4238e70772704b2c97ca.exe
  Key enumerated | CentralProcessor | rundll32.exe
  Key value queried | CentralProcessor\1\Update Status | rundll32.exe
  Key value queried | CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
  Key value queried | CentralProcessor\1\Identifier | rundll32.exe
  Key value enumerated | CentralProcessor\1 | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\Previous Update Revision | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\Component Information | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\Configuration Data | rundll32.exe
  Key value queried | CentralProcessor\0\~MHz | rundll32.exe
  Key value queried | CentralProcessor\1\Component Information | rundll32.exe
  Key value queried | CentralProcessor\0\FeatureSet | rundll32.exe
  Key value queried | CentralProcessor\1\ProcessorNameString | rundll32.exe
  Key value queried | CentralProcessor\1\Previous Update Revision | rundll32.exe
  Key value enumerated | CentralProcessor\0 | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\Update Status | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\Update Revision | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\Platform Specific Field 1 | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\Previous Update Revision | cc4b391886bf4238e70772704b2c97ca.exe
  Key value enumerated | CentralProcessor\0 | rundll32.exe
  Key value queried | CentralProcessor\0\Identifier | rundll32.exe
  Key value queried | CentralProcessor\1\Update Revision | rundll32.exe
  Key value queried | CentralProcessor\1\FeatureSet | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\Identifier | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\~MHz | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\Update Status | cc4b391886bf4238e70772704b2c97ca.exe
  Key value enumerated | CentralProcessor\1 | rundll32.exe
  Key value queried | CentralProcessor\0\ProcessorNameString | rundll32.exe
  Key value queried | CentralProcessor\0\VendorIdentifier | rundll32.exe
  Key value queried | CentralProcessor\0\Configuration Data | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\1\Component Information | cc4b391886bf4238e70772704b2c97ca.exe
  Key value queried | CentralProcessor\0\Update Status | rundll32.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Modifies registry class (1 IoC)
  description | ioc | Process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings | rundll32.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  1376 | rundll32.exe
  1376 | rundll32.exe
  232 | chrome.exe
  232 | chrome.exe
  5076 | chrome.exe
  5076 | chrome.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
  description | pid | Process
  Token: SeDebugPrivilege | 2112 | Orwtaofpwtre.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  2112 | Orwtaofpwtre.exe
  1376 | rundll32.exe
  5076 | chrome.exe
Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  2112 | Orwtaofpwtre.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  5076 | chrome.exe
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | count
  PID 2188 wrote to memory of 2112 | 2188 | cc4b391886bf4238e70772704b2c97ca.exe | 79 | 3
  PID 5076 wrote to memory of 5088 | 5076 | chrome.exe | 80 | 2
  PID 2188 wrote to memory of 1376 | 2188 | cc4b391886bf4238e70772704b2c97ca.exe | 82 | 4
  PID 5076 wrote to memory of 3360 | 5076 | chrome.exe | 85 | 40
  PID 5076 wrote to memory of 232 | 5076 | chrome.exe | 86 | 2
  PID 5076 wrote to memory of 4720 | 5076 | chrome.exe | 87 | 13
Processes

C:\Users\Admin\AppData\Local\Temp\cc4b391886bf4238e70772704b2c97ca.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\cc4b391886bf4238e70772704b2c97ca.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  PID: 2188

    C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage
      PID: 2112

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow
      PID: 1376

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2188 -s 1160
      - Program crash
      PID: 4516

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea7104f50,0x7ffea7104f60,0x7ffea7104f70
  PID: 5088

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 5076

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1604,10032942835176622942,11999446419820805690,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
      PID: 3360

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1604,10032942835176622942,11999446419820805690,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2024 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
      PID: 232

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1604,10032942835176622942,11999446419820805690,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2272 /prefetch:8
      PID: 4720

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1604,10032942835176622942,11999446419820805690,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
      PID: 1184

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 5076 -s 3588
      - Program crash
      PID: 3016

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 2128

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 428 -p 5076 -ip 5076
  PID: 1160

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 560 -p 2188 -ip 2188
  PID: 2372
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.2MB
MD5: 50e03c260a0f6db796aa22d7443aa105
SHA1: 573a47d22475dc990d57cdd33b0952b721e4ddd9
SHA256: 5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065
SHA512: 4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434