Analysis

max time kernel: 43s
max time network: 47s
platform: windows7_x64
resource: win7-20220901-en
resource tags: arch:x64 arch:x86 image:win7-20220901-en locale:en-us os:windows7-x64 system
submitted: 18/12/2022, 07:33

Static task: static1
Behavioral task: behavioral1
Sample: 9e91c32b888335e331d2b2bce4dcc6e5.exe
Resource: win7-20220901-en
General

Target: 9e91c32b888335e331d2b2bce4dcc6e5.exe
Size: 4.2MB
MD5: 9e91c32b888335e331d2b2bce4dcc6e5
SHA1: b5296fb410921fbc4704414c0ae5b9f66fdf8827
SHA256: 04d2372a5d64fda367c1fe2bbaff93d609beac0aef98dde396e4c2290a54f5cf
SHA512: a1d3628edcef3bd51433126397878c4a7deb0723ff467423a54b6d62f765e3812dd76a39b774281973297bffb33e177e719d6cfa0ae12312692b6d027733b673
SSDEEP: 98304:EH8pUO4W/bMugp8ETlVHU2OeKA/XgpW/+dqDhOOlRYTkrrFqe5xoBAfVeWk+:iKx48bJgppLPvKA/DGsDXYo/Bxoifh
Malware Config

Extracted: danabot
  49.0.50.0:57
  51.0.52.0:0
  53.0.54.0:1200
  55.0.56.0:65535
type: loader
Signatures

Executes dropped EXE (1 IoC)
  pid   Process
  2040  Orwtaofpwtre.exe

Loads dropped DLL (2 IoCs)
  pid   Process
  1768  9e91c32b888335e331d2b2bce4dcc6e5.exe
  1768  9e91c32b888335e331d2b2bce4dcc6e5.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid   Process
  1052  chrome.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process                               procid_target
  PID 1768 set thread context of 556   1768  9e91c32b888335e331d2b2bce4dcc6e5.exe  29

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Checks processor information in registry (2 TTPs, 44 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  All keys below are relative to \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor.
  description           ioc                            Process
  Key value queried     \0\Component Information       9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\ProcessorNameString         9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Configuration Data          9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key enumerated        (root)                         rundll32.exe
  Key opened            \0                             9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key enumerated        (root)                         9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value enumerated  \1                             9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Update Status               9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key opened            \1                             rundll32.exe
  Key value enumerated  \1                             rundll32.exe
  Key value queried     \1\VendorIdentifier            9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \1\Update Signature            9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \1\Component Information       9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Update Signature            9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \1\Identifier                  9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\FeatureSet                  rundll32.exe
  Key value queried     \0\Update Signature            rundll32.exe
  Key value queried     \1\Update Status               9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Previous Update Signature   9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \1\ProcessorNameString         rundll32.exe
  Key value queried     \0\~MHz                        rundll32.exe
  Key opened            (root)                         rundll32.exe
  Key value queried     \0\Platform ID                 rundll32.exe
  Key value queried     \0\Component Information       rundll32.exe
  Key value queried     \1\Update Status               rundll32.exe
  Key value queried     \0\VendorIdentifier            9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Platform ID                 9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \1\ProcessorNameString         9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value enumerated  \0                             rundll32.exe
  Key value queried     \0\Configuration Data          rundll32.exe
  Key value queried     \1\VendorIdentifier            rundll32.exe
  Key opened            (root)                         9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Identifier                  rundll32.exe
  Key value queried     \0\ProcessorNameString         rundll32.exe
  Key value queried     \0\Previous Update Signature   rundll32.exe
  Key value enumerated  \0                             9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key opened            \1                             9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\Identifier                  9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key value queried     \0\VendorIdentifier            rundll32.exe
  Key value queried     \0\Update Status               rundll32.exe
  Key value queried     \0\FeatureSet                  9e91c32b888335e331d2b2bce4dcc6e5.exe
  Key opened            \0                             rundll32.exe
  Key value queried     \1\Configuration Data          rundll32.exe
  Key value queried     \1\Component Information       rundll32.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                Process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                 chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  chrome.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   chrome.exe

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid   Process
  1052  chrome.exe
  1052  chrome.exe
  556   rundll32.exe
  1128  chrome.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
  description               pid   Process
  Token: SeDebugPrivilege   2040  Orwtaofpwtre.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
  pid   Process
  2040  Orwtaofpwtre.exe
  556   rundll32.exe
  1052  chrome.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid   Process
  2040  Orwtaofpwtre.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid   Process
  1052  chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  Consecutive identical rows are collapsed; the count column gives the number of repeats, in the order the report lists them.
  description                        pid   Process                               procid_target  count
  PID 1768 wrote to memory of 2040   1768  9e91c32b888335e331d2b2bce4dcc6e5.exe  27             4
  PID 1768 wrote to memory of 556    1768  9e91c32b888335e331d2b2bce4dcc6e5.exe  29             7
  PID 1052 wrote to memory of 1428   1052  chrome.exe                            30             3
  PID 1768 wrote to memory of 556    1768  9e91c32b888335e331d2b2bce4dcc6e5.exe  29             1
  PID 1052 wrote to memory of 1492   1052  chrome.exe                            31             41
  PID 1052 wrote to memory of 1128   1052  chrome.exe                            32             3
  PID 1052 wrote to memory of 1972   1052  chrome.exe                            33             5
Processes

C:\Users\Admin\AppData\Local\Temp\9e91c32b888335e331d2b2bce4dcc6e5.exe
  "C:\Users\Admin\AppData\Local\Temp\9e91c32b888335e331d2b2bce4dcc6e5.exe"
  PID: 1768
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe
    "C:\Users\Admin\AppData\Local\Temp\Orwtaofpwtre.exe"
    PID: 2040
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage

  C:\Windows\syswow64\rundll32.exe
    "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    PID: 556
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow

C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  PID: 1052
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefaa24f50,0x7fefaa24f60,0x7fefaa24f70
    PID: 1428

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1020,5250628208315513204,13485334837614520168,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1036 /prefetch:2
    PID: 1492

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1020,5250628208315513204,13485334837614520168,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1308 /prefetch:8
    PID: 1128
    - Suspicious behavior: EnumeratesProcesses

  C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1020,5250628208315513204,13485334837614520168,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1816 /prefetch:8
    PID: 1972
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.2MB
MD5: 50e03c260a0f6db796aa22d7443aa105
SHA1: 573a47d22475dc990d57cdd33b0952b721e4ddd9
SHA256: 5b71ae23c39fbcd56d58ad59d4b13b0346f1f162bc5089b3ea4be35c0e621065
SHA512: 4528944754d4f6fae49d63c30377913ea4cf6741a37da8c91fc8ad1006fde8065de9aa96c5de03c84b78a27aecffbf43de9daa94f25408c866c605394a71d434