danabot | 106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f

Analysis

max time kernel
133s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 09:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f54e72ec43ba9b6d7dcb039cc2ad48f6.exe
Size

1.1MB
MD5

f54e72ec43ba9b6d7dcb039cc2ad48f6
SHA1

4dd3e8194b67d5e594eee18101bee38a69d1343a
SHA256

106a8c05bd4fe5807019f19c99c66dd65166442148ab41a482944a06740dca2f
SHA512

50e425e51b2fe3a11e35499470c0cb9e571f82a1beff6acf21a061da53f278de362a7dd93b121408cf7a27421ff2a557e59c94943f9b3681dab7e023b64c7c3e
SSDEEP

24576:T8Wm0i8kSft6kipJYRYWvFZS1LVb1wkOGM9MiALQ2wFP:PGhSEvARYSZSxBBOxJAQhFP

Score

10^/10

danabot banker discovery trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 5 IoCs

Processes:

rundll32.exe

flow pid process

7 2820 rundll32.exe
8 2820 rundll32.exe
10 2820 rundll32.exe
11 2820 rundll32.exe
47 2820 rundll32.exe
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2820 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2820 set thread context of 1960 2820 rundll32.exe rundll32.exe

flow	pid	process
7	2820	rundll32.exe
8	2820	rundll32.exe
10	2820	rundll32.exe
11	2820	rundll32.exe
47	2820	rundll32.exe

pid	process
2820	rundll32.exe

description	pid	process	target process
PID 2820 set thread context of 1960	2820	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Review_RHP.aapp	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\AcroBroker.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\2d.x3d	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\3difr.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\3difr.x3d	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\Review_RHP.aapp	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\adobe_spinner.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ViewerPS.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\tl.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4556 904 WerFault.exe f54e72ec43ba9b6d7dcb039cc2ad48f6.exe

pid	pid_target	process	target process
4556	904	WerFault.exe	f54e72ec43ba9b6d7dcb039cc2ad48f6.exe

Checks processor information in registry 2 TTPs 27 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2820 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

1960 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2820	rundll32.exe

pid	process
1960	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f54e72ec43ba9b6d7dcb039cc2ad48f6.exerundll32.exe

description	pid	process	target process
PID 904 wrote to memory of 2820	904	f54e72ec43ba9b6d7dcb039cc2ad48f6.exe	rundll32.exe
PID 904 wrote to memory of 2820	904	f54e72ec43ba9b6d7dcb039cc2ad48f6.exe	rundll32.exe
PID 904 wrote to memory of 2820	904	f54e72ec43ba9b6d7dcb039cc2ad48f6.exe	rundll32.exe
PID 2820 wrote to memory of 1960	2820	rundll32.exe	rundll32.exe
PID 2820 wrote to memory of 1960	2820	rundll32.exe	rundll32.exe
PID 2820 wrote to memory of 1960	2820	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\f54e72ec43ba9b6d7dcb039cc2ad48f6.exe
"C:\Users\Admin\AppData\Local\Temp\f54e72ec43ba9b6d7dcb039cc2ad48f6.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:904

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2820

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14137
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:1960

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:3152

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:1300

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 904 -s 556
2⤵
- Program crash
PID:4556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 904 -ip 904
1⤵
PID:2748

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3008

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:2400

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\tl.dll",aQ5b
2⤵
PID:3504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\tl.dll
Filesize
797KB

MD5
42d704b84a7fecfd38d0f6e14fdadaa2

SHA1
952c7030db3a653a2f68711b94da852060ecf47f

SHA256
a99fe485a22fa50c2cfc929a3aa3b602ef5ba72a2b03811c73465998c231d845

SHA512
c1989d325ac4efa554a7ebca53f502a3eec746e7267c197221e46ed3d586890ffe2cba921db75405bf4f1cb8b70a508a1c1fcbea837198d43a9e540688b9762d

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\tl.dll
Filesize
797KB

MD5
42d704b84a7fecfd38d0f6e14fdadaa2

SHA1
952c7030db3a653a2f68711b94da852060ecf47f

SHA256
a99fe485a22fa50c2cfc929a3aa3b602ef5ba72a2b03811c73465998c231d845

SHA512
c1989d325ac4efa554a7ebca53f502a3eec746e7267c197221e46ed3d586890ffe2cba921db75405bf4f1cb8b70a508a1c1fcbea837198d43a9e540688b9762d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp
Filesize
2.3MB

MD5
50d23ef3b65dfcbea418948122e2338c

SHA1
7d0a04be14fcfa5cadeaf9899cd44d48917bf736

SHA256
b7d3dc673c6f6e02f289b096c97ad9cc3b7183edbc4ff3e97fd0cdb9ae9cd5f8

SHA512
bb1f0a81e7ed02cdce36e125f7e00880ddcedcbb48c7c0a416dc434c78de4a616d0cbc86ace0f8c670cd480b581c910fe76df452cc49d466b46bd5a2fa70eb38

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
849B

MD5
bd5949f7138558f33eeadec17d3605a1

SHA1
7089296812fd9348b62936a6eea5928809f26d63

SHA256
0b9ef96887d1143ced0048b15f5437eaf878c932dd89a05794a742ce8f905fe6

SHA512
6be4a51529e882a8f6c3001a8598ce41d00f401bc53ec3e38b1122cf2e61076ef3a780c077f672faae774078a4dc68e6481f1ad660342d2836dde9b38c6752d8

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe.xml
Filesize
913B

MD5
1600f66ce0d9c342eb6a49155a2f8c14

SHA1
e13fdac3eb45a9d47f965b2f2cf7f2ff4893af07

SHA256
8dcf324dfacd70d3e32cd9423bf9067f3cbc50929dee5154bdaa531c84a9dc27

SHA512
ed27ee001fefa4d7ae3ab0fe2cb1059f277692eb0b6fddb6092467ec67cfdacc3db2252e8700095ccaf503e7ca0c7942771614b1b2a0b800fd27daa30ebb5b00

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\print_queue.ico
Filesize
55KB

MD5
0f3c6d90637f0fdc57b1d303cf8d76cd

SHA1
91cef4325b363b31e4555302a70321a2110b51cf

SHA256
4858a310c97817f76fd6430067ac3c0b54dc030f7547eb9fbdb082545e8cc261

SHA512
6f533242faef57f84c88ea6d5134f60f3fc8a9771a0106752d430875266698cd5d1d4beffd00abdd492d08d5f5365d905dd8869ced2ec0bc7c20be8430d73df5

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\tasks.xml
Filesize
11KB

MD5
6ab160b8998020e6d4373c003e9879d4

SHA1
efa87d3fb95a73a892ed88b08651c44fe03c150f

SHA256
faf021b3c06abc41a9fb8e021171fd0ea41684b732a8e77433e447af8e527516

SHA512
c923c48b0b5c741777666ca161864879defd50c299ae76d9f093ffb846d144600c99d281d879f9328509061f3ae6784a706f15248e0fed7bfd7a595b389aae1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp
Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\tl.dll
Filesize
797KB

MD5
42d704b84a7fecfd38d0f6e14fdadaa2

SHA1
952c7030db3a653a2f68711b94da852060ecf47f

SHA256
a99fe485a22fa50c2cfc929a3aa3b602ef5ba72a2b03811c73465998c231d845

SHA512
c1989d325ac4efa554a7ebca53f502a3eec746e7267c197221e46ed3d586890ffe2cba921db75405bf4f1cb8b70a508a1c1fcbea837198d43a9e540688b9762d

Download Submit
memory/904-136-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/904-134-0x0000000002480000-0x00000000025B0000-memory.dmp

Filesize
1.2MB

Download
memory/904-133-0x00000000022AB000-0x0000000002399000-memory.dmp

Filesize
952KB

Download
memory/1300-167-0x0000000000000000-mapping.dmp

Download
memory/1960-148-0x0000029911330000-0x0000029911470000-memory.dmp

Filesize
1.2MB

Download
memory/1960-146-0x00007FF711936890-mapping.dmp

Download
memory/1960-150-0x0000029911330000-0x0000029911470000-memory.dmp

Filesize
1.2MB

Download
memory/1960-149-0x00000000005E0000-0x00000000007F9000-memory.dmp

Filesize
2.1MB

Download
memory/1960-151-0x000002990F960000-0x000002990FB8A000-memory.dmp

Filesize
2.2MB

Download
memory/2400-168-0x0000000003B90000-0x00000000042B5000-memory.dmp

Filesize
7.1MB

Download
memory/2400-157-0x0000000003B90000-0x00000000042B5000-memory.dmp

Filesize
7.1MB

Download
memory/2400-156-0x0000000003B90000-0x00000000042B5000-memory.dmp

Filesize
7.1MB

Download
memory/2820-143-0x0000000005260000-0x00000000053A0000-memory.dmp

Filesize
1.2MB

Download
memory/2820-140-0x0000000005260000-0x00000000053A0000-memory.dmp

Filesize
1.2MB

Download
memory/2820-144-0x0000000005260000-0x00000000053A0000-memory.dmp

Filesize
1.2MB

Download
memory/2820-147-0x00000000052D9000-0x00000000052DB000-memory.dmp

Filesize
8KB

Download
memory/2820-152-0x0000000006510000-0x0000000006C35000-memory.dmp

Filesize
7.1MB

Download
memory/2820-142-0x0000000005260000-0x00000000053A0000-memory.dmp

Filesize
1.2MB

Download
memory/2820-132-0x0000000000000000-mapping.dmp

Download
memory/2820-145-0x0000000005260000-0x00000000053A0000-memory.dmp

Filesize
1.2MB

Download
memory/2820-141-0x0000000005260000-0x00000000053A0000-memory.dmp

Filesize
1.2MB

Download
memory/2820-139-0x0000000006510000-0x0000000006C35000-memory.dmp

Filesize
7.1MB

Download
memory/2820-138-0x0000000006510000-0x0000000006C35000-memory.dmp

Filesize
7.1MB

Download
memory/3152-166-0x0000000000000000-mapping.dmp

Download
memory/3504-165-0x0000000004040000-0x0000000004765000-memory.dmp

Filesize
7.1MB

Download
memory/3504-164-0x0000000004040000-0x0000000004765000-memory.dmp

Filesize
7.1MB

Download
memory/3504-162-0x0000000000000000-mapping.dmp

Download
memory/3504-169-0x0000000004040000-0x0000000004765000-memory.dmp

Filesize
7.1MB

Download