danabot | 4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912

Analysis

max time kernel
135s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-12-2022 12:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tmp.exe
Size

1.1MB
MD5

be1369ec379e0ec8dd84be3d5a26ac00
SHA1

ee6832ff5c366b22291778d8c314f0d4ec6b1225
SHA256

4162582a729874d7ae84b69bb265fcc1a26ef2635de322bc60c18db397f20912
SHA512

4b1546ac4017772a97d5c16be5be988ce31f64161a4df2ed39d4fcab6590616f8268f8cc3d193a9b50c0ebecf7505a445554a5897dd5ff29f1eda6437194b171
SSDEEP

24576:TuVphQcMt0PVCry56Ck+ghSeqNXT2v1fxOdmpCWYLkur4+g:TCpTBsNCMfZ1fgdZwX

Score

10^/10

danabot banker discovery persistence trojan

Malware Config

Signatures

Danabot
Danabot is a modular banking Trojan that has been linked with other malware.
trojan banker danabot
Blocklisted process makes network request 4 IoCs

Processes:

rundll32.exe

flow pid process

10 2240 rundll32.exe
11 2240 rundll32.exe
34 2240 rundll32.exe
69 2240 rundll32.exe

flow	pid	process
10	2240	rundll32.exe
11	2240	rundll32.exe
34	2240	rundll32.exe
69	2240	rundll32.exe

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\A12_Spinner\Parameters\ServiceDll = "C:\\Program Files (x86)\\WindowsPowerShell\\Modules\\A12_Spinner.dll"	rundll32.exe

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\A12_Spinner\ImagePath = "C:\\Windows\\system32\\svchost.exe -k LocalService"	rundll32.exe

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2240 rundll32.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Suspicious use of SetThreadContext 1 IoCs

Processes:

rundll32.exe

description pid process target process

PID 2240 set thread context of 3540 2240 rundll32.exe rundll32.exe

pid	process
2240	rundll32.exe

description	pid	process	target process
PID 2240 set thread context of 3540	2240	rundll32.exe	rundll32.exe

Drops file in Program Files directory 12 IoCs

Processes:

rundll32.exe

description	ioc	process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\DVA.api	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ccme_asym.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\DVA.api	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\turnOffNotificationInAcrobat.gif	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Onix32.dll	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\AddressBook.png	rundll32.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\turnOffNotificationInAcrobat.gif	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Onix32.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\ccme_asym.dll	rundll32.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Eula.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1060 4600 WerFault.exe tmp.exe

pid	pid_target	process	target process
1060	4600	WerFault.exe	tmp.exe

Checks processor information in registry 2 TTPs 20 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

rundll32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision	rundll32.exe
Key value enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	rundll32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	rundll32.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	rundll32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	rundll32.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	rundll32.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

rundll32.exe

description pid process

Token: SeDebugPrivilege 2240 rundll32.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

rundll32.exe

pid process

3540 rundll32.exe

description	pid	process
Token: SeDebugPrivilege	2240	rundll32.exe

pid	process
3540	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

tmp.exerundll32.exe

description	pid	process	target process
PID 4600 wrote to memory of 2240	4600	tmp.exe	rundll32.exe
PID 4600 wrote to memory of 2240	4600	tmp.exe	rundll32.exe
PID 4600 wrote to memory of 2240	4600	tmp.exe	rundll32.exe
PID 2240 wrote to memory of 3540	2240	rundll32.exe	rundll32.exe
PID 2240 wrote to memory of 3540	2240	rundll32.exe	rundll32.exe
PID 2240 wrote to memory of 3540	2240	rundll32.exe	rundll32.exe

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4600

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp",Wufaiiuuye
2⤵
- Blocklisted process makes network request
- Sets DLL path for service in the registry
- Sets service image path in registry
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\system32\shell32.dll",#61 14109
3⤵
- Modifies registry class
- Suspicious use of FindShellTrayWindow
PID:3540

C:\Windows\SysWOW64\schtasks.exe
schtasks /End /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2552

C:\Windows\SysWOW64\schtasks.exe
schtasks /Run /tn \Microsoft\Windows\Wininet\CacheTask
3⤵
PID:2748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4600 -s 252
2⤵
- Program crash
PID:1060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4600 -ip 4600
1⤵
PID:3880

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3608

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k LocalService
1⤵
PID:4180

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\system32\rundll32.exe" "c:\program files (x86)\windowspowershell\modules\a12_spinner.dll",hCpaelIz
2⤵
PID:4736

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.dll

Filesize
797KB

MD5
e3cd84b47ea48415041634b89fa03347

SHA1
e4dee6ffb3fcca7c2665198838d54fc81b5c8422

SHA256
596565dbbc4e7c29c4908fc6f01571a07a46b59e882b41e369e0c87fa38931b1

SHA512
bea53db42e5d889afe3b61950e84b4e45d6c2777250ae369e37bb9ead879297960a20d7602c2ec82329ba7e98f3bba62b83f6d4869ac4ee67f6740ff285e163d

Download Submit
C:\Program Files (x86)\WindowsPowerShell\Modules\A12_Spinner.dll

Filesize
797KB

MD5
e3cd84b47ea48415041634b89fa03347

SHA1
e4dee6ffb3fcca7c2665198838d54fc81b5c8422

SHA256
596565dbbc4e7c29c4908fc6f01571a07a46b59e882b41e369e0c87fa38931b1

SHA512
bea53db42e5d889afe3b61950e84b4e45d6c2777250ae369e37bb9ead879297960a20d7602c2ec82329ba7e98f3bba62b83f6d4869ac4ee67f6740ff285e163d

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\AirSpace.Etw.man

Filesize
412KB

MD5
39e5270caae15015c8203fec413669c7

SHA1
f44f5617f2bc496fb497a1e8ad13997ccecf0f6d

SHA256
2e6cbfc09039d76897eaf701179ba2011d2ea134ca8b6c6e9792a0843006a5f1

SHA512
9bdab6d4cea87cd1172a77554c0059dbd5f7f29ca754e4ed21aa99bc4b16f40fc28e32c81f0ab3ea49158c12cc6c5318a81bd942b916c0b1241b2c6818b2657a

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\CiPT0000.002

Filesize
64KB

MD5
08c1446a011937f5608e5f2448443304

SHA1
53e7291e9b33e46a17d9514a6005302e79a36407

SHA256
c10595f1ade2f1adced14a578b437e6958adf631c01a4c167b14b6904eaf2680

SHA512
a7a339940faba59e5a07b715ae39df9de39a4e69913d8d347cd696709a3191483537d1c011a1bea2d5faa222bf768e33dbde5791d04458b7e14a3db494eb6b07

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
958f3558d952f0e1f19bf0eff21db3b2

SHA1
35ce6621d1326538855de2ecb151a921990a21d2

SHA256
d076751ecddd3ee7970dd74daca9103690f9987fadf7d3059655aa543e8398a7

SHA512
0d6f4515c10d6b6d9082dc67ec8a6111f3dd7685fcee71a4ce0dd4fefbe5cab6b5ba706dbdc405fd3d98a3ec9c14c8abeac5fb98d33a13dfd06d4a4dc1bea708

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\Fwroes.tmp

Filesize
2.3MB

MD5
61476558518d29bb4603ebe391c74bf5

SHA1
ab40eea12efa8e57a34bb4a3fef31a157fe85026

SHA256
515348dda14ad2d785e57620025d3d5d65cf52a94f04f4c970617deb0f7ae623

SHA512
30361d871b40940d08e3b8882ec477a870f22e19474c45321db7d444b6371d8aa7ae7062fd2613fa8799745ca3eeea18effc7e2609f16826e65a219a20822d67

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\s640.hash

Filesize
106B

MD5
bef40d5a19278ca19b56fbcdde7e26ef

SHA1
4f01d5b8de038e120c64bd7cc22cf150af1452fb

SHA256
7f9c7cc5b265e312fc587d98c7c31218b7a46f1efb8c397dcc329354b4e5831d

SHA512
5a361b1378c7b9f635e72ffdfba4d59acd17341caba480a5271237a37d40d8eb03a6ca7f3c38e73ce87a15b682d434ffa0a7f96dd6355e286d8213a80518c493

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.ASM-WindowsDefault.json

Filesize
143KB

MD5
fe9f7b7fd16a326e40b72f2424bb9f13

SHA1
a3f40de8864d051cec6d1561192233e3a4b54463

SHA256
3512d316332ebd399244d3fb8a0445c0d8e6be9d37d3052cdf0dc80d2bb77a0b

SHA512
86756198db0909080eb2a6a3b5eefcabaeb59aa10db0189459af59f04c2e24fca322875c045adebc3f1c597d468c9dc71d9ff6dce916b1f891b8c3e16af7c132

Download Submit
C:\ProgramData\{DFE614B1-1B05-F404-C372-1D93E0034A80}\telemetry.P-Eco3PTelDefault.json

Filesize
57B

MD5
b658c06c14ff523bce634e14236c9441

SHA1
aa15105fc5cbee478303c5a1d8814a88197573be

SHA256
29633ff726d1c72f895545fd97d546035e7045a046b3d2888ff0950e67b8eb82

SHA512
3326a97db218aa09814e80317c1150f8a6808e8b6aab07af27c8126688b30964cc85936940d310c1d4d6190c49eaa01ee51d598775ec8c156676bbfd53f8f4cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\Qsedeqtedeooeo.tmp

Filesize
797KB

MD5
24925b25552a7d8f1d3292071e545920

SHA1
f786e1d40df30f6fed0301d60c823b655f2d6eac

SHA256
9931503a3ab908d2840dae6a7cb77a5abc5e77cc67af405d1329b7dfc3fe800b

SHA512
242dbf94b06e67fdf0aac29b2f38ce4929d156c42e2413565f203cda1fdb6458e34b26eeb0151fe4f1914432be28b16d648affa63f20c7b480c54e2d9360fb26

Download Submit
\??\c:\program files (x86)\windowspowershell\modules\a12_spinner.dll

Filesize
797KB

MD5
e3cd84b47ea48415041634b89fa03347

SHA1
e4dee6ffb3fcca7c2665198838d54fc81b5c8422

SHA256
596565dbbc4e7c29c4908fc6f01571a07a46b59e882b41e369e0c87fa38931b1

SHA512
bea53db42e5d889afe3b61950e84b4e45d6c2777250ae369e37bb9ead879297960a20d7602c2ec82329ba7e98f3bba62b83f6d4869ac4ee67f6740ff285e163d

Download Submit
memory/2240-140-0x0000000005030000-0x0000000005170000-memory.dmp

Filesize
1.2MB

Download
memory/2240-132-0x0000000000000000-mapping.dmp

Download
memory/2240-144-0x0000000005030000-0x0000000005170000-memory.dmp

Filesize
1.2MB

Download
memory/2240-149-0x00000000050A9000-0x00000000050AB000-memory.dmp

Filesize
8KB

Download
memory/2240-138-0x00000000062E0000-0x0000000006A05000-memory.dmp

Filesize
7.1MB

Download
memory/2240-139-0x00000000062E0000-0x0000000006A05000-memory.dmp

Filesize
7.1MB

Download
memory/2240-152-0x00000000062E0000-0x0000000006A05000-memory.dmp

Filesize
7.1MB

Download
memory/2240-145-0x0000000005030000-0x0000000005170000-memory.dmp

Filesize
1.2MB

Download
memory/2240-143-0x0000000005030000-0x0000000005170000-memory.dmp

Filesize
1.2MB

Download
memory/2240-142-0x0000000005030000-0x0000000005170000-memory.dmp

Filesize
1.2MB

Download
memory/2240-141-0x0000000005030000-0x0000000005170000-memory.dmp

Filesize
1.2MB

Download
memory/2552-168-0x0000000000000000-mapping.dmp

Download
memory/2748-169-0x0000000000000000-mapping.dmp

Download
memory/3540-151-0x000002A32F5A0000-0x000002A32F7CA000-memory.dmp

Filesize
2.2MB

Download
memory/3540-148-0x000002A32F420000-0x000002A32F560000-memory.dmp

Filesize
1.2MB

Download
memory/3540-146-0x00007FF738BE6890-mapping.dmp

Download
memory/3540-150-0x0000000000130000-0x0000000000349000-memory.dmp

Filesize
2.1MB

Download
memory/3540-147-0x000002A32F420000-0x000002A32F560000-memory.dmp

Filesize
1.2MB

Download
memory/4180-156-0x00000000030C0000-0x00000000037E5000-memory.dmp

Filesize
7.1MB

Download
memory/4180-165-0x00000000030C0000-0x00000000037E5000-memory.dmp

Filesize
7.1MB

Download
memory/4180-170-0x00000000030C0000-0x00000000037E5000-memory.dmp

Filesize
7.1MB

Download
memory/4600-137-0x0000000000400000-0x000000000053E000-memory.dmp

Filesize
1.2MB

Download
memory/4600-136-0x0000000002310000-0x0000000002440000-memory.dmp

Filesize
1.2MB

Download
memory/4600-135-0x000000000219B000-0x000000000228A000-memory.dmp

Filesize
956KB

Download
memory/4736-162-0x0000000000000000-mapping.dmp

Download
memory/4736-167-0x0000000004450000-0x0000000004B75000-memory.dmp

Filesize
7.1MB

Download
memory/4736-166-0x0000000004450000-0x0000000004B75000-memory.dmp

Filesize
7.1MB

Download