Analysis

  • max time kernel
    143s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20/12/2022, 14:20

General

  • Target

    baf04deceb528bfb0e9026ea59cc0e990d6fb801a543de52ae06adec8c25461d.dll

  • Size

    6.0MB

  • MD5

    89a5990fa68c0a5e6e37abfefa644a9e

  • SHA1

    4117d473ae5cd47d6645ede338232ab7f1bd8cd1

  • SHA256

    baf04deceb528bfb0e9026ea59cc0e990d6fb801a543de52ae06adec8c25461d

  • SHA512

    e29d90b7e7f14b06c2378bc1547c8b26f6d9c009ddd4139527ff22fa3f3de11bc8388f0c6e1ca90f0f904d78b408acc03248a7ced4517681480ff480c9544966

  • SSDEEP

    98304:6gneR9kp4C6i07BHQvWaUbNWQ4QlotB99GBRngd42LEeVSP4+V:6xq4C69pQxG7nOfl+

Score
10/10

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 27 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\baf04deceb528bfb0e9026ea59cc0e990d6fb801a543de52ae06adec8c25461d.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5000
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\baf04deceb528bfb0e9026ea59cc0e990d6fb801a543de52ae06adec8c25461d.dll,#1
      2⤵
      • Checks processor information in registry
      PID:5080
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 5080 -s 976
        3⤵
        • Program crash
        PID:1520
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 5080 -ip 5080
    1⤵
      PID:2648

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/5080-133-0x0000000002320000-0x0000000002A45000-memory.dmp

      Filesize

      7.1MB

    • memory/5080-134-0x0000000002321000-0x000000000283B000-memory.dmp

      Filesize

      5.1MB