Analysis
- max time kernel: 47s
- max time network: 52s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 20/12/2022, 14:20
Static task: static1
Behavioral task: behavioral1
- Sample: bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
- Resource: win7-20220901-en
General
- Target: bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
- Size: 4.4MB
- MD5: 3d088c318806bbf9a789218e492adb25
- SHA1: d66eb99a636a285e3dbf884e83871f53879f15aa
- SHA256: bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49
- SHA512: 26d0b9bb11ca91f2d6559c0aebbb9f57c782dcb3ac3f9a6b2b6b0973d05948a9515cbf1b25366ccb3ab54fddc48921b90abac3afc2e59a4c85c65af9f6db6025
- SSDEEP: 98304:TYq2KV9A9Ms9N6+ISkiSfWnJsi4lK7RB1/EU2U6Uu:eKV9C37keJMKL1/Rs
Malware Config
Extracted: danabot
- 49.0.50.0:57
- 51.0.52.0:0
- 53.0.54.0:1200
- 55.0.56.0:65535
- type: loader
Signatures
-
Executes dropped EXE (1 IoC)
pid | Process
1188 | Yystuqewt.exe
-
Loads dropped DLL (2 IoCs)
pid | Process
1380 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
1380 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
pid | Process
812 | chrome.exe
-
Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 1380 set thread context of 576 | 1380 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe | 28
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1236 | 576 | WerFault.exe | 28
-
Checks processor information in registry (2 TTPs, 45 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Signature | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
-
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
576 | rundll32.exe
812 | chrome.exe
812 | chrome.exe
1552 | chrome.exe
-
Suspicious use of AdjustPrivilegeToken (1 IoC)
description | pid | Process
Token: SeDebugPrivilege | 1188 | Yystuqewt.exe
-
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
1188 | Yystuqewt.exe
812 | chrome.exe
-
Suspicious use of SendNotifyMessage (1 IoC)
pid | Process
1188 | Yystuqewt.exe
-
Suspicious use of SetWindowsHookEx (1 IoC)
pid | Process
812 | chrome.exe
-
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, repetition count in parentheses)
description | pid | Process | procid_target
PID 1380 wrote to memory of 1188 | 1380 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe | 27 (4 rows)
PID 1380 wrote to memory of 576 | 1380 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe | 28 (8 rows)
PID 812 wrote to memory of 1804 | 812 | chrome.exe | 30 (3 rows)
PID 812 wrote to memory of 1424 | 812 | chrome.exe | 31 (41 rows)
PID 576 wrote to memory of 1236 | 576 | rundll32.exe | 34 (4 rows)
PID 812 wrote to memory of 1552 | 812 | chrome.exe | 32 (3 rows)
PID 812 wrote to memory of 752 | 812 | chrome.exe | 33 (1 row)
Processes
- C:\Users\Admin\AppData\Local\Temp\bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe"
  PID: 1380
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Yystuqewt.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Yystuqewt.exe"
    PID: 1188
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Windows\syswow64\rundll32.exe
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    PID: 576
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 576 -s 616
      PID: 1236
      - Program crash
- C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  PID: 812
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefacb4f50,0x7fefacb4f60,0x7fefacb4f70
    PID: 1804
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1052,17645279348794401848,6097382304926481890,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1060 /prefetch:2
    PID: 1424
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1052,17645279348794401848,6097382304926481890,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1532 /prefetch:8
    PID: 1552
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files\Google\Chrome\Application\chrome.exe
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1052,17645279348794401848,6097382304926481890,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1852 /prefetch:8
    PID: 752
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 1.2MB
  MD5: 1620dabc5dc8ff0c18497a0e60bcacfb
  SHA1: f90061876eb844fefc9de8fdccf963b66066a7e5
  SHA256: 5b642f72bdb6f420d87669c20fd94f879da22e30a04620b3e9faaf755b1a201b
  SHA512: 355e9b01e4b09029d813cfcbdf6fea814130e21e65d4496d4a098034d66a0b1eb428a8183dc6e0e5c422e8d2d51ec2e0807f3345137e51ac591b4331f6c2d91a