Analysis

max time kernel: 91s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/12/2022, 14:20
Static task: static1
Behavioral task: behavioral1
Sample: bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Resource: win7-20220901-en
General

Target: bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Size: 4.4MB
MD5: 3d088c318806bbf9a789218e492adb25
SHA1: d66eb99a636a285e3dbf884e83871f53879f15aa
SHA256: bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49
SHA512: 26d0b9bb11ca91f2d6559c0aebbb9f57c782dcb3ac3f9a6b2b6b0973d05948a9515cbf1b25366ccb3ab54fddc48921b90abac3afc2e59a4c85c65af9f6db6025
SSDEEP: 98304:TYq2KV9A9Ms9N6+ISkiSfWnJsi4lK7RB1/EU2U6Uu:eKV9C37keJMKL1/Rs
Malware Config

Extracted: danabot
- 49.0.50.0:57
- 51.0.52.0:0
- 53.0.54.0:1200
- 55.0.56.0:65535
type: loader
Signatures

Executes dropped EXE (1 IoCs)
pid | Process
4284 | Yystuqewt.exe

Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoCs)
pid | Process
4772 | chrome.exe

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 2112 set thread context of 5016 | 2112 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe | 85

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
2816 | 4772 | WerFault.exe | 83

Checks processor information in registry (2 TTPs, 45 IoCs)
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | rundll32.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform Specific Field 1 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform Specific Field 1 | rundll32.exe
Key value enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key enumerated | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Revision | rundll32.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data | rundll32.exe

Enumerates system info in registry (2 TTPs, 3 IoCs)
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | chrome.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | chrome.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | chrome.exe

Modifies registry class (1 IoCs)
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings | rundll32.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
pid | Process
5016 | rundll32.exe
5016 | rundll32.exe
2468 | chrome.exe
2468 | chrome.exe
4772 | chrome.exe
4772 | chrome.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4284 | Yystuqewt.exe

Suspicious use of FindShellTrayWindow (3 IoCs)
pid | Process
4284 | Yystuqewt.exe
5016 | rundll32.exe
4772 | chrome.exe

Suspicious use of SendNotifyMessage (1 IoCs)
pid | Process
4284 | Yystuqewt.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
4772 | chrome.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | identical rows
PID 2112 wrote to memory of 4284 | 2112 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe | 82 | 3
PID 4772 wrote to memory of 4380 | 4772 | chrome.exe | 84 | 2
PID 2112 wrote to memory of 5016 | 2112 | bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe | 85 | 4
PID 4772 wrote to memory of 1324 | 4772 | chrome.exe | 89 | 40
PID 4772 wrote to memory of 2468 | 4772 | chrome.exe | 87 | 2
PID 4772 wrote to memory of 5076 | 4772 | chrome.exe | 88 | 13
Processes

C:\Users\Admin\AppData\Local\Temp\bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bfefb9e23594e49561ddcd7bc273b083004963e5a4973ea3f41355e627a8ac49.exe"
  PID: 2112
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\Yystuqewt.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Yystuqewt.exe"
      PID: 4284
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SendNotifyMessage

    C:\Windows\SysWOW64\rundll32.exe
      Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      PID: 5016
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of FindShellTrayWindow

C:\Program Files\Google\Chrome\Application\chrome.exe
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  PID: 4772
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff831654f50,0x7ff831654f60,0x7ff831654f70
      PID: 4380

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,1212604991987128687,7976288432983271574,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1908 /prefetch:8
      PID: 2468
      - Suspicious behavior: EnumeratesProcesses

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1632,1212604991987128687,7976288432983271574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2344 /prefetch:8
      PID: 5076

    C:\Program Files\Google\Chrome\Application\chrome.exe
      Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1632,1212604991987128687,7976288432983271574,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1640 /prefetch:2
      PID: 1324

    C:\Windows\system32\WerFault.exe
      Command line: C:\Windows\system32\WerFault.exe -u -p 4772 -s 3636
      PID: 2816
      - Program crash

C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 4952

C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 360 -p 4772 -ip 4772
  PID: 4940
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1.2MB
MD5: 1620dabc5dc8ff0c18497a0e60bcacfb
SHA1: f90061876eb844fefc9de8fdccf963b66066a7e5
SHA256: 5b642f72bdb6f420d87669c20fd94f879da22e30a04620b3e9faaf755b1a201b
SHA512: 355e9b01e4b09029d813cfcbdf6fea814130e21e65d4496d4a098034d66a0b1eb428a8183dc6e0e5c422e8d2d51ec2e0807f3345137e51ac591b4331f6c2d91a