Analysis

  • max time kernel
    40s
  • max time network
    44s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags
    arch:x64
    arch:x86
    image:win7-20220812-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    20/12/2022, 14:23

General

  • Target

    b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe

  • Size

    5.7MB

  • MD5

    216bbaf75caf5bbb9ff3bf4e9c022a36

  • SHA1

    f080f91bd0e96ebb28a5da981b4a2876ce9eccea

  • SHA256

    b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1

  • SHA512

    7c5c3670dfc4f84330df9ec382bf7b7ec8e2436d053d75afd25b6328aeddbe886c4d5eb7eb986ef86136171104ee3bb5334eeca0a44edf6d5de78e5296303831

  • SSDEEP

    98304:PHbIvLebqBxxiTkNj0iJpZcPhlusOhxH97mVXzk28p/kw9fYSNaHUGaeEyc/UhU:vbIdxGkLvklusOhxd4zk209fYSNPGFcL

Score
10/10

Malware Config

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Checks processor information in registry 2 TTPs 43 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
    "C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe
      "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:1968
    • C:\Windows\syswow64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:1560
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fefb694f50,0x7fefb694f60,0x7fefb694f70
      2⤵
      PID:616
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1100,7606213856199990778,17156442537818590365,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1112 /prefetch:2
      2⤵
      PID:1724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1100,7606213856199990778,17156442537818590365,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1368 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:624
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1100,7606213856199990778,17156442537818590365,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
      2⤵
      PID:956

Network

MITRE ATT&CK Enterprise v6

Downloads

        • C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe

          Filesize

          2.4MB

          MD5

          e7053575255acd45d4213d866123dbaf

          SHA1

          95fa5a2178eb1dd6a445685b3ab2905c11045d0c

          SHA256

          794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b

          SHA512

          e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

        • \Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe

          Filesize

          2.4MB

          MD5

          e7053575255acd45d4213d866123dbaf

          SHA1

          95fa5a2178eb1dd6a445685b3ab2905c11045d0c

          SHA256

          794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b

          SHA512

          e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

        • memory/1488-69-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-85-0x0000000005A00000-0x0000000006125000-memory.dmp

          Filesize

          7.1MB

        • memory/1488-61-0x0000000005A00000-0x0000000006125000-memory.dmp

          Filesize

          7.1MB

        • memory/1488-62-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-63-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-64-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-67-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-66-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-68-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-65-0x0000000006320000-0x0000000006460000-memory.dmp

          Filesize

          1.2MB

        • memory/1488-54-0x0000000076681000-0x0000000076683000-memory.dmp

          Filesize

          8KB

        • memory/1488-59-0x0000000005A00000-0x0000000006125000-memory.dmp

          Filesize

          7.1MB

        • memory/1560-70-0x0000000000730000-0x0000000000D35000-memory.dmp

          Filesize

          6.0MB

        • memory/1560-74-0x0000000002890000-0x0000000002FB5000-memory.dmp

          Filesize

          7.1MB

        • memory/1560-76-0x0000000002890000-0x0000000002FB5000-memory.dmp

          Filesize

          7.1MB

        • memory/1560-78-0x0000000002FC0000-0x0000000003100000-memory.dmp

          Filesize

          1.2MB

        • memory/1560-77-0x0000000002FC0000-0x0000000003100000-memory.dmp

          Filesize

          1.2MB

        • memory/1560-79-0x0000000000730000-0x0000000000D35000-memory.dmp

          Filesize

          6.0MB

        • memory/1560-80-0x0000000002890000-0x0000000002FB5000-memory.dmp

          Filesize

          7.1MB

        • memory/1560-82-0x0000000002FC0000-0x0000000003100000-memory.dmp

          Filesize

          1.2MB

        • memory/1560-83-0x0000000002FC0000-0x0000000003100000-memory.dmp

          Filesize

          1.2MB

        • memory/1560-84-0x0000000002890000-0x0000000002FB5000-memory.dmp

          Filesize

          7.1MB