Analysis

  • max time kernel
    91s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20/12/2022, 14:23

General

  • Target

    b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe

  • Size

    5.7MB

  • MD5

    216bbaf75caf5bbb9ff3bf4e9c022a36

  • SHA1

    f080f91bd0e96ebb28a5da981b4a2876ce9eccea

  • SHA256

    b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1

  • SHA512

    7c5c3670dfc4f84330df9ec382bf7b7ec8e2436d053d75afd25b6328aeddbe886c4d5eb7eb986ef86136171104ee3bb5334eeca0a44edf6d5de78e5296303831

  • SSDEEP

    98304:PHbIvLebqBxxiTkNj0iJpZcPhlusOhxH97mVXzk28p/kw9fYSNaHUGaeEyc/UhU:vbIdxGkLvklusOhxd4zk209fYSNPGFcL

Score
10/10

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Verify these four entries before using them as network IoCs: port 0 is not a usable destination port, port 65535 is an unlikely choice for a live service, and the addresses step by exactly two in the first and third octets with zeros in the second and fourth. That regularity is more typical of a configuration structure read at the wrong offset than of real infrastructure.

Attributes
  • type

    loader
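Added example (not part of this sandbox report or its vendor's tooling): a plausibility check an analyst can run over extracted C2 entries before pushing them to a blocklist. The input list is copied from the config above; the port and zero-octet rules and the "constant step across entries" heuristic are assumptions of this example, not rules the sandbox applies.

```python
import ipaddress

# Constructed input: the four C2 entries from the extracted config above.
C2_ENTRIES = [
    "49.0.50.0:57",
    "51.0.52.0:0",
    "53.0.54.0:1200",
    "55.0.56.0:65535",
]


def parse_entry(entry):
    """Split 'host:port' into (ip_address, int port); raise on malformed input."""
    host, sep, port_s = entry.rpartition(":")
    if not sep or not port_s.isdigit():
        raise ValueError(f"malformed C2 entry: {entry!r}")
    return ipaddress.ip_address(host), int(port_s)


def check_entry(entry):
    """Return the reasons this single entry looks unreliable (empty list if none).

    The thresholds are heuristics chosen for this example (assumption)."""
    addr, port = parse_entry(entry)
    problems = []
    if port == 0:
        problems.append("port 0 is not a usable destination port")
    elif port == 65535:
        problems.append("port 65535 is the maximum value and rarely used by a real service")
    elif port > 65535:
        problems.append("port does not fit in 16 bits")
    if not addr.is_global:
        problems.append(f"{addr} is not globally routable")
    # Two or more zero octets in an IPv4 address often means padding bytes of a
    # struct were interpreted as an address (heuristic).
    if addr.version == 4 and addr.packed.count(0) >= 2:
        problems.append("two or more zero octets, typical of padding read as an address")
    return problems


def octets_progress_arithmetically(entries):
    """True if, at every octet position, values across entries step by one constant.

    Assumption (heuristic): genuine C2 lists are not laid out this regularly, so a
    constant step usually means the extractor walked a structure at the wrong offset."""
    addrs = [parse_entry(e)[0].packed for e in entries]
    if len(addrs) < 3:
        return False
    for pos in range(4):
        column = [a[pos] for a in addrs]
        steps = {later - earlier for earlier, later in zip(column, column[1:])}
        if len(steps) != 1:
            return False
    return True


def triage_c2(entries):
    """Per-entry findings plus list-wide findings under the '_set' key."""
    report = {e: check_entry(e) for e in entries}
    report["_set"] = []
    if octets_progress_arithmetically(entries):
        report["_set"].append("octets step by a constant across entries; likely a misparsed config structure")
    return report


def usable_entries(entries):
    """Entries with no findings; nothing at all if the whole set looks misparsed."""
    report = triage_c2(entries)
    if report["_set"]:
        return []
    return [e for e in entries if not report[e]]


if __name__ == "__main__":
    for entry, findings in triage_c2(C2_ENTRIES).items():
        print(entry, "->", findings or "ok")
    print("usable:", usable_entries(C2_ENTRIES))
```

For the list above every entry is flagged individually and the set-wide check also fires, so nothing survives into the blocklist; a clean entry such as a routable address with a conventional port passes all checks.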

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware. The configuration extracted from this sample identifies it as the loader component.

  • Executes dropped EXE 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs (raised on chrome.exe, PID 4724, not on the sample)
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). The sandbox labels this as likely ransomware behaviour, but the signature is generic: drive enumeration alone does not establish encryption, and this report records no file-encryption activity for a sample classified as a Danabot loader.

  • Program crash 1 IoCs (WerFault for chrome.exe, PID 4724, not for the sample)
  • Checks processor information in registry 2 TTPs 43 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
    "C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of SetThreadContext
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2700
    • C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe
      "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:60
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      PID:1392
  • C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
    1⤵
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850104f50,0x7ff850104f60,0x7ff850104f70
      2⤵
      PID:4392
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,17882633032625635754,18031604627809544232,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
      2⤵
      PID:3296
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,17882633032625635754,18031604627809544232,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1888 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2916
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,17882633032625635754,18031604627809544232,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:8
      2⤵
      PID:428
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4724 -s 3604
      2⤵
      • Program crash
      PID:4480
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:880
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 460 -p 4724 -ip 4724
    1⤵
    PID:5076

Three roots appear in this tree, and only the first belongs to the sample. chrome.exe (PID 4724) with its helper processes and CompPkgSrv.exe are separate trees, and both WerFault invocations name -p 4724, so the crash and the browser's other signatures describe the browser, not the sample. Within the sample's tree, PID 2700 combines SetThreadContext with WriteProcessMemory and has a rundll32.exe child (PID 1392) that is given only a shell32.dll ordinal as its argument; that combination is consistent with the parent writing its unpacked payload into rundll32.exe rather than rundll32.exe doing useful work of its own.

Network

MITRE ATT&CK Enterprise v6

Downloads

• C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe
  Filesize 2.4MB
  MD5 e7053575255acd45d4213d866123dbaf
  SHA1 95fa5a2178eb1dd6a445685b3ab2905c11045d0c
  SHA256 794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
  SHA512 e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401

Memory dumps, grouped by process (region size in parentheses):

PID 2700 (the sample)
• memory/2700-135-0x0000000006580000-0x0000000006CA5000-memory.dmp (7.1MB)
• memory/2700-136-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-137-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-138-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-139-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-140-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-141-0x0000000006580000-0x0000000006CA5000-memory.dmp (7.1MB)
• memory/2700-142-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-143-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-144-0x0000000006F00000-0x0000000007040000-memory.dmp (1.2MB)
• memory/2700-154-0x0000000006580000-0x0000000006CA5000-memory.dmp (7.1MB)

PID 1392 (rundll32.exe)
• memory/1392-146-0x0000000002840000-0x0000000002F65000-memory.dmp (7.1MB)
• memory/1392-147-0x0000000002FB0000-0x00000000030F0000-memory.dmp (1.2MB)
• memory/1392-148-0x0000000002FB0000-0x00000000030F0000-memory.dmp (1.2MB)
• memory/1392-149-0x0000000000A90000-0x0000000001095000-memory.dmp (6.0MB)
• memory/1392-150-0x0000000002FB0000-0x00000000030F0000-memory.dmp (1.2MB)
• memory/1392-151-0x0000000002840000-0x0000000002F65000-memory.dmp (7.1MB)
• memory/1392-152-0x0000000002FB0000-0x00000000030F0000-memory.dmp (1.2MB)
• memory/1392-153-0x0000000002840000-0x0000000002F65000-memory.dmp (7.1MB)

Only two distinct regions were dumped from PID 2700, 0x6580000-0x6CA5000 (0x725000 bytes, 7.1MB) and 0x6F00000-0x7040000 (0x140000 bytes, 1.2MB), and regions of exactly those two sizes reappear at different bases in rundll32.exe PID 1392. Identical region sizes in a parent that calls WriteProcessMemory and SetThreadContext and in its child are the usual footprint of process injection; the 6.0MB region at 0xA90000 in PID 1392 has no counterpart in the parent. Confirm by checking whether the 7.1MB dump from PID 1392 begins with a PE header before treating it as the unpacked payload.
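Added example (not part of this sandbox report or its vendor's tooling): a script that parses memory-dump names in the format listed above, collapses repeated dumps of the same region, and reports region sizes shared between a suspected injecting process and its child. The input is a constructed subset of the names above; treating a shared size as an injection hint is this example's heuristic, to be confirmed against the dump contents.

```python
import re
from collections import defaultdict

# Constructed input: a subset of the memory-dump names listed above (two of the
# PID 2700 entries deliberately repeat the same region, as in the report).
DUMP_NAMES = """
memory/2700-135-0x0000000006580000-0x0000000006CA5000-memory.dmp
memory/2700-136-0x0000000006F00000-0x0000000007040000-memory.dmp
memory/2700-154-0x0000000006580000-0x0000000006CA5000-memory.dmp
memory/1392-146-0x0000000002840000-0x0000000002F65000-memory.dmp
memory/1392-147-0x0000000002FB0000-0x00000000030F0000-memory.dmp
memory/1392-149-0x0000000000A90000-0x0000000001095000-memory.dmp
"""

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp"
)
MIB = 1024 * 1024


def parse_dump_names(text):
    """Map pid -> set of (start, end) regions; repeated dumps of one region collapse."""
    regions = defaultdict(set)
    for m in DUMP_RE.finditer(text):
        start, end = int(m["start"], 16), int(m["end"], 16)
        if end <= start:
            raise ValueError(f"bad region in {m.group(0)}")
        regions[int(m["pid"])].add((start, end))
    return dict(regions)


def size_label(nbytes):
    """Size string in the report's style: truncated to one decimal, e.g. 0x725000 -> '7.1MB'."""
    return f"{nbytes * 10 // MIB / 10:.1f}MB"


def region_sizes(regions, pid):
    """Distinct region sizes (in bytes) dumped from one process."""
    return {end - start for start, end in regions.get(pid, ())}


def shared_region_sizes(regions, writer_pid, target_pid):
    """Sizes present in both processes, ascending.

    Heuristic (assumption of this example): a region of identical size in a parent that
    calls WriteProcessMemory/SetThreadContext and in its child points at injection."""
    return sorted(region_sizes(regions, writer_pid) & region_sizes(regions, target_pid))


def injection_report(text, writer_pid, target_pid):
    """Summarise shared and child-only regions for two PIDs as plain strings."""
    regions = parse_dump_names(text)
    shared = shared_region_sizes(regions, writer_pid, target_pid)
    lines = []
    for size in shared:
        src = ", ".join(f"0x{s:X}" for s, e in sorted(regions[writer_pid]) if e - s == size)
        dst = ", ".join(f"0x{s:X}" for s, e in sorted(regions[target_pid]) if e - s == size)
        lines.append(f"{size_label(size)} (0x{size:X} bytes): pid {writer_pid} @ {src} -> pid {target_pid} @ {dst}")
    target_only = sorted(s for s in region_sizes(regions, target_pid) if s not in shared)
    return {"shared_sizes": shared, "target_only_sizes": target_only, "lines": lines}


if __name__ == "__main__":
    report = injection_report(DUMP_NAMES, 2700, 1392)
    print("\n".join(report["lines"]))
    print("child-only sizes:", [size_label(s) for s in report["target_only_sizes"]])
```

Run against the names above it reports the 1.2MB and 7.1MB regions as shared between PID 2700 and PID 1392 and the 6.0MB region as present only in the child. A shared size can still be coincidental (a DLL mapped in both processes would match too), so the next step is to open the child's 7.1MB dump and look for a PE header at offset 0.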