Analysis
max time kernel: 91s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/12/2022, 14:23
Static task: static1
Behavioral task: behavioral1
Sample: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
Resource: win7-20220812-en
General
Target: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe
Size: 5.7MB
MD5: 216bbaf75caf5bbb9ff3bf4e9c022a36
SHA1: f080f91bd0e96ebb28a5da981b4a2876ce9eccea
SHA256: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1
SHA512: 7c5c3670dfc4f84330df9ec382bf7b7ec8e2436d053d75afd25b6328aeddbe886c4d5eb7eb986ef86136171104ee3bb5334eeca0a44edf6d5de78e5296303831
SSDEEP: 98304:PHbIvLebqBxxiTkNj0iJpZcPhlusOhxH97mVXzk28p/kw9fYSNaHUGaeEyc/UhU:vbIdxGkLvklusOhxd4zk209fYSNPGFcL
Malware Config
Extracted: danabot
- 49.0.50.0:57
- 51.0.52.0:0
- 53.0.54.0:1200
- 55.0.56.0:65535
type: loader
Signatures
- Executes dropped EXE (1 IoC)
  pid 60, Process Eewfhetyyyrtfpd.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Control Panel\International\Geo\Nation (Process: b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  pid 4724, Process chrome.exe
- Suspicious use of SetThreadContext (1 IoC)
  PID 2700 set thread context of 1392 (pid 2700, Process b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe, procid_target 82)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoC)
  pid 4480, pid_target 4724, Process WerFault.exe, procid_target 83
- Checks processor information in registry (2 TTPs, 43 IoCs)
  Processor information is often read in order to detect sandboxing environments.
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (Process: chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (Process: chrome.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (Process: chrome.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\Local Settings (Process: rundll32.exe)
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid 1392 rundll32.exe; pid 1392 rundll32.exe; pid 2916 chrome.exe; pid 2916 chrome.exe; pid 4724 chrome.exe; pid 4724 chrome.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege (pid 60, Process Eewfhetyyyrtfpd.exe)
- Suspicious use of FindShellTrayWindow (3 IoCs)
  pid 60 Eewfhetyyyrtfpd.exe; pid 1392 rundll32.exe; pid 4724 chrome.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  pid 60, Process Eewfhetyyyrtfpd.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid 4724, Process chrome.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes
C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe (PID 2700)
  Command line: "C:\Users\Admin\AppData\Local\Temp\b20cd935421cd4cd45a193853144bf1432e8f861816687aee30ecce9e42a19f1.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Checks processor information in registry
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe (PID 60)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Eewfhetyyyrtfpd.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  C:\Windows\SysWOW64\rundll32.exe (PID 1392)
    Command line: "C:\Windows\syswow64\rundll32.exe" "C:\Windows\syswow64\shell32.dll",#61
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4724)
  Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-first-run --no-default-browser-check --silent-launch --disable-backgrounding-occluded-windows --disable-background-timer-throttling --ran-launcher --profile-directory="Default"
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 4392)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff850104f50,0x7ff850104f60,0x7ff850104f70
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 3296)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1636,17882633032625635754,18031604627809544232,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1700 /prefetch:2
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 2916)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,17882633032625635754,18031604627809544232,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1888 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  C:\Program Files\Google\Chrome\Application\chrome.exe (PID 428)
    Command line: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,17882633032625635754,18031604627809544232,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2356 /prefetch:8
  C:\Windows\system32\WerFault.exe (PID 4480)
    Command line: C:\Windows\system32\WerFault.exe -u -p 4724 -s 3604
    - Program crash
C:\Windows\System32\CompPkgSrv.exe (PID 880)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\system32\WerFault.exe (PID 5076)
  Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 4724 -ip 4724
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 2.4MB
  MD5: e7053575255acd45d4213d866123dbaf
  SHA1: 95fa5a2178eb1dd6a445685b3ab2905c11045d0c
  SHA256: 794be0b98421623959185a060092be697fa695a73268ab8a46c7ab12655df62b
  SHA512: e934ae1bb4cef1e71cf1905655bcb5979f8f70944817de88204d8bebf3a36300b7b282d0bd711cc41ae5e69f91b6e14576b7a8098ee283d29bdb451d98238401