Analysis
- max time kernel: 136s
- max time network: 150s
- platform: windows7_x64
- resource: win7-20220901-en
- resource tags: arch:x64, arch:x86, image:win7-20220901-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2023 14:52
- Static task: static1
- Behavioral task: behavioral1
- Sample: cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab.vbs
- Resource: win7-20220901-en
General
- Target: cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab.vbs
- Size: 1.4MB
- MD5: bdf665a8c154813acbc9248b04632439
- SHA1: 7f0735dd37f0be3b6ef62decf063449cebcff237
- SHA256: cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab
- SHA512: a3ae986efd8a2f7a85b90c2869e8995f18b581b995746e3e660b3fa030c934372158bc9c12b080de0c3fb486d809f5a5e8b0c9ae4ac1e91c04c056373dbc6385
- SSDEEP: 12288:ZYinvW0+d/iOPxhiSw2iv+3BFShNHd0ALmw+5ERQa+mTNLEpD:ZYiOR/iOPxKlvULShtd0ASE8
Malware Config
- Extracted: danabot
Signatures
- Danabot x86 payload (3 IoCs)
  Detection of Danabot x86 payload, mapped in memory during the execution of its loader.
  Processes:
    resource                                                 yara_rule
    C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX   family_danabot
    \Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX     family_danabot
    \Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX     family_danabot
- Blocklisted process makes network request (7 IoCs)
  Processes:
    flow  pid  process
    1     900  rundll32.exe
    2     900  rundll32.exe
    4     900  rundll32.exe
    5     900  rundll32.exe
    6     900  rundll32.exe
    7     900  rundll32.exe
    8     900  rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
    pid  process
    824  regsvr32.exe
    900  rundll32.exe
- Suspicious behavior: EnumeratesProcesses (16 IoCs)
  Processes:
    pid  process       entries
    824  regsvr32.exe  8
    900  rundll32.exe  8
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (each entry reads "PID <source> wrote to memory of <target>"):
    source pid  source process  target pid  target process  entries
    1352        WScript.exe     1324        regsvr32.exe    5
    1324        regsvr32.exe    824         regsvr32.exe    7
    824         regsvr32.exe    900         rundll32.exe    7
Processes
1. C:\Windows\System32\WScript.exe
   Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\cb0fb16a8600ed4d7cc0e2e799ee2d387336ac4396e81c400900d822003c85ab.vbs"
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\regsvr32.exe
      Command line: regsvr32.exe -s C:\Users\Admin\AppData\Local\Temp\\iRkuPrJLysX.dllxCQIX
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\regsvr32.exe
         Command line: -s C:\Users\Admin\AppData\Local\Temp\\iRkuPrJLysX.dllxCQIX
         - Loads dropped DLL
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\rundll32.exe
            Command line: C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX,f0
            - Blocklisted process makes network request
            - Loads dropped DLL
            - Suspicious behavior: EnumeratesProcesses
Downloads
- C:\Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX
  Filesize: 456KB
  MD5: 91eefb993eec684763a77369024b5e60
  SHA1: d1c22a4aa01542e4688fbfad5790c77a3dc29605
  SHA256: 9f6cd0001edfce28667b965bbd74d453231eff8b8f7bb54d55cf454a83d01cd0
  SHA512: 947b33faccf7e97e781593e2646dfaadd769dca5e5527fa92430af2c391cf298845fd01da07985757c9dcfc435ae50b0a33012979c9071711eca007c09d15b3e
- \Users\Admin\AppData\Local\Temp\iRkuPrJLysX.dllxCQIX
  Filesize: 456KB
  MD5: 91eefb993eec684763a77369024b5e60
  SHA1: d1c22a4aa01542e4688fbfad5790c77a3dc29605
  SHA256: 9f6cd0001edfce28667b965bbd74d453231eff8b8f7bb54d55cf454a83d01cd0
  SHA512: 947b33faccf7e97e781593e2646dfaadd769dca5e5527fa92430af2c391cf298845fd01da07985757c9dcfc435ae50b0a33012979c9071711eca007c09d15b3e
- memory/824-57-0x0000000000000000-mapping.dmp
- memory/824-58-0x0000000075B51000-0x0000000075B53000-memory.dmp
  Filesize: 8KB
- memory/900-61-0x0000000000000000-mapping.dmp
- memory/900-64-0x00000000006C0000-0x000000000073F000-memory.dmp
  Filesize: 508KB
- memory/1324-54-0x0000000000000000-mapping.dmp
- memory/1324-55-0x000007FEFB5E1000-0x000007FEFB5E3000-memory.dmp
  Filesize: 8KB