Analysis
-
max time kernel
172s -
max time network
92s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
21-03-2023 14:34
Static task
static1
Behavioral task
behavioral1
Sample
3720f6761683944e9ff72e547aca0d961ae4954b5f9a4bed711231af244b3e17.dll
Resource
win7-20230220-en
General
-
Target
3720f6761683944e9ff72e547aca0d961ae4954b5f9a4bed711231af244b3e17.dll
-
Size
5.7MB
-
MD5
0532c57582e893b26a112e48ef15c3ec
-
SHA1
8649af1c6725215edddcace5a7f63f26197a77d3
-
SHA256
3720f6761683944e9ff72e547aca0d961ae4954b5f9a4bed711231af244b3e17
-
SHA512
0e402a3ea1d29f1a69f5ff77e8378a3a5e3548c18ba7a8bcf077ee722dce6d73916633a255a39eeaa4330914997e466e39062e18b8b2d232613073044f3c8276
-
SSDEEP
98304:XIqBK9rFDqAznNcGb9O4kkwB9yR85OsN+fbynAiomtSJWp:PBeJVNg4Zwvg85mfWnR/EWp
Malware Config
Extracted
danabot
1765
3
192.236.146.203:443
192.161.48.5:443
142.44.224.16:443
192.3.26.98:443
-
embedded_hash
B2585F6479280F48B64C99F950BBF36D
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 2 1924 RUNDLL32.EXE 3 1924 RUNDLL32.EXE 4 1924 RUNDLL32.EXE 5 1924 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
Processes:
RUNDLL32.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JPTKCP3O\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\CNVACXT5\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini RUNDLL32.EXE -
Checks processor information in registry 2 TTPs 25 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
RUNDLL32.EXEdescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Platform ID RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Previous Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Previous Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier RUNDLL32.EXE Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Status RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information RUNDLL32.EXE Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor RUNDLL32.EXE Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier RUNDLL32.EXE Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Platform ID RUNDLL32.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 1748 rundll32.exe Token: SeDebugPrivilege 1924 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1576 wrote to memory of 1748 1576 rundll32.exe rundll32.exe PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE PID 1748 wrote to memory of 1924 1748 rundll32.exe RUNDLL32.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3720f6761683944e9ff72e547aca0d961ae4954b5f9a4bed711231af244b3e17.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3720f6761683944e9ff72e547aca0d961ae4954b5f9a4bed711231af244b3e17.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\3720f6761683944e9ff72e547aca0d961ae4954b5f9a4bed711231af244b3e17.dll,YVoHNJ8m3⤵
- Blocklisted process makes network request
- Drops desktop.ini file(s)
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000002Filesize
50B
MD522bf0e81636b1b45051b138f48b3d148
SHA156755d203579ab356e5620ce7e85519ad69d614a
SHA256e292f241daafc3df90f3e2d339c61c6e2787a0d0739aac764e1ea9bb8544ee97
SHA512a4cf1f5c74e0df85dda8750be9070e24e19b8be15c6f22f0c234ef8423ef9ca3db22ba9ef777d64c33e8fd49fada6fcca26c1a14ba18e8472370533a1c65d8d0
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\CURRENTFilesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
C:\Users\Admin\AppData\Local\Temp\Hahkf.tmpFilesize
256B
MD5f0cb275a75f5ec583a291c8468ec80e4
SHA1ffd12d2816ba80ec4dde4a89267e95613fa40e44
SHA2562b9c3fd2a4de86be7ecc472b9c9748cd4287e47845f7235c4237db5cb1943b39
SHA512ce47062470b16f951932275105a5187d34c6323d35d0c671264654100ec0948f04b2bdd5b23d893883c7702556484076cacf01e835251b832d24ac109a5e5f4c
-
memory/1748-55-0x0000000002A20000-0x0000000003082000-memory.dmpFilesize
6.4MB
-
memory/1748-56-0x00000000030E0000-0x00000000030E1000-memory.dmpFilesize
4KB
-
memory/1748-54-0x0000000001FB0000-0x000000000256B000-memory.dmpFilesize
5.7MB
-
memory/1924-58-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-61-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-84-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-85-0x0000000001F30000-0x00000000024EB000-memory.dmpFilesize
5.7MB
-
memory/1924-87-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-88-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-60-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-117-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-118-0x00000000029C0000-0x0000000003022000-memory.dmpFilesize
6.4MB
-
memory/1924-59-0x0000000002690000-0x0000000002691000-memory.dmpFilesize
4KB
-
memory/1924-57-0x0000000001F30000-0x00000000024EB000-memory.dmpFilesize
5.7MB