Analysis

max time kernel: 178s
max time network: 188s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 08:25

Static task: static1
Behavioral task: behavioral1
Sample: 11e11143ef5713077396f32f3fafd109.exe
Resource: win7-20231129-en
General

Target: 11e11143ef5713077396f32f3fafd109.exe
Size: 1.2MB
MD5: 11e11143ef5713077396f32f3fafd109
SHA1: d2d8950d848129ab460439d3e4a0615f5f2d10c3
SHA256: 0d6b46f8c96f69555ad79d7fdfd91c2eb24e3baa5b89dea1b3a024f28cb40be7
SHA512: 92afb5046efb98ea7d930132481226eb8ad6250b363d670450c0e972e1253a59d958df7a4fffb99d20017bae4246b5a86fa03bf9865a2da155e1d03e9bbb3fc9
SSDEEP: 24576:NLmxtn8xbSdKS1c6x62DAHzisGqQLlrwAta5Hsr8Ft5M6:Nw8xbEdx6sH9LlUAtaRnn
Malware Config

Extracted: danabot
4
C2:
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (10 IoCs)
resource | yara_rule
behavioral2/files/0x0007000000023242-6.dat | DanabotLoader2021
behavioral2/memory/4628-10-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-18-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-19-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-20-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-21-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-22-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-23-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-24-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021
behavioral2/memory/4628-25-0x0000000000400000-0x000000000055F000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoCs)
Processes: rundll32.exe
flow | pid | Process
90 | 4628 | rundll32.exe

Loads dropped DLL (1 IoCs)
Processes: rundll32.exe
pid | Process
4628 | rundll32.exe

Program crash (1 IoCs)
Processes: WerFault.exe
pid | pid_target | Process | procid_target
4776 | 2332 | WerFault.exe | 87

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 11e11143ef5713077396f32f3fafd109.exe
description | pid | Process | procid_target
PID 2332 wrote to memory of 4628 | 2332 | 11e11143ef5713077396f32f3fafd109.exe | 93
PID 2332 wrote to memory of 4628 | 2332 | 11e11143ef5713077396f32f3fafd109.exe | 93
PID 2332 wrote to memory of 4628 | 2332 | 11e11143ef5713077396f32f3fafd109.exe | 93
Processes

C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2332

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP,S C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 4628

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2332 -s 508
    - Program crash
    PID: 4776

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 2332 -ip 2332
  PID: 4552
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.3MB
MD5: 219e20b69d099cab64444334e0874da8
SHA1: b3ea46e786a2826f4c01c807fee22934aeeb5c7b
SHA256: d50cbc7b8894f96af15f5e150bac2b7e74346dda50e9cd88ede07b56042e35a4
SHA512: 063a4105306c1eb8c0a4ab46f0c2788ba1419da0fab62e44520c972b5c1b0ff17b1233e8f61a46c5520d42ae184253ec8b716ae2ba7e2f05f423a2f6233221bb