Analysis

max time kernel: 141s
max time network: 122s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 11:54

Static task: static1
Behavioral task: behavioral1
Sample: 1c52aed4df30df05a45966183eeef3c2.exe
Resource: win7-20231215-en
General

Target: 1c52aed4df30df05a45966183eeef3c2.exe
Size: 1010KB
MD5: 1c52aed4df30df05a45966183eeef3c2
SHA1: 11f350112bdd668b11b2fb3849ef2b0c7c020bb4
SHA256: 152265b11b39688bfa5dd656dddacf87c01515f70f62aeb3b1406138a77986d5
SHA512: 7c30a710cdf9e7f7043b1e4a8a9c1af9e2c70570dd428691451f908b0f81f2f4c3c71f691a2174ba339b1b713baa3ace3f65820402a91225387923f848665ab6
SSDEEP: 24576:Tq/spU59DWkSn/enEYnXnEdI8UkY621c+9ytgYrToZmYyWa8CX:TqN9ahn/0EYnKI84621fq/AcYHg
Malware Config

Extracted: danabot
15
192.52.166.169:443
173.254.204.95:443
192.52.167.45:443
embedded_hash: D6A9A294BFDC6F13BFCC2AB0FA9B54B9
type: loader
Signatures

Danabot Loader Component (11 IoCs)
Processes:
  resource                                                                     yara_rule
  behavioral1/files/0x000e000000012247-3.dat                                   DanabotLoader2021
  behavioral1/memory/2200-5-0x00000000020F0000-0x000000000224D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2200-6-0x00000000020F0000-0x000000000224D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2200-14-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-15-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-16-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-17-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-18-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-19-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-20-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021
  behavioral1/memory/2200-21-0x00000000020F0000-0x000000000224D000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes:
  flow  pid   Process
  2     2200  rundll32.exe

Loads dropped DLL (1 IoC)
Processes:
  pid   Process
  2200  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
  description                       pid   Process                               procid_target
  PID 2436 wrote to memory of 2200  2436  1c52aed4df30df05a45966183eeef3c2.exe  28
  (the same entry is recorded 7 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\1c52aed4df30df05a45966183eeef3c2.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\1c52aed4df30df05a45966183eeef3c2.exe"
   PID: 2436
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\1C52AE~1.TMP,S C:\Users\Admin\AppData\Local\Temp\1C52AE~1.EXE
      PID: 2200
      - Blocklisted process makes network request
      - Loads dropped DLL
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.3MB
MD5: c6a1acce3f89edea61b44ecf55dbc003
SHA1: c5f07041f44922269d6b343f67683d9d343bda46
SHA256: 0abf70595efc6d1013e0edc1cc6208df3291db180a41814b367bda9b2f741441
SHA512: 1d43df1ca71689e4c56b9c6292ccf75165c0724ebc82483d65eda8d4534e15964d53dc99158172457962e2a4850f58b58509bab0d7233d5002d850cd746b1843