Analysis
max time kernel: 141s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 25-12-2023 16:12
Static task: static1
Behavioral task: behavioral1
Sample: 2c269d932b52ff71a1429e94cd020c9f.exe
Resource: win7-20231215-en
General
Target: 2c269d932b52ff71a1429e94cd020c9f.exe
Size: 1.2MB
MD5: 2c269d932b52ff71a1429e94cd020c9f
SHA1: 4de5a5fca618479c84e84f27bfdf589b692a5bea
SHA256: f231fc321d5bfd7623b731251d4231ebd317916507696795ce0a091cb8e4dead
SHA512: 4f794cc19fdb840203782351d0b5216d34e8965892b47faa322b75b0b862d8d38362da314b0cd916bd6202f5a0c577bb7e7636042e65b03f1cf50b6730f73119
SSDEEP: 24576:dHTYEG8wB1j9pMKDe+TJ/IY3G+VYbw8FcIF4aWVTS:d3g9pxDpTJ/IUVYbw8FGaGm
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (12 IoCs)
resource | yara_rule
behavioral1/files/0x000b00000001224c-8.dat | DanabotLoader2021
behavioral1/memory/2460-10-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/files/0x000b00000001224c-9.dat | DanabotLoader2021
behavioral1/memory/2460-11-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-19-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-20-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-21-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-22-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-23-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-24-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-25-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2460-26-0x00000000009F0000-0x0000000000B4F000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
flow | pid | Process
2 | 2460 | rundll32.exe

Loads dropped DLL (1 IoC)
Processes: rundll32.exe
pid | Process
2460 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: 2c269d932b52ff71a1429e94cd020c9f.exe
description | pid | Process | procid_target
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
PID 1704 wrote to memory of 2460 | 1704 | 2c269d932b52ff71a1429e94cd020c9f.exe | 28
Processes

C:\Users\Admin\AppData\Local\Temp\2c269d932b52ff71a1429e94cd020c9f.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\2c269d932b52ff71a1429e94cd020c9f.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1704

    C:\Windows\SysWOW64\rundll32.exe
      command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2C269D~1.TMP,S C:\Users\Admin\AppData\Local\Temp\2C269D~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2460
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 724KB
MD5: ed6e984e8a2834fb7742450fffdb4b26
SHA1: 8426af06f9cd8aa7860ecf34b049928caf216216
SHA256: 8465d23d0c317efe5c98ace493dce44b6c4d500d1ac2c232ef36e969fc980d80
SHA512: af2c47f601779eb503566bcbbeb3f4a5a630811e7a849ad37f596b6980d634ee8d1d9f60fcaca114ca684378f93ad8f0757aa98ca67756643edd7e5ec29811c1

Filesize: 381KB
MD5: 54217ccd4c3a52c9cda072569a377825
SHA1: d19188397959d9c1cdfeae111a953803b12f8d85
SHA256: 788a42718787794e3a84663af00c7c9c0129aaff331e753e049e11fb2a80cc12
SHA512: 14ba8c9817d86594602d8f716c993395d7744164fb96cc1cb0cadf244df669d0d7225dc278b46c6e8d8aca603d9a175e986b7b5ce40e45fb586512896d373364