Analysis
max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-12-2023 16:12
Static task: static1
Behavioral task: behavioral1
Sample: 2c269d932b52ff71a1429e94cd020c9f.exe
Resource: win7-20231215-en
General
Target: 2c269d932b52ff71a1429e94cd020c9f.exe
Size: 1.2MB
MD5: 2c269d932b52ff71a1429e94cd020c9f
SHA1: 4de5a5fca618479c84e84f27bfdf589b692a5bea
SHA256: f231fc321d5bfd7623b731251d4231ebd317916507696795ce0a091cb8e4dead
SHA512: 4f794cc19fdb840203782351d0b5216d34e8965892b47faa322b75b0b862d8d38362da314b0cd916bd6202f5a0c577bb7e7636042e65b03f1cf50b6730f73119
SSDEEP: 24576:dHTYEG8wB1j9pMKDe+TJ/IY3G+VYbw8FcIF4aWVTS:d3g9pxDpTJ/IUVYbw8FGaGm
Malware Config
Extracted
Family: danabot
Version: 4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (13 IoCs)
resource  yara_rule
behavioral2/files/0x000a00000002313d-6.dat  DanabotLoader2021
behavioral2/memory/3032-9-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/files/0x000a00000002313d-8.dat  DanabotLoader2021
behavioral2/files/0x000a00000002313d-7.dat  DanabotLoader2021
behavioral2/memory/3032-12-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-20-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-21-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-22-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-23-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-24-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-25-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-26-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021
behavioral2/memory/3032-27-0x0000000002300000-0x000000000245F000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
flow  pid   Process
145   3032  rundll32.exe

Loads dropped DLL (2 IoCs)
Processes: rundll32.exe
pid   Process
3032  rundll32.exe
3032  rundll32.exe

Program crash (1 IoC)
Processes: WerFault.exe
pid   pid_target  Process       procid_target
2560  5016        WerFault.exe  88

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: 2c269d932b52ff71a1429e94cd020c9f.exe
description                          pid   Process                               procid_target
PID 5016 wrote to memory of 3032     5016  2c269d932b52ff71a1429e94cd020c9f.exe  92
PID 5016 wrote to memory of 3032     5016  2c269d932b52ff71a1429e94cd020c9f.exe  92
PID 5016 wrote to memory of 3032     5016  2c269d932b52ff71a1429e94cd020c9f.exe  92
Processes

1. C:\Users\Admin\AppData\Local\Temp\2c269d932b52ff71a1429e94cd020c9f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\2c269d932b52ff71a1429e94cd020c9f.exe"
   - Suspicious use of WriteProcessMemory
   PID: 5016

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\2C269D~1.TMP,S C:\Users\Admin\AppData\Local\Temp\2C269D~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 3032

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5016 -s 536
      - Program crash
      PID: 2560

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5016 -ip 5016
   PID: 4800
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 92KB
MD5: dfb3f269ae326139a652bb51e51f4cb3
SHA1: dc70cf242c7db46e01bd8b7b771c693b7f4f16d9
SHA256: 6f0f98ed62a6acab035c8bdd80bc8743890fa4d81a947924a6f333f2809f7ae2
SHA512: 3858f5699da3eab80ee09a70044117f654a45669b244a5779958bd132aa000f9360d2377b796d4b43af9a465a8a30e96e2bd9471dff1662d3b1966d50465481e

Filesize: 95KB
MD5: 69b0dea23914c6c8f1b2a1634aa43509
SHA1: 03605db0b996b970d2e1708ac422ce157606628f
SHA256: b02b0f7bbf745c18297a87c04d726c93282e59559597fdc6aa63fa2c79ab0f9e
SHA512: 72fe194fbdaab3b35c09cb09b22f75df9266c9ac3fee5b7406fd864d17685a419d0e50b6631e31f0e31710a6ec23373f6555e1c8ff0f9e0083c98dce7b1e5797

Filesize: 832KB
MD5: 82f08de14c4ef9f7ddc36d377901e50e
SHA1: 42157926674ceded914a35df031271886ad1a271
SHA256: 8a006c00696880902cb3c26b8f5e96d3aead1aa16c02c43cd2088104de4e7d8a
SHA512: 6ad7cb75f7fbb1941408c6e67d99fffc3122f3870c6268d85b1739f88ebb236caf65266db7153235e09c35ebdfc1e09c201d4892d5bc2e98cd5943173968e2cf