Analysis

max time kernel: 149s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 06:19
Static task: static1
Behavioral task: behavioral1
Sample: 592b072b05d4144f9e5242c8e9a1c88c.exe
Resource: win7-20231215-en
General

Target: 592b072b05d4144f9e5242c8e9a1c88c.exe
Size: 1.1MB
MD5: 592b072b05d4144f9e5242c8e9a1c88c
SHA1: 8294c8a81684a35a9a8e155788c2ccabad8b657c
SHA256: 745ae9caf8a38023905ad52a4e81d085cef62fc4a14aacf2536c9e54cd1845f8
SHA512: 9ee062e1380094efed830a46df76377d446a41f88c179a13a3b09bb47a145ebc5351dd02e3374d3d19de274dd0ddfdb0c11df18bc720ff171a478386eed2619a
SSDEEP: 24576:vv2NFRfdDf+CRwEHhjLsWLcOeb9oQvU7/9EJojbfH0vZEr:mRf+Cy65My/KeHYu
Malware Config

Extracted
Family: danabot
Version: 4
C2:
  142.11.244.124:443
  142.11.206.50:443
Attributes:
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
Signatures

Danabot Loader Component (11 IoCs)
  yara_rule DanabotLoader2021 matched the following resources:
    behavioral2/files/0x000800000002304b-7.dat
    behavioral2/files/0x000800000002304b-6.dat
    behavioral2/memory/2340-10-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-18-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-19-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-20-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-21-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-22-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-23-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-24-0x0000000000400000-0x000000000055E000-memory.dmp
    behavioral2/memory/2340-25-0x0000000000400000-0x000000000055E000-memory.dmp

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  137   2340  rundll32.exe

Loads dropped DLL (1 IoC)
  pid   Process
  2340  rundll32.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  4444  4152        WerFault.exe  70

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 4152 wrote to memory of 2340  4152  592b072b05d4144f9e5242c8e9a1c88c.exe  95
  PID 4152 wrote to memory of 2340  4152  592b072b05d4144f9e5242c8e9a1c88c.exe  95
  PID 4152 wrote to memory of 2340  4152  592b072b05d4144f9e5242c8e9a1c88c.exe  95
Processes

C:\Users\Admin\AppData\Local\Temp\592b072b05d4144f9e5242c8e9a1c88c.exe  (PID 4152)
  command line: "C:\Users\Admin\AppData\Local\Temp\592b072b05d4144f9e5242c8e9a1c88c.exe"
  - Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\WerFault.exe  (PID 4444)
  |     command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 540
  |     - Program crash
  |
  +-- C:\Windows\SysWOW64\rundll32.exe  (PID 2340)
        command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\592B07~1.TMP,S C:\Users\Admin\AppData\Local\Temp\592B07~1.EXE
        - Blocklisted process makes network request
        - Loads dropped DLL

C:\Windows\SysWOW64\WerFault.exe  (PID 4972)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 4152 -ip 4152
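The process tree above shows the loader pattern worth detecting: the sample drops its payload into the user's Temp directory under a .TMP name, hands it to rundll32.exe with a single-letter export (S), and it is that rundll32 child, not the sample, that makes the network request. The following is an added example, not part of the Triage report or of any vendor tooling, that turns that chain plus the extracted C2 list into detection logic. The event schema (field names, the explorer.exe parent, the benign rundll32 and connection events) is hypothetical and constructed for the example; the indicators themselves are copied from the report.

```python
"""Detection logic for the rundll32 hand-off and C2 contacts seen in this report.
Added example, not part of the Triage report or any vendor tooling. The event
schema below is hypothetical; the explorer.exe parent and the two benign events
are constructed so the rules have something to ignore."""
import re
from dataclasses import dataclass
from typing import Optional

# Indicators copied from the report (Malware Config and Processes sections).
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\592b072b05d4144f9e5242c8e9a1c88c.exe"

# Match the directory, not the file name: the loader refers to its drop by the
# 8.3 short name (592B07~1.TMP), so an exact-name indicator would miss it.
TEMP_DIR_RE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# rundll32 <module>,<export> ...; the module is quoted when its path has spaces.
RUNDLL32_RE = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?P<dll>"[^"]+"|[^\s,]+),(?P<export>\S+)', re.IGNORECASE)

@dataclass
class ProcessEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str

@dataclass
class ConnectEvent:
    pid: int
    dst_ip: str
    dst_port: int

def parse_rundll32(cmdline: str) -> Optional[tuple[str, str]]:
    # (module_path, export_name) from a rundll32 command line, or None
    m = RUNDLL32_RE.search(cmdline)
    if m is None:
        return None
    return m.group("dll").strip('"'), m.group("export")

def rundll32_reasons(ev: ProcessEvent) -> list[str]:
    # Each reason is one way the launch resembles the report's rundll32 line.
    if not ev.image.lower().endswith("\\rundll32.exe"):
        return []
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return []
    dll, export = parsed
    reasons = []
    if TEMP_DIR_RE.search(dll):
        reasons.append(f"module loaded from user Temp: {dll}")
    if not dll.lower().endswith(".dll"):
        reasons.append(f"module extension is not .dll: {dll.rsplit('.', 1)[-1]}")
    if re.fullmatch(r"[A-Za-z]{1,2}", export):
        reasons.append(f"very short export name: {export}")
    if TEMP_DIR_RE.search(ev.parent_image):
        reasons.append(f"parent runs from user Temp: {ev.parent_image}")
    return reasons

def c2_match(ev: ConnectEvent) -> Optional[str]:
    if (ev.dst_ip, ev.dst_port) in DANABOT_C2:
        return f"connection to Danabot C2 {ev.dst_ip}:{ev.dst_port}"
    return None

def analyze(process_events, connect_events) -> list[dict]:
    """Two heuristics must agree before a rundll32 launch is alerted; a C2 hit is
    alerted on its own and marked corroborated when its PID was already flagged."""
    alerts, flagged = [], set()
    for ev in process_events:
        reasons = rundll32_reasons(ev)
        if len(reasons) >= 2:
            flagged.add(ev.pid)
            alerts.append({"rule": "suspicious_rundll32", "pid": ev.pid, "reasons": reasons})
    for ev in connect_events:
        why = c2_match(ev)
        if why:
            alerts.append({"rule": "danabot_c2", "pid": ev.pid, "reasons": [why],
                           "corroborated": ev.pid in flagged})
    return alerts

# Constructed events mirroring the report's process tree, plus benign noise.
PROCESS_EVENTS = [
    ProcessEvent(4152, SAMPLE, f'"{SAMPLE}"', r"C:\Windows\explorer.exe"),
    ProcessEvent(2340, r"C:\Windows\SysWOW64\rundll32.exe",
                 r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\592B07~1.TMP,S "
                 r"C:\Users\Admin\AppData\Local\Temp\592B07~1.EXE", SAMPLE),
    ProcessEvent(5000, r"C:\Windows\System32\rundll32.exe",
                 r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
                 r"C:\Windows\explorer.exe"),
]
CONNECT_EVENTS = [
    ConnectEvent(2340, "142.11.244.124", 443),
    ConnectEvent(5000, "203.0.113.10", 443),
]

if __name__ == "__main__":
    for alert in analyze(PROCESS_EVENTS, CONNECT_EVENTS):
        print(alert)
```

Two design points follow from the report itself. The rundll32 rule requires at least two of its heuristics to agree, because each one alone (a module outside System32, a short export name, a Temp-resident parent) has legitimate uses; the report's command line trips all four. The C2 rule keys on the ip:port pairs from the extracted config and is reported even without a flagged parent, since the addresses are the highest-confidence indicator on the page, but it records whether the connecting PID was already flagged so an analyst can see the full chain in one alert.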
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.3MB
MD5: cd5044245235a5945e8bf1aad2a4f930
SHA1: 3f00bab9e9f5eb6780f580270f379730bab5ad5e
SHA256: 61c58ac85bba0a9602d20b908dfb954743e48358e8e9b28037cda2771918025d
SHA512: 68b57ced0e51deb88da60432b40e621ff9c537415b4d4a3abcec2b4ce68eef24564ad9ed0ca2cf586e92eb32e64392627df7de16e8e0a6522c172f6f152b97c0

Filesize: 1.1MB
MD5: 4b81bc6f7f127c80433c7a406040a00e
SHA1: 39a17b7818de16c87d2d7eb21384fd8a009eca98
SHA256: 7127be903a72c447df067ca868725c8ab2b1eadf83e2d66de33d94c56a5a4203
SHA512: b44a8ac221d6a97ad80685cc8788390c06ef3f6a783db4ab3db53449e42ec89165784e39cd7a4be33540b89a5b2d26d6b44315d7443a499da4b3ae598414e87b