Analysis

max time kernel: 145s
max time network: 127s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 10:12

Static task: static1
Behavioral task: behavioral1
Sample: 6651b94fca97496297e88b8f4fa9de77.exe
Resource: win7-20231215-en
General

Target: 6651b94fca97496297e88b8f4fa9de77.exe
Size: 1.1MB
MD5: 6651b94fca97496297e88b8f4fa9de77
SHA1: 6a32236977388626a6f6c378a1d3b6291f9b7b31
SHA256: ba8e97e341fadadb0789c21d7d78b98b5194e3cfeff41c8c7e22b422321c5417
SHA512: 95343f8ac9dc4a1fdbc6d5ccff8074d4615e0f7e4d84c9025db1313234ef6de799f7637bef4198cae80653b1aa14ff2caa16f704a158e30886c65df8302129aa
SSDEEP: 24576:osux3BbFLhaJS8B7IVO+VtRl8ERPd0NCcb0wXXsSlyrLz:gdaJS87IVO+Vp8ElSNCMXXXK3
Malware Config

Extracted family: danabot
Version: 4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (11 IoCs)

  resource                                                                      yara_rule
  behavioral1/files/0x000a000000012243-6.dat                                    DanabotLoader2021
  behavioral1/memory/2892-8-0x00000000008E0000-0x0000000000A3F000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2892-12-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-20-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-21-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-22-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-23-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-24-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-25-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-26-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2892-27-0x00000000008E0000-0x0000000000A3F000-memory.dmp   DanabotLoader2021

  The one dropped file and every memory snapshot of PID 2892 (the same 0x008E0000-0x00A3F000 region across ten dumps) match the DanabotLoader2021 rule.

Blocklisted process makes network request (1 IoC)

  flow   pid    Process
  2      2892   rundll32.exe

Loads dropped DLL (1 IoC)

  pid    Process
  2892   rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)

  description              pid    Process                                procid_target
  PID 2068 wrote to memory of 2892   6651b94fca97496297e88b8f4fa9de77.exe   28
  (the same event is recorded seven times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\6651b94fca97496297e88b8f4fa9de77.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6651b94fca97496297e88b8f4fa9de77.exe"
   PID: 2068
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 2068)
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6651B9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6651B9~1.EXE
      PID: 2892
      - Blocklisted process makes network request
      - Loads dropped DLL

The dropper launches the 32-bit rundll32.exe (the command line names system32, but WOW64 redirection resolves it to SysWOW64 on this x64 image) to load a dropped file with a .TMP extension from the same Temp directory, calling its export "S" and passing the dropper's own 8.3 short path as the argument. A DLL loaded from a user-writable temp directory under a non-.dll extension, by a rundll32 whose parent also runs from that directory, is the behaviour to hunt for here; the YARA hits on PID 2892's memory show the DanaBot loader unpacked inside that rundll32 process.
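A detection pass over the process tree and the extracted C2 list, as an added example that is not part of the Triage report: it flags rundll32.exe loading a non-.dll module from %TEMP% (noting when the parent also runs from %TEMP%) and any connection to one of the two C2 endpoints in the Malware Config section. The event dictionaries are a constructed, simplified Sysmon-like schema (type, pid, ppid, image, cmdline, dst, dport), and the sample events are modelled on the tree above plus one benign rundll32 launch and one benign connection; none of them are the report's own telemetry.

```python
import re

# C2 endpoints from the report's extracted DanaBot config (version 4).
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# Matches "rundll32.exe <module>,<export>" anywhere on a command line.
RUNDLL32_ARG_RE = re.compile(
    r"rundll32\.exe\s+(?P<module>[^\s,]+),(?P<export>\S+)", re.IGNORECASE)
# User-writable temp directory, in long or 8.3 form.
TEMP_DIR_RE = re.compile(r"\\AppData\\Local\\Temp\\|\\LOCALS~1\\Temp\\", re.IGNORECASE)

# Constructed sample events (assumed schema, not the report's own telemetry).
SAMPLE_EVENTS = [
    {"type": "process", "pid": 2068, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\6651b94fca97496297e88b8f4fa9de77.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\6651b94fca97496297e88b8f4fa9de77.exe"'},
    {"type": "process", "pid": 2892, "ppid": 2068,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": (r"C:\Windows\system32\rundll32.exe "
                 r"C:\Users\Admin\AppData\Local\Temp\6651B9~1.TMP,S "
                 r"C:\Users\Admin\AppData\Local\Temp\6651B9~1.EXE")},
    # Benign: Control Panel applet launched the normal way.
    {"type": "process", "pid": 3001, "ppid": 800,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL"},
    {"type": "network", "pid": 2892, "dst": "142.11.244.124", "dport": 443},
    # Benign: unrelated HTTPS connection (documentation address, constructed).
    {"type": "network", "pid": 3001, "dst": "93.184.216.34", "dport": 443},
]


def flag_rundll32_temp_module(ev, parents):
    """Return a finding if rundll32 loads a non-.dll module from %TEMP%, else None."""
    if ev["type"] != "process" or not ev["image"].lower().endswith("rundll32.exe"):
        return None
    m = RUNDLL32_ARG_RE.search(ev["cmdline"])
    if not m:
        return None
    module = m.group("module")
    if not (TEMP_DIR_RE.search(module) and not module.lower().endswith(".dll")):
        return None
    finding = (f"pid {ev['pid']}: rundll32 loads {module} via export "
               f"{m.group('export')} from %TEMP%")
    parent = parents.get(ev["ppid"])
    if parent and TEMP_DIR_RE.search(parent["image"]):
        finding += f" (parent pid {parent['pid']} also runs from %TEMP%)"
    return finding


def flag_c2_connection(ev):
    """Return a finding if a network event targets a known DanaBot C2, else None."""
    if ev["type"] != "network":
        return None
    if (ev["dst"], ev["dport"]) in DANABOT_C2:
        return f"pid {ev['pid']}: connection to DanaBot C2 {ev['dst']}:{ev['dport']}"
    return None


def analyze(events):
    """Run both checks over an event list and return the findings in event order."""
    parents = {ev["pid"]: ev for ev in events if ev["type"] == "process"}
    findings = []
    for ev in events:
        for f in (flag_rundll32_temp_module(ev, parents), flag_c2_connection(ev)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for line in analyze(SAMPLE_EVENTS):
        print(line)
```

The module check keys on the combination (rundll32, module under %TEMP%, extension other than .dll) rather than on the .TMP name alone, because the loader could just as easily use .dat or no extension; the C2 check is an exact (ip, port) match, so rotate the set from the extracted config as new samples are triaged.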
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.3MB
MD5: 00ff83979f4cc5eaf1aa08e4cd33edc6
SHA1: 5f6a6d4d1b34b7f5a46591fe027092c6cc9b3194
SHA256: f04c14adc92fcb5c10a00484e705397b5597930c7915cd5a1147b4c742f439da
SHA512: 64d6158cf9c9c1004bc53391b676e8b8c29264fc6756e47cc13fbc1049a9c58a43af871e4426d9650eb2f447b8599284e770df67ca6a7a2a3fbccd862d007aa6