Analysis

Max time kernel: 143s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 26-12-2023 10:12

Static task: static1
Behavioral task: behavioral1
Sample: 6651b94fca97496297e88b8f4fa9de77.exe
Resource: win7-20231215-en
General

Target: 6651b94fca97496297e88b8f4fa9de77.exe
Size: 1.1MB
MD5: 6651b94fca97496297e88b8f4fa9de77
SHA1: 6a32236977388626a6f6c378a1d3b6291f9b7b31
SHA256: ba8e97e341fadadb0789c21d7d78b98b5194e3cfeff41c8c7e22b422321c5417
SHA512: 95343f8ac9dc4a1fdbc6d5ccff8074d4615e0f7e4d84c9025db1313234ef6de799f7637bef4198cae80653b1aa14ff2caa16f704a158e30886c65df8302129aa
SSDEEP: 24576:osux3BbFLhaJS8B7IVO+VtRl8ERPd0NCcb0wXXsSlyrLz:gdaJS87IVO+Vp8ElSNCMXXXK3
Malware Config

Extracted
  Family: danabot
  Version: 4
  C2: 142.11.244.124:443
      142.11.206.50:443
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
Signatures

Danabot Loader Component (10 IoCs)
  resource  yara_rule
  behavioral2/files/0x0008000000023132-5.dat  DanabotLoader2021
  behavioral2/memory/1748-10-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-18-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-19-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-20-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-21-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-22-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-23-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-24-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1748-25-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  70    1748  rundll32.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1748  rundll32.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  2812  4944        WerFault.exe  14

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 4944 wrote to memory of 1748  4944  6651b94fca97496297e88b8f4fa9de77.exe  50
  PID 4944 wrote to memory of 1748  4944  6651b94fca97496297e88b8f4fa9de77.exe  50
  PID 4944 wrote to memory of 1748  4944  6651b94fca97496297e88b8f4fa9de77.exe  50
Processes

C:\Users\Admin\AppData\Local\Temp\6651b94fca97496297e88b8f4fa9de77.exe (level 1, PID 4944)
  Command line: "C:\Users\Admin\AppData\Local\Temp\6651b94fca97496297e88b8f4fa9de77.exe"
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe (level 2, PID 2812)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 500
    Signatures: Program crash

  C:\Windows\SysWOW64\rundll32.exe (level 2, PID 1748)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6651B9~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6651B9~1.EXE
    Signatures: Blocklisted process makes network request; Loads dropped DLL

C:\Windows\SysWOW64\WerFault.exe (level 1, PID 4616)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4944 -ip 4944