Analysis
- max time kernel: 144s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 26-12-2023 11:38
Static task: static1
Behavioral task: behavioral1
- Sample: 6b60f7cbc0c04e3110ea9da7f9321fe3.exe
- Resource: win7-20231215-en
General
- Target: 6b60f7cbc0c04e3110ea9da7f9321fe3.exe
- Size: 1.1MB
- MD5: 6b60f7cbc0c04e3110ea9da7f9321fe3
- SHA1: 5051291ed1160c0f5bdd79f1d5706807f2d7512b
- SHA256: 73330db1f35105b797d13d85b7e372cd0fc8a7eab0ed05ba1d864457d0e7666c
- SHA512: bf61735f3ee94390c69348dbe9c78bc0a1d56e7c64ce2b9ecedd10147ccb6db8aed677f24a8d32fabc8ab308ab33861d4eb383addcc1ec43d7bbcd453b943b0c
- SSDEEP: 24576:RIcECYHIt8+5eZ+conosN6FOf8qtRfJ6a6BPA:RIxvHrSEcJgU8yfJ6NBI
Malware Config
Extracted
- danabot
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Danabot Loader Component (11 IoCs)
  Processes (resource / yara_rule):
    behavioral1/files/0x000a000000012252-7.dat  DanabotLoader2021
    behavioral1/memory/852-10-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-11-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-19-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-20-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-21-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-22-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-23-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-24-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-25-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
    behavioral1/memory/852-26-0x0000000001C00000-0x0000000001D5E000-memory.dmp  DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / Process):
    2  852  rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / Process):
    852  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / Process / procid_target):
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
    PID 660 wrote to memory of 852  660  6b60f7cbc0c04e3110ea9da7f9321fe3.exe  28
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe"
  - Suspicious use of WriteProcessMemory
  PID: 660
  - 2: C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6B60F7~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6B60F7~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 852
Downloads
- Filesize: 1.3MB
  MD5: 048c99a09fff8d58f078827119dfd652
  SHA1: 9d1dc7f2f4ab3a5273a21072c1121527d42de414
  SHA256: d87d64d9c402d5e16db212cc7f8d3e28cc4f32d6cae922ee158ec979d352f6b5
  SHA512: a4ffa0eb3bb24423dd27bbce753557ee3224850c3f350a05770440892f723f9a1bfb99897dce964de0fc26eddc79769b8134eb456cf022a86716301afbaa82d9