Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
26-12-2023 17:24
Static task
static1
Behavioral task
behavioral1
Sample
80450a6fd44277fa7c6883ee59093f72.dll
Resource
win7-20231129-en
General
-
Target
80450a6fd44277fa7c6883ee59093f72.dll
-
Size
5.7MB
-
MD5
80450a6fd44277fa7c6883ee59093f72
-
SHA1
d90e1ccec2ff3f552b0e887acd50418a8959c1d1
-
SHA256
ea0af0074cddd3d6de2f641f5f0e7dfb5170dfc44a8661b06075cf32dfc3cf16
-
SHA512
461648a7cba529f6e13da31c1c4f4ad5ce73798a3569d96df65993d1c9c28cdc3750c5b056a1767e45260fd84b76c3fe179ccceea328a17a8182b76a54a0be65
-
SSDEEP
98304:VTH01OZK84868vo7flGArwf9ytPkWQULuYF2YsV3PlokRWS:VTHYiKsAz8ArPqWQULuTykRl
Malware Config
Extracted
danabot
1827
3
23.106.123.141:443
37.220.31.94:443
23.106.123.185:443
192.210.198.12:443
-
embedded_hash
AEF96B4D339B580ABB737F203C2D0F52
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 2 1996 RUNDLL32.EXE 3 1996 RUNDLL32.EXE 4 1996 RUNDLL32.EXE 5 1996 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops desktop.ini file(s) 4 IoCs
Processes:
RUNDLL32.EXEdescription ioc process File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3I8TNX97\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ACR0LGSN\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini RUNDLL32.EXE File opened for modification C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini RUNDLL32.EXE -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 2948 rundll32.exe Token: SeDebugPrivilege 1996 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2416 wrote to memory of 2948 2416 rundll32.exe rundll32.exe PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE PID 2948 wrote to memory of 1996 2948 rundll32.exe RUNDLL32.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,tmJU3⤵
- Blocklisted process makes network request
- Drops desktop.ini file(s)
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\gxxdafgzd.tmpFilesize
256B
MD581a6acb2c80f76cd12d692565e7c0e66
SHA146fe73ede4821c44ee1d28a65b603533950a6080
SHA25625bb09830e7f69f46194bbf93b2e4b7316a9e744d804d6359b43c3003ba80687
SHA512d38b7f073ffeb4459031acb29897b38bc09e0e101b69b587d6db409826046bbd104f410cc4415a1c2031871163e0f0939a4a13823c74dc538f4e322b61828c9e
-
C:\Users\Admin\AppData\Local\Temp\wmsetup.logFilesize
843B
MD5496c79abac0d1074c2979695199d5f2d
SHA1fa5327469d09ba4f831cd882bd5b889d0b7728df
SHA256b9335a81dd396b09a6520032eb15bcabf26e3dfed05beaef2849fe04638c2631
SHA51206dff47de234a29e8afc26f2abfeb7575aa5173a61c377d48c754277f0b198c81f51018b29316163802ee44b9eab1971570fce76547d4ef47dc386466293d560
-
memory/1996-26-0x00000000020A0000-0x000000000265B000-memory.dmpFilesize
5.7MB
-
memory/1996-12-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-4-0x00000000020A0000-0x000000000265B000-memory.dmpFilesize
5.7MB
-
memory/1996-6-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-8-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-7-0x0000000002840000-0x0000000002841000-memory.dmpFilesize
4KB
-
memory/1996-30-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-29-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-10-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-9-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/1996-28-0x0000000002F00000-0x0000000003560000-memory.dmpFilesize
6.4MB
-
memory/2948-0-0x00000000021F0000-0x00000000027AB000-memory.dmpFilesize
5.7MB
-
memory/2948-5-0x0000000003010000-0x0000000003670000-memory.dmpFilesize
6.4MB
-
memory/2948-2-0x0000000002870000-0x0000000002871000-memory.dmpFilesize
4KB
-
memory/2948-3-0x0000000003010000-0x0000000003670000-memory.dmpFilesize
6.4MB
-
memory/2948-1-0x0000000003010000-0x0000000003670000-memory.dmpFilesize
6.4MB