Analysis

max time kernel: 141s
max time network: 118s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 26-12-2023 18:14
Static task: static1
Behavioral task: behavioral1
Sample: 83482a1f9ecee5ec6fd1aa7d19060a07.exe
Resource: win7-20231215-en
General

Target: 83482a1f9ecee5ec6fd1aa7d19060a07.exe
Size: 1.2MB
MD5: 83482a1f9ecee5ec6fd1aa7d19060a07
SHA1: 5dd641372eeeb49a6b7c0b42db2eb06a7d59e013
SHA256: c744f24e87e969e79dd233ac2344679f95451212afc52a8fae455fa7d6df58b1
SHA512: c1fafd8dcf4be75c721e80ca7dcda9895f3a019b2a1ffb4f34bde771d9d658362a36c1425e87ee3f99fb0f57e57b217234a79289ad182c0ec86af3ff19eca86f
SSDEEP: 24576:VeCQ2lMlL0FzwcfU8ri3HzhUOCuFtR1n7peMwGmsnl59VAtA:VyepwcfUakzhUtuFtzoOBl53A
Malware Config

Extracted
Family: danabot
4
C2: 142.11.244.124:443, 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (12 IoCs)
resource | yara_rule
behavioral1/files/0x000c000000012251-7.dat | DanabotLoader2021
behavioral1/memory/2320-9-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/files/0x000c000000012251-8.dat | DanabotLoader2021
behavioral1/memory/2320-10-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-18-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-19-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-20-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-21-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-22-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-23-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-24-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021
behavioral1/memory/2320-25-0x0000000001EB0000-0x000000000200F000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
flow | pid | Process
2 | 2320 | rundll32.exe

Loads dropped DLL (1 IoC)
pid | Process
2320 | rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description | pid | Process | procid_target
PID 2144 wrote to memory of 2320 | 2144 | 83482a1f9ecee5ec6fd1aa7d19060a07.exe | 28 (this row is repeated 7 times, one per write)
Processes

1. C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"
   PID: 2144
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE
      PID: 2320
      - Blocklisted process makes network request
      - Loads dropped DLL

Note on the chain: the sample (PID 2144) is a 32-bit process, so its call to C:\Windows\system32\rundll32.exe is redirected by WoW64 to the C:\Windows\SysWOW64\rundll32.exe image seen above. rundll32 is given a module with a .TMP extension from the user's Temp directory (the 8.3 short name 83482A~1.TMP), told to call its export S, and passed the short-name path of the original executable as the argument. This child is the process that matched the DanabotLoader2021 YARA rule in memory and made the network request.
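The process tree and extracted C2 list above are enough to write a first-pass detection for this loader chain. The following is an added example written for this page, not output of the sandbox and not a rule from any vendor: it checks process-creation records for rundll32.exe executing a non-.dll module from the user's Temp directory (with the parent also in Temp), and network-connection records for the two extracted C2 endpoints. The sample events are constructed to mirror the tree above plus a benign control; the field names (type, pid, image, cmdline, parent_image, dst_ip, dst_port) are an assumed schema loosely modelled on Sysmon events 1 and 3, not a real product's format.

```python
"""Detection logic for the DanaBot loader chain shown in this report.

Added example (not part of the sandbox report, not a vendor rule).
Checks implemented:
  1. rundll32.exe loading a module that is not a .dll from the user's Temp
     directory, e.g. "...\\83482A~1.TMP,S", optionally with the parent
     process also running from Temp.
  2. Any process connecting to one of the extracted C2 endpoints.
Event field names below are an assumption, not a real log schema.
"""
import ntpath
import re
from dataclasses import dataclass

# Taken from the report's Malware Config section (C2 list).
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# <drive>:\Users\<user>\AppData\Local\Temp\ prefix, any case.
TEMP_RE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
# rundll32.exe <module>,<export> ...  (module may be quoted or an 8.3 short name)
RUNDLL_RE = re.compile(
    r"""rundll32\.exe\s+"?(?P<module>[^",\s]+)"?\s*,\s*(?P<export>[#\w]+)""",
    re.IGNORECASE,
)


@dataclass
class Alert:
    rule: str
    pid: int
    detail: str


def _in_user_temp(path: str) -> bool:
    return bool(TEMP_RE.match(path))


def check_process(ev: dict) -> list[Alert]:
    """Process-creation check: rundll32 with a non-DLL module from Temp."""
    alerts: list[Alert] = []
    if ntpath.basename(ev["image"]).lower() != "rundll32.exe":
        return alerts
    m = RUNDLL_RE.search(ev["cmdline"])
    if not m:
        return alerts
    module, export = m.group("module"), m.group("export")
    ext = ntpath.splitext(module)[1].lower()
    if _in_user_temp(module) and ext != ".dll":
        alerts.append(Alert("rundll32_nondll_module_from_temp", ev["pid"],
                            f"module={module} export={export}"))
    if _in_user_temp(module) and _in_user_temp(ev.get("parent_image", "")):
        alerts.append(Alert("rundll32_temp_parent_and_module", ev["pid"],
                            f"parent={ev['parent_image']}"))
    return alerts


def check_network(ev: dict) -> list[Alert]:
    """Network check: destination matches an extracted C2 endpoint."""
    if (ev["dst_ip"], ev["dst_port"]) in DANABOT_C2:
        return [Alert("danabot_c2_connection", ev["pid"],
                      f"{ev['dst_ip']}:{ev['dst_port']}")]
    return []


def run(events: list[dict]) -> list[Alert]:
    """Dispatch each event to the matching check and collect alerts in order."""
    out: list[Alert] = []
    for ev in events:
        if ev["type"] == "process_create":
            out.extend(check_process(ev))
        elif ev["type"] == "network_connect":
            out.extend(check_network(ev))
    return out


# Constructed telemetry mirroring the report's process tree, plus a benign
# control (rundll32 loading a real DLL from System32). Not sandbox output.
SAMPLE_EVENTS = [
    {"type": "process_create", "pid": 2144,
     "image": r"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"',
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "pid": 2320,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE",
     "parent_image": r"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"},
    {"type": "network_connect", "pid": 2320, "dst_ip": "142.11.244.124", "dst_port": 443},
    {"type": "process_create", "pid": 3000,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"type": "network_connect", "pid": 3000, "dst_ip": "93.184.216.34", "dst_port": 443},
]

if __name__ == "__main__":
    for a in run(SAMPLE_EVENTS):
        print(f"[{a.rule}] pid={a.pid} {a.detail}")
```

The module check keys on the extension and location rather than on the 83482A~1.TMP name, since the dropped file name is sample-specific while rundll32 executing a non-.dll from Temp via a one-letter export is the reusable part of the pattern; the C2 match is the brittle, short-lived indicator and is kept separate so it can be rotated without touching the behavioural rule.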
Downloads

Dropped file 1
Filesize: 92KB
MD5: 82fa5de6a1c155c1b4c7f495add025bc
SHA1: eb1a1216ef499e9819af722439e41edb3f1f97e8
SHA256: 223b5f84954f4e05817e2984a84ae0689cf03b5d17a50e845f7fb11160044d2d
SHA512: 6aebcc9aab0ce3986873055823ec432d86fdc4ab5c5efefe5db72a8c16caaf3c432ff551f7c7e47a5da6c6aff7e4d03132f9601519d3bca3ca20efa0d9af7f56

Dropped file 2
Filesize: 381KB
MD5: 72d6392e0853f335d0cce4700b100857
SHA1: 28a45d180907b3d701325f9bad937988d350397d
SHA256: 69a232767bdcc24a1067dd4c496ace4ced6e08ed4e77dd90c02ff240ea0ee05a
SHA512: 31549981973e10418b2c249acafdaeb7cea992dc63c7a0e72383724ddbcd56b3f3d11f401dcc404ec2df9b76752a8601bd2a4eead26d1084425251be050ae740