Analysis

max time kernel: 142s
max time network: 117s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-12-2023 18:14
Static task: static1
Behavioral task: behavioral1
Sample: 83482a1f9ecee5ec6fd1aa7d19060a07.exe
Resource: win7-20231215-en
General

Target: 83482a1f9ecee5ec6fd1aa7d19060a07.exe
Size: 1.2MB
MD5: 83482a1f9ecee5ec6fd1aa7d19060a07
SHA1: 5dd641372eeeb49a6b7c0b42db2eb06a7d59e013
SHA256: c744f24e87e969e79dd233ac2344679f95451212afc52a8fae455fa7d6df58b1
SHA512: c1fafd8dcf4be75c721e80ca7dcda9895f3a019b2a1ffb4f34bde771d9d658362a36c1425e87ee3f99fb0f57e57b217234a79289ad182c0ec86af3ff19eca86f
SSDEEP: 24576:VeCQ2lMlL0FzwcfU8ri3HzhUOCuFtR1n7peMwGmsnl59VAtA:VyepwcfUakzhUtuFtzoOBl53A
Malware Config

Extracted
family: danabot
4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
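Matching network telemetry against the two C2 endpoints in the extracted config above, as an added example that is not part of this report or of the sandbox's own tooling. The only data taken from the page is the C2 set; the Zeek conn.log excerpt is constructed. The match is on the responder IP alone and records separately whether the port also matched, so that a failed connection attempt (conn_state S0, the C2 is down or blocked) and re-use of the same address on another port are both surfaced rather than dropped.

```python
"""Match network telemetry against the Danabot C2 endpoints listed in the
extracted config above. Added example, not part of the sandbox report."""
from dataclasses import dataclass

# C2 endpoints copied from the "Malware Config" section of this report.
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# Constructed Zeek conn.log excerpt (tab-separated); not real traffic.
# Row 2 is a SYN with no reply (S0): a dead or firewalled C2 still shows up.
# Row 4 reuses a C2 IP on a port the config does not list.
SAMPLE_CONN_LOG = (
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice\tconn_state\n"
    "1703614500.123\tCq1aB2\t10.0.0.15\t49812\t142.11.244.124\t443\ttcp\t-\tSF\n"
    "1703614501.456\tCq1aB3\t10.0.0.15\t49813\t142.11.206.50\t443\ttcp\t-\tS0\n"
    "1703614502.789\tCq1aB4\t10.0.0.22\t51000\t142.250.74.14\t443\ttcp\tssl\tSF\n"
    "1703614503.111\tCq1aB5\t10.0.0.15\t49814\t142.11.244.124\t80\ttcp\thttp\tSF\n"
)


@dataclass(frozen=True)
class Hit:
    ts: str
    uid: str
    src: str
    dst: str
    dport: int
    conn_state: str
    exact: bool  # True when ip:port matched the config, False when only the IP did


def parse_conn_log(text: str):
    """Yield one dict per data row of a Zeek TSV log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue
        vals = line.split("\t")
        if fields is None or len(vals) != len(fields):
            continue  # malformed row: skip rather than misalign columns
        yield dict(zip(fields, vals))


def find_c2_hits(text: str, c2=DANABOT_C2):
    """Return every connection whose responder IP is a configured C2 address.

    Matching on the IP alone, and reporting whether the port matched as well,
    keeps failed connection attempts and re-used infrastructure on other ports
    in the result set instead of silently dropping them."""
    c2_ips = {ip for ip, _ in c2}
    hits = []
    for rec in parse_conn_log(text):
        dst = rec["id.resp_h"]
        if dst not in c2_ips:
            continue
        try:
            dport = int(rec["id.resp_p"])
        except ValueError:
            continue
        hits.append(Hit(rec["ts"], rec["uid"], rec["id.orig_h"], dst, dport,
                        rec["conn_state"], (dst, dport) in c2))
    return hits


if __name__ == "__main__":
    for h in find_c2_hits(SAMPLE_CONN_LOG):
        print(f"{h.ts} {h.src} -> {h.dst}:{h.dport} state={h.conn_state} exact={h.exact}")
```

Feed it a real conn.log (or a firewall/proxy export re-keyed to the same field names) and triage the non-exact hits by hand: port 443 to a listed address is the configured channel, anything else on the same address is worth a look but is not by itself the loader talking to its C2.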
Signatures

Danabot Loader Component (2 IoCs)
  resource                                     yara_rule
  behavioral2/files/0x000700000002315b-7.dat   DanabotLoader2021
  behavioral2/files/0x000700000002315b-6.dat   DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  flow   pid    process
  42     4252   rundll32.exe

Loads dropped DLL (1 IoC)
  pid    process
  4252   rundll32.exe

Program crash (1 IoC)
  pid    pid_target   process        procid_target
  1632   2888         WerFault.exe   16

Suspicious use of WriteProcessMemory (3 IoCs)
  description                         pid    process                                procid_target
  PID 2888 wrote to memory of 4252    2888   83482a1f9ecee5ec6fd1aa7d19060a07.exe   46
  PID 2888 wrote to memory of 4252    2888   83482a1f9ecee5ec6fd1aa7d19060a07.exe   46
  PID 2888 wrote to memory of 4252    2888   83482a1f9ecee5ec6fd1aa7d19060a07.exe   46
Processes

C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe (PID 2888)
  command line: "C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\WerFault.exe (PID 1632)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2888 -s 444
    - Program crash

  C:\Windows\SysWOW64\rundll32.exe (PID 4252)
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL

C:\Windows\SysWOW64\WerFault.exe (PID 1444)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2888 -ip 2888
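A process-creation check for the rundll32 pattern in the tree above, as an added example that is not part of this report or of any rule the sandbox ran. It works over constructed Sysmon-style events (Event ID 1 field names: Image, CommandLine, ParentImage, ProcessId, ParentProcessId); the first event reproduces the report's rundll32 line, the others are benign and edge-case controls. The checks are the three things visible in the tree: the module lives in a user-writable directory, its extension is .TMP rather than .dll, and the parent itself runs from %TEMP%.

```python
"""Flag rundll32.exe invocations shaped like the one in the process tree above:
a module loaded from a user-writable directory, with a non-.dll extension,
launched by a parent that itself runs from %TEMP%. Added example over
constructed Sysmon-style process-creation events; not part of the report."""
import ntpath

# Directory markers an unprivileged user can write under (lower-case substring match).
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\windows\\temp\\")

# Constructed events (Sysmon Event ID 1 field names). The first one reproduces
# the rundll32 line from this report; the rest are benign or edge-case controls.
EVENTS = [
    {"ProcessId": 4252, "ParentProcessId": 2888,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE",
     "ParentImage": r"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"},
    {"ProcessId": 5100, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5200, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'rundll32.exe "C:\Users\Admin\AppData\Roaming\upd.dll",#1',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"ProcessId": 5300, "ParentProcessId": 1200,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def _take_token(s: str):
    """Split off the first command-line token, honouring double quotes.
    Returns (token_without_quotes, remainder)."""
    s = s.lstrip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return (s[1:], "") if end == -1 else (s[1:end], s[end + 1:])
    parts = s.split(None, 1)
    if not parts:
        return "", ""
    return parts[0], (parts[1] if len(parts) > 1 else "")


def split_rundll32_args(cmdline: str):
    """Return (module_path, export) from a rundll32 command line.

    rundll32 takes '<module>,<export> [args]'; the module may be quoted and
    the export may be a name or an ordinal such as #1. Returns (None, None)
    when no module argument is present."""
    _, rest = _take_token(cmdline)  # drop the rundll32.exe token itself
    rest = rest.lstrip()
    if not rest:
        return None, None
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end == -1:
            return None, None
        module, rest = rest[1:end], rest[end + 1:]
    else:
        i = 0
        while i < len(rest) and rest[i] not in ", \t":
            i += 1
        module, rest = rest[:i], rest[i:]
    rest = rest.lstrip()
    export = None
    if rest.startswith(","):
        tail = rest[1:].split(None, 1)
        export = tail[0] if tail else None
    return module, export


def assess_rundll32(ev: dict):
    """Return the reasons an event looks like a DLL loader; empty list if none."""
    # Match on the image path, not the command line: a 32-bit parent asking for
    # C:\Windows\system32\rundll32.exe is redirected to SysWOW64 by WoW64.
    if ntpath.basename(ev["Image"]).lower() != "rundll32.exe":
        return []
    module, _export = split_rundll32_args(ev["CommandLine"])
    if module is None:
        return []
    reasons = []
    mod_l = module.lower()
    if any(m in mod_l for m in USER_WRITABLE):
        reasons.append(f"module from user-writable path: {module}")
    ext = ntpath.splitext(mod_l)[1]
    if ext != ".dll":
        reasons.append(f"module extension {ext or '(none)'} is not .dll")
    parent_l = ev["ParentImage"].lower()
    if any(m in parent_l for m in USER_WRITABLE):
        reasons.append(f"parent runs from user-writable path: {ev['ParentImage']}")
    return reasons


def scan(events):
    """Map PID -> finding for every event that trips at least one check."""
    findings = {}
    for ev in events:
        reasons = assess_rundll32(ev)
        if reasons:
            module, export = split_rundll32_args(ev["CommandLine"])
            findings[ev["ProcessId"]] = {"parent_pid": ev["ParentProcessId"],
                                         "module": module, "export": export,
                                         "reasons": reasons}
    return findings


if __name__ == "__main__":
    for pid, f in scan(EVENTS).items():
        print(f"PID {pid} (parent {f['parent_pid']}): {f['module']},{f['export']}")
        for r in f["reasons"]:
            print("   -", r)
```

Two details of the report's own line drive the design: the module is referenced by its 8.3 short name (83482A~1.TMP), so a literal filename match on the sample's name would miss it and the check keys on directory and extension instead; and the command line says system32 while the image is under SysWOW64, so the process name is taken from Image, which is what the kernel actually mapped.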
Downloads

Filesize: 23KB
MD5: de918e6e2f268923ccbc58a6e5bcad38
SHA1: e2fab387fcc38bad12af617915fd1f87fc908d1e
SHA256: c21c487739de876cbb5ef2367334975a34c25b9415966190b3f9bf501302a961
SHA512: 503147b844531f206ed898aa869efb1b93afe7f391480d747a33c8aa47e290411b8dec1fa9f04be30377008a7114ce77e25b57ff990ecd171199e60ec99047e6

Filesize: 1KB
MD5: e7db4cdbe519f019a859007d118b7af8
SHA1: 1a8d76144a39e328803e6b60ea0558ebe4811066
SHA256: 9f8f9e73fd6f6d90728e3ea241b6597184a33d0b8ed71343faef03aedd909676
SHA512: 1d110f3de875f4beec97e91c2302e34decd81615d6f34016b532f0b98ef0efe61716c24bf84062bb7019e9f79d78bc3636565f0e5c1b45f1321028a9b69e89fe