Analysis

max time kernel: 148s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-12-2023 22:17

Static task: static1
Behavioral task: behavioral1
Sample: b7be87f68035db926317eb59c289fcd3.exe
Resource: win7-20231215-en
General

Target: b7be87f68035db926317eb59c289fcd3.exe
Size: 1.2MB
MD5: b7be87f68035db926317eb59c289fcd3
SHA1: 186f7e4ea34132f74b556de4aa0bb795fb7c6eab
SHA256: 641ddfbeb79686d53e97f99b043550cde7d19ef91c6e611f02ad80f33daaf4ad
SHA512: 305a4fc92f4ca5e4e4956c69ed4f105eb2f2b460a768d9e6ed5790ce31aa2335a8573695803dff2b1ac88356d7b6c3b7a676c8912dbfa0aeca751217481b8eff
SSDEEP: 12288:rVCb/f147wpOPaTWOSPPwzAXK2PA22zmof8job+hg8njpC2GpldNDtlqiZUBbAcr:Sf147s4yR2Pjgf8sKu7p1q9ACwGBa
Malware Config

Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (13 IoCs)
Processes:
resource  yara_rule
behavioral2/files/0x000600000002320e-6.dat  DanabotLoader2021
behavioral2/memory/3372-9-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/files/0x000600000002320e-8.dat  DanabotLoader2021
behavioral2/files/0x000600000002320e-7.dat  DanabotLoader2021
behavioral2/memory/3372-11-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-23-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-24-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-25-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-26-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-27-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-28-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-29-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021
behavioral2/memory/3372-30-0x0000000000990000-0x0000000000AEF000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes: rundll32.exe
flow  pid   Process
91    3372  rundll32.exe

Loads dropped DLL (2 IoCs)
Processes: rundll32.exe
pid   Process
3372  rundll32.exe
3372  rundll32.exe

Program crash (1 IoC)
Processes: WerFault.exe
pid   pid_target  Process       procid_target
5044  4944        WerFault.exe  87

Suspicious use of WriteProcessMemory (3 IoCs)
Processes: b7be87f68035db926317eb59c289fcd3.exe
description                        pid   Process                               procid_target
PID 4944 wrote to memory of 3372   4944  b7be87f68035db926317eb59c289fcd3.exe  90
PID 4944 wrote to memory of 3372   4944  b7be87f68035db926317eb59c289fcd3.exe  90
PID 4944 wrote to memory of 3372   4944  b7be87f68035db926317eb59c289fcd3.exe  90
Processes

C:\Users\Admin\AppData\Local\Temp\b7be87f68035db926317eb59c289fcd3.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\b7be87f68035db926317eb59c289fcd3.exe"
  PID: 4944
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\B7BE87~1.TMP,S C:\Users\Admin\AppData\Local\Temp\B7BE87~1.EXE
    PID: 3372
    - Blocklisted process makes network request
    - Loads dropped DLL

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4944 -s 508
    PID: 5044
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4944 -ip 4944
  PID: 60
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 26KB
MD5: c49769e803f407858cc0f6c24d530fd7
SHA1: efe427183167ac7d8b68de6ffa9717891e28256e
SHA256: 547682b17601687a7629cc490155578e7d95010ddb3314bacaec00ad850264ef
SHA512: c7a4b6d7fcd821b2e88ea6af0555faf91327b8ce59368edc3f3b99c2ef92a76f192a204c3af52f341694ab093cab4e45a7f7dfab44c871d0e560e3cbc99d0f22

Filesize: 13KB
MD5: 67440cf53def4937dc6bdf6bc60ca90a
SHA1: a5f9d780a52b4d1a04d01cd5d2da15376c9a62ed
SHA256: fc934941ce0c42d9b5dcad8193678e59c9911040e3bb0b543d04785faab3d128
SHA512: a133a3cd197c8bfea5ce358809edc4562b2f1b8a017aee243b9af4afca02012aebec0aee0684440acc1dc737b5da7942b4e9e5b27f49fe1f6c682ba1e6ae60f7

Filesize: 16KB
MD5: 1eee096239e805aa6ef52ea669814c6a
SHA1: b8a25b36a5f7128ce90d15272e5a125f59c014be
SHA256: e8d22138e321e3304a59c958fb8f569fa48ff4c5da42f2222bf02f5109808b33
SHA512: 9cd079bd32d9f6b5105d9597f0c4ca6b1cde41d160d9ec7b9c2d27da292e8f46cd71697b7a4e5e9c3b35c818d2a4430a27bdb9be534d9f074505c4fbc470f64c