Analysis
- max time kernel: 141s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 28-12-2023 00:03

Static task: static1
Behavioral task: behavioral1
- Sample: bbcc5e3ca7e87e9050071b250a55d59b.exe
- Resource: win7-20231215-en

General
- Target: bbcc5e3ca7e87e9050071b250a55d59b.exe
- Size: 1.2MB
- MD5: bbcc5e3ca7e87e9050071b250a55d59b
- SHA1: 899efad6150077f3d3a80d82ed567799467bacce
- SHA256: 9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c
- SHA512: ab676ee81674ac67ad9694c8d29ed59bfac79c0802b671ad87d19bc47532a37e2e1c2c7dfe1a70873107999a75de64d24ba8678194bcf1e6032c1e214d0b99db
- SSDEEP: 24576:Kxlta34iCuLbZu0H8uxttQIIsK3kSfyZvZEC7uW9LFXaw:MNqbZuAxgGSfIBESuCLd

Malware Config
Extracted
- danabot
  - 142.11.206.50:443
  - 142.11.244.124:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  - flow: 2, pid: 3032, Process: rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes:
  - pid: 3032, Process: rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, Process, procid_target):
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
  - PID 2512 wrote to memory of 3032 | 2512 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 28
Processes
1. C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe"
   - Suspicious use of WriteProcessMemory
   PID: 2512
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 3032
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 23KB
  MD5: 017b2d1ce34108fbbccb52f494e30c22
  SHA1: f1bc4307a82151da50d987e1375facc37a9ac4dd
  SHA256: 9d5930e2cf0d2ecf11d5b3bfade539f4ba75d1345f49512f9ccd51b428dd022f
  SHA512: 1a524f5d3b561306a33d3381c186d1738873557b3619beac32b11d3967e046a29401755b4400c49236a2bd8293ccd99f0161c757a5931eef74e972de6cc23f45
- Filesize: 34KB
  MD5: 64c6c92e49abd5f8a5b8c0337c9a6135
  SHA1: 9e393ae8959ef866676ca658d252a87cec8d5167
  SHA256: 1469640285561c485190575d13759739d9d8bbe1666d071fbae49ff55f900435
  SHA512: 8f438d9b404a971faf982cd1c0259449ee3c68b7599b97241973231a3ae7b86c76267265096b0f413c200f935b993b10ce08c5104ef2c47de8d23ca6a8515c70