Analysis
Max time kernel: 160s
Max time network: 173s
Platform: windows10-2004_x64
Resource: win10v2004-20231215-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 28-12-2023 00:03
Static task: static1
Behavioral task: behavioral1
Sample: bbcc5e3ca7e87e9050071b250a55d59b.exe
Resource: win7-20231215-en
General
Target: bbcc5e3ca7e87e9050071b250a55d59b.exe
Size: 1.2MB
MD5: bbcc5e3ca7e87e9050071b250a55d59b
SHA1: 899efad6150077f3d3a80d82ed567799467bacce
SHA256: 9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c
SHA512: ab676ee81674ac67ad9694c8d29ed59bfac79c0802b671ad87d19bc47532a37e2e1c2c7dfe1a70873107999a75de64d24ba8678194bcf1e6032c1e214d0b99db
SSDEEP: 24576:Kxlta34iCuLbZu0H8uxttQIIsK3kSfyZvZEC7uW9LFXaw:MNqbZuAxgGSfIBESuCLd
Malware Config
Extracted
danabot
142.11.206.50:443
142.11.244.124:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe
  flow | pid  | Process
  154  | 3748 | rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes: rundll32.exe
  pid  | Process
  3748 | rundll32.exe
- Program crash (1 IoC)
  Processes: WerFault.exe
  pid  | pid_target | Process      | procid_target
  1680 | 2760       | WerFault.exe | 83
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: bbcc5e3ca7e87e9050071b250a55d59b.exe
  description                      | pid  | Process                              | procid_target
  PID 2760 wrote to memory of 3748 | 2760 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 91
  PID 2760 wrote to memory of 3748 | 2760 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 91
  PID 2760 wrote to memory of 3748 | 2760 | bbcc5e3ca7e87e9050071b250a55d59b.exe | 91
Processes
- C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2760
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 3748
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 508
    - Program crash
    PID: 1680
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2760 -ip 2760
  PID: 3324
Downloads
- Filesize: 1.3MB
  MD5: 13de044c4ce35f2eded6358956fd001b
  SHA1: bd219d896a2f6ee552335e563fa6f68923fc57fa
  SHA256: 7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d
  SHA512: cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb