Analysis Overview
SHA256
9610051a347d56ae5d91e3a3c471a2d90b5a4e02b2aa714f931d4cbe164eb42c
Threat Level: Known bad
The file bbcc5e3ca7e87e9050071b250a55d59b was found to be: Known bad.
Malicious Activity Summary
Danabot
Blocklisted process makes network request
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-28 00:03
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-28 00:03
Reported
2023-12-29 12:16
Platform
win7-20231215-en
Max time kernel
141s
Max time network
120s
Command Line
Signatures
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe
"C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.EXE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 142.11.244.124:443 | | tcp |
Files
memory/2512-0-0x0000000001E40000-0x0000000001F2B000-memory.dmp
memory/2512-1-0x0000000001E40000-0x0000000001F2B000-memory.dmp
memory/3032-9-0x0000000000A80000-0x0000000000BE0000-memory.dmp
\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
| Hash | Value |
|---|---|
| MD5 | 64c6c92e49abd5f8a5b8c0337c9a6135 |
| SHA1 | 9e393ae8959ef866676ca658d252a87cec8d5167 |
| SHA256 | 1469640285561c485190575d13759739d9d8bbe1666d071fbae49ff55f900435 |
| SHA512 | 8f438d9b404a971faf982cd1c0259449ee3c68b7599b97241973231a3ae7b86c76267265096b0f413c200f935b993b10ce08c5104ef2c47de8d23ca6a8515c70 |
C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
| Hash | Value |
|---|---|
| MD5 | 017b2d1ce34108fbbccb52f494e30c22 |
| SHA1 | f1bc4307a82151da50d987e1375facc37a9ac4dd |
| SHA256 | 9d5930e2cf0d2ecf11d5b3bfade539f4ba75d1345f49512f9ccd51b428dd022f |
| SHA512 | 1a524f5d3b561306a33d3381c186d1738873557b3619beac32b11d3967e046a29401755b4400c49236a2bd8293ccd99f0161c757a5931eef74e972de6cc23f45 |
memory/2512-6-0x0000000000400000-0x0000000000548000-memory.dmp
memory/2512-5-0x0000000000400000-0x0000000000548000-memory.dmp
memory/2512-2-0x0000000001F80000-0x0000000002081000-memory.dmp
memory/3032-10-0x0000000000A80000-0x0000000000BE0000-memory.dmp
memory/3032-18-0x0000000000A80000-0x0000000000BE0000-memory.dmp
memory/3032-19-0x0000000000A80000-0x0000000000BE0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-28 00:03
Reported
2023-12-29 12:17
Platform
win10v2004-20231215-en
Max time kernel
160s
Max time network
173s
Command Line
Signatures
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2760 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2760 wrote to memory of 3748 | N/A | C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe
"C:\Users\Admin\AppData\Local\Temp\bbcc5e3ca7e87e9050071b250a55d59b.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP,S C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 2760 -ip 2760
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2760 -s 508
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 19.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 189.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 114.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 190.178.17.96.in-addr.arpa | udp |
| US | 142.11.244.124:443 | tcp | |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.143.182.52.in-addr.arpa | udp |
Files
memory/2760-1-0x0000000002290000-0x0000000002388000-memory.dmp
memory/2760-2-0x0000000002440000-0x0000000002541000-memory.dmp
memory/2760-3-0x0000000000400000-0x0000000000548000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\BBCC5E~1.TMP
| Hash | Value |
|---|---|
| MD5 | 13de044c4ce35f2eded6358956fd001b |
| SHA1 | bd219d896a2f6ee552335e563fa6f68923fc57fa |
| SHA256 | 7a342a7788a4a014febcfaa2c31c584c422807ed91545a90056a86ecffa4f33d |
| SHA512 | cf4f1044c0358a9b2469478c829afee36a4917abccce7eae741e192a34cd5130c873173693a42565bc0f432e2ce0e6e7c26ef2d75ac872ab6371929b9267b9fb |
memory/2760-8-0x0000000000400000-0x0000000000548000-memory.dmp
memory/2760-9-0x0000000002440000-0x0000000002541000-memory.dmp
memory/3748-10-0x0000000000400000-0x0000000000560000-memory.dmp
memory/3748-18-0x0000000000400000-0x0000000000560000-memory.dmp
memory/3748-19-0x0000000000400000-0x0000000000560000-memory.dmp