Analysis

max time kernel: 149s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-12-2023 20:22

Static task: static1
Behavioral task: behavioral1
  Sample: 02f6cd0c20673f819bba4b21f4d30d44.exe
  Resource: win7-20231129-en
General

Target: 02f6cd0c20673f819bba4b21f4d30d44.exe
Size: 1.2MB
MD5: 02f6cd0c20673f819bba4b21f4d30d44
SHA1: fbc98200bb30e5fd14b547dc75311f683ae0c875
SHA256: 463654d4c0ca86dbb8f6babe6f7614ce7475dd195bc1c6ea5b854a0ed7f6108f
SHA512: be485b4aed3fe843787d7a944698a4a1d0f0ad7347b0117ad77eccc3539523b4082bb913510d9b4225170108ba0579b074a229974369cf61e2c1c08fc320a66f
SSDEEP: 24576:w6TleADmI4T1kagXHq96dUEcZeN8VTbmH:LlI1kagFUEcZeOtm
Malware Config

Extracted
  Family: danabot
  Version: 4
  C2: 142.11.244.124:443
      142.11.206.50:443
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
Signatures

Danabot Loader Component (11 IoCs)
  resource                                                                     yara_rule
  behavioral2/files/0x000800000002320b-7.dat                                   DanabotLoader2021
  behavioral2/files/0x000800000002320b-6.dat                                   DanabotLoader2021
  behavioral2/memory/1168-10-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-18-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-19-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-20-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-21-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-22-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-23-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-24-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021
  behavioral2/memory/1168-25-0x0000000000400000-0x000000000055F000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  flow  pid   Process
  143   1168  rundll32.exe

Loads dropped DLL (1 IoC)
  pid   Process
  1168  rundll32.exe

Program crash (1 IoC)
  pid   pid_target  Process       procid_target
  3908  2256        WerFault.exe  15

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process                               procid_target
  PID 2256 wrote to memory of 1168  2256  02f6cd0c20673f819bba4b21f4d30d44.exe  32
  PID 2256 wrote to memory of 1168  2256  02f6cd0c20673f819bba4b21f4d30d44.exe  32
  PID 2256 wrote to memory of 1168  2256  02f6cd0c20673f819bba4b21f4d30d44.exe  32
Processes

C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\02f6cd0c20673f819bba4b21f4d30d44.exe"
  PID: 2256
  signatures: Suspicious use of WriteProcessMemory
  |
  +-- C:\Windows\SysWOW64\rundll32.exe
  |     command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\02F6CD~1.TMP,S C:\Users\Admin\AppData\Local\Temp\02F6CD~1.EXE
  |     PID: 1168
  |     signatures: Blocklisted process makes network request; Loads dropped DLL
  |
  +-- C:\Windows\SysWOW64\WerFault.exe
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2256 -s 516
        PID: 3908
        signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 2256 -ip 2256
  PID: 1972
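The process tree above shows the detection-relevant pattern: a dropper in the user's Temp directory spawns rundll32.exe, which loads a freshly written module with a .TMP extension through an 8.3 short name, calls its export "S", and is the process that then goes out to the network. The following is an added example, not part of the sandbox report or of any vendor's detection content; it runs those heuristics over constructed process-creation and connection records and correlates the network activity with the C2 endpoints from the extracted config. The ProcEvent record layout, the parent PIDs of 2256 and 4321, the benign Control Panel record and the 203.0.113.10 destination are assumptions made for the demo.

```python
import re
from dataclasses import dataclass

# C2 endpoints as extracted in the report above.
DANABOT_C2 = {"142.11.244.124:443", "142.11.206.50:443"}

# Directories an unprivileged user can write to; a module loaded by rundll32
# from one of these is a loader pattern, not a normal Windows component.
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\",
                 "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Extensions rundll32 is ordinarily asked to load.
LOADABLE_EXT = {".dll", ".cpl", ".ocx", ".ax"}


@dataclass
class ProcEvent:
    """Minimal process-creation record (layout is an assumption, not a real log format)."""
    pid: int
    parent_pid: int
    image: str
    cmdline: str
    parent_image: str


def rundll32_target(cmdline):
    """Return (module_path, export) from a rundll32 command line, or None.

    rundll32 is invoked as '<rundll32> <module>,<export> [args]'; the module may be
    quoted or written as an 8.3 short name (02F6CD~1.TMP in the tree above).
    """
    m = re.match(r'^\s*"?[^"]*?rundll32(?:\.exe)?"?\s+"?([^",]+?)"?\s*,\s*(\S+)',
                 cmdline, re.IGNORECASE)
    return (m.group(1), m.group(2)) if m else None


def rundll32_findings(ev):
    """Heuristics that fire on the rundll32 launch in the process tree above."""
    findings = []
    if not ev.image.lower().endswith("rundll32.exe"):
        return findings
    target = rundll32_target(ev.cmdline)
    if target is None:
        return ["rundll32 launched without a module,export argument"]
    path, export = target
    low = path.lower()
    name = low.rsplit("\\", 1)[-1]
    ext = name[name.rfind("."):] if "." in name else ""
    if any(d in low for d in USER_WRITABLE):
        findings.append(f"module loaded from user-writable path: {path}")
    if ext not in LOADABLE_EXT:
        findings.append(f"module has non-DLL extension {ext or '(none)'}: {path}")
    if re.search(r"~\d", name):
        findings.append(f"8.3 short name hides the real module name: {name}")
    if len(export) == 1:
        findings.append(f"single-letter export '{export}' (the sample above uses ',S')")
    if any(d in ev.parent_image.lower() for d in USER_WRITABLE):
        findings.append(f"parent runs from user-writable path: {ev.parent_image}")
    return findings


def network_findings(events, netconn):
    """Correlate outbound connections with suspect rundll32 processes and known C2."""
    suspect = {e.pid for e in events if rundll32_findings(e)}
    out = []
    for pid, dst in netconn:
        if dst in DANABOT_C2:
            out.append(f"pid {pid} contacted known Danabot C2 {dst}")
        elif pid in suspect:
            out.append(f"suspect rundll32 pid {pid} made a network request to {dst}")
    return out


# Constructed sample telemetry: the first two records reproduce the command lines
# and PIDs from the process tree above (parent PID 1000 is made up); the third is
# a benign Control Panel launch added for contrast.
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"
EVENTS = [
    ProcEvent(2256, 1000, TEMP + "02f6cd0c20673f819bba4b21f4d30d44.exe",
              f'"{TEMP}02f6cd0c20673f819bba4b21f4d30d44.exe"', "C:\\Windows\\explorer.exe"),
    ProcEvent(1168, 2256, "C:\\Windows\\SysWOW64\\rundll32.exe",
              f"C:\\Windows\\system32\\rundll32.exe {TEMP}02F6CD~1.TMP,S {TEMP}02F6CD~1.EXE",
              TEMP + "02f6cd0c20673f819bba4b21f4d30d44.exe"),
    ProcEvent(4321, 1000, "C:\\Windows\\System32\\rundll32.exe",
              '"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\System32\\shell32.dll,Control_RunDLL',
              "C:\\Windows\\explorer.exe"),
]
# Constructed connection log as (pid, "ip:port"); the first entry is a C2 from the config.
NETCONN = [(1168, "142.11.244.124:443"), (4321, "203.0.113.10:443")]

if __name__ == "__main__":
    for ev in EVENTS:
        for f in rundll32_findings(ev):
            print(f"pid {ev.pid}: {f}")
    for f in network_findings(EVENTS, NETCONN):
        print(f)
```

Each heuristic is weak on its own (8.3 names and Temp paths both occur in legitimate installers), so a production rule should require several of them together, as this sample triggers all five; the C2 match is the only high-confidence indicator and is tied to this config, so it ages quickly and belongs in a blocklist rather than in the behavioral logic.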
Network
MITRE ATT&CK Matrix
Downloads

File 1
  Filesize: 160KB
  MD5: 7e0842a28143a9b40f5f63e2b8153f54
  SHA1: 3f7daf28976148e55ec55cb7e725c83a04399462
  SHA256: df94ed67841091979d6c86081f4ceaa6b9d892724307e6574f758b0c5dbee90c
  SHA512: d82b34308b5573aee84c482cd111cd87160f4eed2154a9d28bc6b4a70c792d607533481ed868a6ae4dc010355bd6f05ae371c92414a6ae6c2cfbaeea918cebcf

File 2
  Filesize: 230KB
  MD5: 786b636f727a054829c7c2195d34136c
  SHA1: a3e8d25f2e96dbd6a6d3dcee48322d9339f2be67
  SHA256: 05e692801356858257006f8c709434b103317509adc47ad0d3cb74eb39a15fd2
  SHA512: 5c3114423cbb547f81ffa28dca437bd0a7fa78f67236506fa460a38a493b9ce24bb27106b4b5b39a5c74ce608e336de77fd0e16f511c4e8fa764569cdb006657