Analysis Overview
SHA256
23d57a913a8c60630d1f26d5f7eba55d8437d7595f562b1dd81b2ebc8d69751c
Threat Level: Known bad
The file 0f188430addd42481937c39756c45b26 was found to be: Known bad.
Malicious Activity Summary
Danabot
Danabot Loader Component
Blocklisted process makes network request
Loads dropped DLL
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2023-12-30 04:51
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-30 04:51
Reported
2023-12-30 23:16
Platform
win10v2004-20231215-en
Max time kernel
144s
Max time network
152s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1960 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1960 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1960 wrote to memory of 4332 | N/A | C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe
"C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 200 -p 1960 -ip 1960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 524
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0F1884~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0F1884~1.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1960 -ip 1960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1960 -ip 1960
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1960 -s 576
Network
| Country | Destination | Domain | Proto |
| GB | 23.44.234.16:80 | | tcp |
| US | 138.91.171.81:80 | | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 0.181.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.233.44.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.1.37.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 142.11.244.124:443 | | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 178.223.142.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 124.244.11.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-30 04:51
Reported
2023-12-30 23:17
Platform
win7-20231129-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe
"C:\Users\Admin\AppData\Local\Temp\0f188430addd42481937c39756c45b26.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\0F1884~1.TMP,S C:\Users\Admin\AppData\Local\Temp\0F1884~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 142.11.244.124:443 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\0F1884~1.TMP
| MD5 | 1f88394840a08762a2877515800748e5 |
| SHA1 | 6215f8edfb4b3c9a44973dadef4bdfac4d545fde |
| SHA256 | ce91d3fbe840af2a80fe9ef8e41ecb9e28925b6d4653eef83dd7e981511709b6 |
| SHA512 | 62e24dd71c3743a234ea7f640f59696f4804271e4d85dbff415903d36acd4f79aea506f0679a13b86f51c012c9be0bdb357465a43a9f61bef71546fe0edd4c30 |
C:\Users\Admin\AppData\Local\Temp\0F1884~1.TMP
| MD5 | fe49e6a7a896267c4536f0a587136479 |
| SHA1 | 1cb30cc99b0eda8c6ebd9a1684396419d946177f |
| SHA256 | 2e954aa339af82ed8be774b42fbe6809befef39543a7d0c2becd94db9daebd9c |
| SHA512 | 0e1970d044761d4a136a3a0b32d3ff8213f9ca19bff5c18ff17dc8b6b9466963a3e7834c0ef9a9dedb5d865dce3a2b0f954d0e319f27a66669fecd1cd71c88ba |