Analysis
-
max time kernel
147s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system -
submitted
30-12-2023 06:22
Static task
static1
Behavioral task
behavioral1
Sample
10f49a80de7e85fa33959da15d393f29.exe
Resource
win7-20231215-en
General
-
Target
10f49a80de7e85fa33959da15d393f29.exe
-
Size
1.1MB
-
MD5
10f49a80de7e85fa33959da15d393f29
-
SHA1
4c01b7fb9421818af469b46355603a43fd2339e3
-
SHA256
f5fe7311025d620bccb08dcfb69f03c71620351b35ea8635b798ffc62374423a
-
SHA512
a580433022bd42d7cb8cb69c85b3a16aa861f394456160c1796af9e8835c77a14f2de8b924acaabe3d8b5d4320d87cf421130a5e1075452980fb4c7a624bbdb2
-
SSDEEP
24576:BmAFA8YMYUXozd7t7JaHvvHIpXQ1QVmC19XJ03hWWN:Q0A8R4htdYvw21Q950
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
-
type
loader
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   Process
68    4404  rundll32.exe
-
Loads dropped DLL 2 IoCs
Processes:
pid   Process
4404  rundll32.exe
4404  rundll32.exe
-
Program crash 1 IoCs
Processes:
pid   pid_target  Process       procid_target
3444  1036        WerFault.exe  14
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                       pid   Process                                procid_target
PID 1036 wrote to memory of 4404  1036  10f49a80de7e85fa33959da15d393f29.exe  46
PID 1036 wrote to memory of 4404  1036  10f49a80de7e85fa33959da15d393f29.exe  46
PID 1036 wrote to memory of 4404  1036  10f49a80de7e85fa33959da15d393f29.exe  46
Processes
-
C:\Users\Admin\AppData\Local\Temp\10f49a80de7e85fa33959da15d393f29.exe  (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\10f49a80de7e85fa33959da15d393f29.exe"
  - Suspicious use of WriteProcessMemory
  PID: 1036

  C:\Windows\SysWOW64\rundll32.exe  (depth 2)
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\10F49A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\10F49A~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID: 4404

  C:\Windows\SysWOW64\WerFault.exe  (depth 2)
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1036 -s 500
    - Program crash
    PID: 3444

C:\Windows\SysWOW64\WerFault.exe  (depth 1)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 1036 -ip 1036
  PID: 3216
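The process tree above is the part of this report worth turning into detection logic: the dropper launches rundll32.exe with a library that sits in the user's Temp directory, carries a .TMP rather than .dll extension, is referenced by an 8.3 short name, and is entered through a single-letter export (S), with the original executable path passed as the argument; that rundll32 instance is then the one that makes the blocklisted network request, and the extracted config gives the two C2 endpoints it would contact. The following Python script is an added example, not part of the sandbox report and not any vendor's detection content. It runs constructed process-creation and network-connection events (dict records loosely shaped like Sysmon EID 1 and EID 3; the PIDs, images, command lines and the first destination are copied from this report, the shell32.dll launch and the 203.0.113.10 connection are made up for contrast) through the checks a detection engineer would write for this pattern. It assumes Python 3.9 or newer and an unquoted DLL path without spaces, which is what the sandbox shows.

```python
"""Added example: detection checks for the rundll32 loader pattern in this report.

Assumed event shape: plain dicts resembling Sysmon process-creation (EID 1) and
network-connection (EID 3) records. Requires Python 3.9+.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# C2 endpoints taken from the report's Malware Config section.
C2_ENDPOINTS = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# rundll32 <dll>,<export> [args]; assumes an unquoted DLL path without spaces,
# which is what the sandbox shows here (8.3 short names never contain spaces).
RUNDLL32_RE = re.compile(
    r"rundll32(?:\.exe)?\s+(?P<dll>[^\s,]+),(?P<export>\S+)", re.IGNORECASE
)
# Directories an unprivileged user can write to; a system binary loading a DLL
# from one of these is the core of the "Loads dropped DLL" signature.
USER_WRITABLE_RE = re.compile(
    r"\\appdata\\local\\temp\\|\\users\\public\\|\\programdata\\", re.IGNORECASE
)


@dataclass(frozen=True)
class Finding:
    pid: int
    reason: str


def rundll32_reasons(cmdline: str) -> list[str]:
    """Return why a rundll32 command line looks like a loader; [] if it looks benign."""
    m = RUNDLL32_RE.search(cmdline)
    if not m:
        return []
    dll, export = m.group("dll"), m.group("export")
    reasons = []
    if USER_WRITABLE_RE.search(dll):
        reasons.append("DLL loaded from a user-writable directory")
    if not dll.lower().endswith(".dll"):
        reasons.append("DLL does not carry a .dll extension")
    if "~" in dll.rsplit("\\", 1)[-1]:
        reasons.append("DLL referenced by an 8.3 short name")
    if export.startswith("#") or len(export) <= 2:
        reasons.append("export is an ordinal or a one/two-character name")
    return reasons


def scan(events: list[dict]) -> list[Finding]:
    """Flag suspicious rundll32 launches and connections to the extracted C2 set."""
    findings: list[Finding] = []
    for ev in events:
        if ev["event"] == "process_create":
            reasons = rundll32_reasons(ev["cmdline"])
            if reasons:
                findings.append(Finding(ev["pid"], "rundll32: " + "; ".join(reasons)))
        elif ev["event"] == "network_connect":
            dst = (ev["dst_ip"], ev["dst_port"])
            if dst in C2_ENDPOINTS:
                findings.append(Finding(ev["pid"], f"connection to DanaBot C2 {dst[0]}:{dst[1]}"))
    return findings


def correlate(events: list[dict]) -> set[int]:
    """PIDs whose rundll32 launch was flagged and which then made any outbound connection."""
    flagged = {ev["pid"] for ev in events
               if ev["event"] == "process_create" and rundll32_reasons(ev["cmdline"])}
    connected = {ev["pid"] for ev in events if ev["event"] == "network_connect"}
    return flagged & connected


# Constructed events. PIDs, images, command lines and the first destination come
# from this report; the shell32.dll launch (pid 5120, parent 812) and the
# 203.0.113.10 connection are made up to show a benign rundll32 and an
# unrelated connection for contrast.
SAMPLE_EVENTS = [
    {"event": "process_create", "pid": 1036,
     "image": r"C:\Users\Admin\AppData\Local\Temp\10f49a80de7e85fa33959da15d393f29.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\10f49a80de7e85fa33959da15d393f29.exe"'},
    {"event": "process_create", "pid": 4404, "parent_pid": 1036,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\10F49A~1.TMP,S "
                r"C:\Users\Admin\AppData\Local\Temp\10F49A~1.EXE"},
    {"event": "process_create", "pid": 5120, "parent_pid": 812,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"event": "network_connect", "pid": 4404, "dst_ip": "142.11.244.124", "dst_port": 443},
    {"event": "network_connect", "pid": 4404, "dst_ip": "203.0.113.10", "dst_port": 443},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"pid {f.pid}: {f.reason}")
    print("rundll32 loader that also went online:", sorted(correlate(SAMPLE_EVENTS)))
```

The individual rundll32 checks are weak on their own (a .TMP extension or an 8.3 name each has legitimate uses), which is why `scan` reports them together and `correlate` only promotes a rundll32 instance that both loaded a DLL from a user-writable path and then went online; the C2 match is the high-confidence indicator, but it only covers the two addresses in this sample's config.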
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
92KB
MD5
7518820dd5c42075f95a0a499591a134
SHA1
cbb0656d169e70053e1348ba00ef9ccc88df15bf
SHA256
4c9ccc43c24ff66cbc2ce73b48aa709895518317e00aeca806890f3fb674a078
SHA512
cdd01869fea5102873ff72ae0de45037ce8bbfc662dc892c13da4ffd06a99602802f7d2e98d12c64501e73fbd28b050f048ec82f0a37a9d334a240825781b8b8