Analysis
max time kernel
143s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags
arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted
30-12-2023 07:14
Static task
static1
Behavioral task
behavioral1
Sample
11e11143ef5713077396f32f3fafd109.exe
Resource
win7-20231215-en
General
Target
11e11143ef5713077396f32f3fafd109.exe
Size
1.2MB
MD5
11e11143ef5713077396f32f3fafd109
SHA1
d2d8950d848129ab460439d3e4a0615f5f2d10c3
SHA256
0d6b46f8c96f69555ad79d7fdfd91c2eb24e3baa5b89dea1b3a024f28cb40be7
SHA512
92afb5046efb98ea7d930132481226eb8ad6250b363d670450c0e972e1253a59d958df7a4fffb99d20017bae4246b5a86fa03bf9865a2da155e1d03e9bbb3fc9
SSDEEP
24576:NLmxtn8xbSdKS1c6x62DAHzisGqQLlrwAta5Hsr8Ft5M6:Nw8xbEdx6sH9LlUAtaRnn
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
type
loader
Signatures
Danabot Loader Component 11 IoCs
Processes:
resource                                                          yara_rule
behavioral1/files/0x000d000000012731-9.dat                        DanabotLoader2021
behavioral1/memory/2304-10-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-11-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-19-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-20-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-21-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-22-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-23-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-24-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-25-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
behavioral1/memory/2304-26-0x0000000001DC0000-0x0000000001F1F000-memory.dmp  DanabotLoader2021
Blocklisted process makes network request 1 IoCs
Processes: rundll32.exe
flow  pid   Process
2     2304  rundll32.exe
Loads dropped DLL 1 IoCs
Processes: rundll32.exe
pid   Process
2304  rundll32.exe
Suspicious use of WriteProcessMemory 7 IoCs
Processes: 11e11143ef5713077396f32f3fafd109.exe
description                     pid   Process                               procid_target
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
PID 2204 wrote to memory of 2304  2204  11e11143ef5713077396f32f3fafd109.exe  28
Processes
C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe
  "C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"
  - Suspicious use of WriteProcessMemory
  PID:2204
  C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP,S C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE
    - Blocklisted process makes network request
    - Loads dropped DLL
    PID:2304
Network
MITRE ATT&CK Matrix
Downloads
Filesize
45KB
MD5
42f86633a7005d0beb369c7658bd6344
SHA1
046e4bfb1ca72a4c137e3915230530879d23249c
SHA256
642f76e4b7931fffd18fc9015456b074144ba343f7af8ee787235e1657acefbd
SHA512
fb32e8ce8521bad085b3f2c9740ecb2ebabf1678e81a3c9d5a6e4b0e909edbfa26a571d3ab855252d4654345b13b7c87fe90c5314305bc160d74790846c051e9