Analysis
-
max time kernel
168s -
max time network
178s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64 arch:x86 image:win10v2004-20231215-en locale:en-us os:windows10-2004-x64 system -
submitted
30-12-2023 07:14
Static task
static1
Behavioral task
behavioral1
Sample
11e11143ef5713077396f32f3fafd109.exe
Resource
win7-20231215-en
General
-
Target
11e11143ef5713077396f32f3fafd109.exe
-
Size
1.2MB
-
MD5
11e11143ef5713077396f32f3fafd109
-
SHA1
d2d8950d848129ab460439d3e4a0615f5f2d10c3
-
SHA256
0d6b46f8c96f69555ad79d7fdfd91c2eb24e3baa5b89dea1b3a024f28cb40be7
-
SHA512
92afb5046efb98ea7d930132481226eb8ad6250b363d670450c0e972e1253a59d958df7a4fffb99d20017bae4246b5a86fa03bf9865a2da155e1d03e9bbb3fc9
-
SSDEEP
24576:NLmxtn8xbSdKS1c6x62DAHzisGqQLlrwAta5Hsr8Ft5M6:Nw8xbEdx6sH9LlUAtaRnn
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
-
type
loader
Signatures
-
Danabot Loader Component 12 IoCs
Processes:
resource yara_rule
behavioral2/files/0x000600000002322d-6.dat DanabotLoader2021
behavioral2/files/0x000600000002322d-8.dat DanabotLoader2021
behavioral2/memory/4580-9-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/files/0x000600000002322d-7.dat DanabotLoader2021
behavioral2/memory/4580-12-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-20-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-21-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-22-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-23-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-24-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-25-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
behavioral2/memory/4580-26-0x0000000001F20000-0x000000000207F000-memory.dmp DanabotLoader2021
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exe
flow pid Process
60 4580 rundll32.exe
-
Loads dropped DLL 2 IoCs
Processes:
rundll32.exe
pid Process
4580 rundll32.exe
4580 rundll32.exe
-
Program crash 1 IoCs
Processes:
WerFault.exe
pid pid_target Process procid_target
1884 1972 WerFault.exe 88
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
11e11143ef5713077396f32f3fafd109.exe
description pid Process procid_target
PID 1972 wrote to memory of 4580 1972 11e11143ef5713077396f32f3fafd109.exe 93
PID 1972 wrote to memory of 4580 1972 11e11143ef5713077396f32f3fafd109.exe 93
PID 1972 wrote to memory of 4580 1972 11e11143ef5713077396f32f3fafd109.exe 93
Processes
-
C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe
"C:\Users\Admin\AppData\Local\Temp\11e11143ef5713077396f32f3fafd109.exe"
- Suspicious use of WriteProcessMemory
PID:1972
  -
  C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\11E111~1.TMP,S C:\Users\Admin\AppData\Local\Temp\11E111~1.EXE
  - Blocklisted process makes network request
  - Loads dropped DLL
  PID:4580
  -
  C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 536
  - Program crash
  PID:1884
-
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 1972 -ip 1972
PID:1140
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize
419KB
MD5 ff97c1c652c8698094acccf11aa77bf7
SHA1 90b5c1f98324adaf84a4e2424fb1a3f91e9cda33
SHA256 4370202bbf13aee6f8d93648b5d649ea08dc1f7e0dfad46aaf86c15781258ec7
SHA512 dfdb50e1559eaf8ceb92463edaee225962721160148dc3fc1258a0e8758438005d869ddff37bb459f3e7131a5ff94ca854dda84b244c87d6f8f95509eff34e50
-
Filesize
894KB
MD5 3c03b1c67fbf9c771b826058947dd0f7
SHA1 b209c9b6cd5de796073f16af7d8f56ee1fd37363
SHA256 378da9bfb98d564e5555322ca855e9e5c48152a4126d47befcae77aca2a8d468
SHA512 30d14a73e7db254dcca1f775ad9691c4f8cbfa39d113b2e31b093576ae221a334e1be0e2fff23c8c8ccf5bcb24adbd8bdfab507fa52d960837b2cd3b38783d8f
-
Filesize
1.2MB
MD5 bfa17d48f7c282a3d758bdbb2079e067
SHA1 610cbd992dc186b0bb909e9499269a6618e353de
SHA256 347b5d5fdd4d0c0c4174d832481e7079e0c096bed60c2ed95e0306f468cc2dae
SHA512 e3ee96cdd526cd8e11ca1c8c163a6185dc806372a2d997f6a6fe17914251fb8954b89700ab25a0a1142d89558ce4cd379c27f82aca3452370c0eb948677bd2af