Analysis Overview
SHA256
ad2c6dbce9ba2f0e44e632fea78a573eba6ebfb6f70303653b4ac046b32604eb
Threat Level: Known bad
The file 4cd3122ecb4da50429a0967972e0592e was found to be: Known bad.
Malicious Activity Summary
Danabot
Danabot Loader Component
Blocklisted process makes network request
Loads dropped DLL
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-09 00:12
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-09 00:12
Reported
2024-01-09 00:15
Platform
win7-20231215-en
Max time kernel
151s
Max time network
128s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe
"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE
Network
| Country | Destination | Domain | Proto |
| NL | 193.34.167.138:443 | | tcp |
Files
memory/2244-0-0x0000000000C10000-0x0000000000CF9000-memory.dmp
memory/2244-1-0x0000000000C10000-0x0000000000CF9000-memory.dmp
memory/2244-2-0x0000000000D00000-0x0000000000DFF000-memory.dmp
memory/2244-5-0x0000000000400000-0x00000000009DD000-memory.dmp
memory/2244-7-0x0000000000D00000-0x0000000000DFF000-memory.dmp
memory/2244-8-0x0000000000400000-0x00000000009DD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP
| MD5 | 2cc9381935c5fe678fd34492a79bd415 |
| SHA1 | ea3339b3f548e019cb2d133dc774de880cf29e87 |
| SHA256 | c5ca9acbb7446804cd8074e63e0aa0c6a0293f8948ac99deccce1e730ecfbbd5 |
| SHA512 | e3126b03b4cc84b9b366f9821c7c2f72859bc8b34b5aecc18b50185a21508c32862f2b0f7a05f5e84bef0eb2061f0795fbe96863be9f85165a087c2aa9c4e762 |
memory/2448-10-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-11-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2244-13-0x0000000000400000-0x00000000009DD000-memory.dmp
memory/2448-20-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-21-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-22-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-23-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-24-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-25-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-26-0x00000000007C0000-0x000000000091D000-memory.dmp
memory/2448-27-0x00000000007C0000-0x000000000091D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-09 00:12
Reported
2024-01-09 00:15
Platform
win10v2004-20231222-en
Max time kernel
149s
Max time network
148s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 5000 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5000 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5000 wrote to memory of 1192 | N/A | C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe
"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 508
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 5000 -ip 5000
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE
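The process tree above is the whole loader story in three lines: the sample in %TEMP% drops a file with a .TMP extension, launches rundll32.exe against it with the export name `S`, and (per the WriteProcessMemory signature) writes into that child. The following Python is an added detection example, not part of this report or of any sandbox tooling: it parses rundll32 command lines and flags the combination of a DLL argument in a user-writable path, a non-.dll extension, a short export name, a parent that itself lives in a user-writable path, and a parent holding a write-capable handle on the child. The event records are constructed to mirror this report (PIDs 5000/1192, the images and command lines are copied; the other PIDs, the hypothetical EID 10 record and the benign shell32.dll line are invented for contrast), using Sysmon field names as an assumption about the log source.

```python
import re

PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
WRITE_ACCESS = PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Locations an unprivileged user can write to. A signed Windows host binary
# loading a DLL from one of these is the report's "Loads dropped DLL" pattern.
USER_WRITABLE = re.compile(
    r"\\(?:Users\\[^\\]+\\AppData\\(?:Local|Roaming)|Users\\Public|ProgramData|Windows\\Temp)\\",
    re.IGNORECASE,
)

# Constructed events modelled on the win10 process tree in this report. Images,
# command lines and PIDs 5000/1192 are copied from the report; PIDs 2400, 4100,
# 777, 600, the EID 10 record and the benign control-panel rundll32 line are
# invented. Field names follow Sysmon EID 1 (process create) and EID 10
# (process access); these are hand-built dicts, not parsed EVTX.
EVENTS = [
    {"EventID": 1, "ProcessId": 5000, "ParentProcessId": 2400,
     "Image": r"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe",
     "CommandLine": r'"C:\Users\Admin\AppData\Local\Temp\4cd3122ecb4da50429a0967972e0592e.exe"'},
    {"EventID": 1, "ProcessId": 1192, "ParentProcessId": 5000,
     "Image": r"C:\Windows\SysWOW64\rundll32.exe",
     "CommandLine": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP,S C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE"},
    {"EventID": 1, "ProcessId": 4100, "ParentProcessId": 5000,
     "Image": r"C:\Windows\SysWOW64\WerFault.exe",
     "CommandLine": r"C:\Windows\SysWOW64\WerFault.exe -u -p 5000 -s 508"},
    {"EventID": 1, "ProcessId": 777, "ParentProcessId": 600,
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r'"C:\Windows\System32\rundll32.exe" C:\Windows\System32\shell32.dll,Control_RunDLL'},
    # The sandbox reports the WriteProcessMemory call itself; on an endpoint the
    # nearest Sysmon signal is the access mask of the handle the parent holds.
    {"EventID": 10, "SourceProcessId": 5000, "TargetProcessId": 1192, "GrantedAccess": 0x1FFFFF},
]


def parse_rundll32(cmdline):
    """Split a rundll32 command line into (dll_path, export), or None if it is not rundll32.

    rundll32 takes '<dll>,<export> [args]'; the DLL may be quoted when its path
    contains spaces, and whitespace is tolerated around the comma.
    """
    m = re.match(r'\s*"?(?:[^"\s]*\\)?rundll32\.exe"?\s+(.*)$', cmdline, re.IGNORECASE)
    if not m:
        return None
    rest = m.group(1).lstrip()
    if rest.startswith('"'):
        close = rest.find('"', 1)
        if close < 0:
            return None
        dll, rest = rest[1:close], rest[close + 1:]
    else:
        m2 = re.match(r"([^,\s]+)(.*)$", rest)
        if not m2:
            return None
        dll, rest = m2.group(1), m2.group(2)
    export = None
    rest = rest.lstrip()
    if rest.startswith(","):
        tokens = rest[1:].split()
        export = tokens[0] if tokens else None
    return dll, export


def triage(events):
    """Return (pid, reason) findings for the dropped-DLL-via-rundll32 pattern."""
    procs = {e["ProcessId"]: e for e in events if e["EventID"] == 1}
    findings = []
    for e in events:
        if e["EventID"] == 1 and e["Image"].lower().endswith("\\rundll32.exe"):
            parsed = parse_rundll32(e["CommandLine"])
            if parsed is None:
                continue
            dll, export = parsed
            pid = e["ProcessId"]
            if USER_WRITABLE.search(dll):
                findings.append((pid, "DLL loaded from user-writable path: " + dll))
            if not dll.lower().endswith(".dll"):
                findings.append((pid, "DLL argument has a non-.dll extension: " + dll))
            if export is not None and len(export) <= 2:
                findings.append((pid, "export name is unusually short: " + export))
            parent = procs.get(e["ParentProcessId"])
            if parent and USER_WRITABLE.search(parent["Image"]):
                findings.append((pid, "spawned by executable in user-writable path: " + parent["Image"]))
        elif e["EventID"] == 10 and (e["GrantedAccess"] & WRITE_ACCESS) == WRITE_ACCESS:
            target = procs.get(e["TargetProcessId"])
            if target and target["ParentProcessId"] == e["SourceProcessId"]:
                findings.append((e["TargetProcessId"],
                                 f"parent {e['SourceProcessId']} holds a write-capable handle on its child"))
    return findings


if __name__ == "__main__":
    for pid, why in triage(EVENTS):
        print(pid, why)
```

Each signal on its own is weak (rundll32 legitimately loads DLLs with odd export names, and every parent gets a full-access handle on the child it creates), which is why the function reports them separately and the analyst scores the combination; here all five land on the same PID 1192 and the benign shell32.dll line produces nothing. The win7 run shows the identical rundll32 command line, so the rule would fire on both detonations.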
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.241.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 119.110.54.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 176.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 211.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| US | 8.8.8.8:53 | 32.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| NL | 193.34.167.138:443 | | tcp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.167.34.193.in-addr.arpa | udp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| GB | 96.17.178.174:80 | | tcp |
| US | 8.8.8.8:53 | | udp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| US | 204.79.197.200:443 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
| GB | 96.17.178.174:80 | | tcp |
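Reading the two network tables side by side: the only non-DNS endpoint present in both the win7 and the win10 detonation is 193.34.167.138:443 (NL). The 8.8.8.8:53 rows are reverse (in-addr.arpa) lookups of addresses seen in the capture, and one of them, `138.167.34.193.in-addr.arpa`, is 193.34.167.138 written backwards. The 96.17.178.174:80 and 204.79.197.200:443 traffic appears only in the win10 run; before either is treated as a loader indicator it should be compared against a clean baseline detonation of the same image, since the table does not attribute connections to a process. The Python below is an added triage example, not sandbox output: it parses rows in both column layouts the page uses, counts endpoints per run, intersects the runs, and maps PTR names back to IPv4 addresses. The embedded rows are a constructed subset copied from the tables above (repeats collapsed, not every PTR lookup included).

```python
import re
from collections import Counter, namedtuple

Row = namedtuple("Row", "country dest domain proto")

# Rows copied from this report's two network tables (behavioral1 = win7,
# behavioral2 = win10), as a constructed subset: repeated rows are collapsed
# and not every PTR lookup is reproduced. Plain-connection rows carry no domain
# cell, so parse_row() locates the protocol by value rather than by position.
RUNS = {
    "behavioral1": """
| NL | 193.34.167.138:443 | tcp |
""",
    "behavioral2": """
| US | 8.8.8.8:53 | 21.53.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | udp | |
| GB | 96.17.178.174:80 | tcp | |
| GB | 96.17.178.174:80 | tcp | |
| GB | 96.17.178.174:80 | tcp | |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| NL | 193.34.167.138:443 | tcp | |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.167.34.193.in-addr.arpa | udp |
| US | 204.79.197.200:443 | tcp | |
""",
}


def parse_row(line):
    """Parse one table row into a Row; return None for header, blank or malformed lines."""
    cells = [c.strip() for c in line.strip().strip("|").split("|")]
    cells = [c for c in cells if c]
    if len(cells) < 3 or not re.fullmatch(r"[A-Z]{2}", cells[0]):
        return None
    proto = next((c for c in cells[2:] if c.lower() in ("tcp", "udp")), None)
    domain = next((c for c in cells[2:] if c.lower() not in ("tcp", "udp")), None)
    return Row(cells[0], cells[1], domain, proto.lower() if proto else None)


def ptr_to_ip(name):
    """Turn a reverse-DNS name d.c.b.a.in-addr.arpa back into the IPv4 address a.b.c.d."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa\.?", name or "", re.IGNORECASE)
    return ".".join(reversed(m.groups())) if m else None


def is_dns(row):
    """DNS to the resolver is sandbox plumbing, not an endpoint the sample talks to."""
    return row.proto == "udp" and row.dest.endswith(":53")


def triage(runs):
    """Per-run endpoint counts, endpoints common to every run, and PTR names tied to contacted IPs."""
    rows = {name: [r for r in map(parse_row, text.splitlines()) if r] for name, text in runs.items()}
    # Repeated rows are repeated connections, so keep the hit count per (dest, proto).
    endpoints = {name: Counter((r.dest, r.proto) for r in rs if not is_dns(r)) for name, rs in rows.items()}
    common = set.intersection(*(set(c) for c in endpoints.values()))
    contacted_ips = {dest.rsplit(":", 1)[0] for c in endpoints.values() for dest, _ in c}
    ptr_ips = {ptr_to_ip(r.domain) for rs in rows.values() for r in rs if ptr_to_ip(r.domain)}
    return {
        "endpoints": endpoints,
        "common": common,
        "ptr_ips": ptr_ips,
        "ptr_of_contacted": ptr_ips & contacted_ips,
    }


if __name__ == "__main__":
    result = triage(RUNS)
    for name, counts in result["endpoints"].items():
        print(name, dict(counts))
    print("common to all runs:", result["common"])
    print("reverse-looked-up addresses that were also contacted:", result["ptr_of_contacted"])
```

On these rows the intersection is exactly {("193.34.167.138:443", "tcp")}, and 193.34.167.138 is the one address that was both contacted and reverse-resolved; the other PTR targets (40.126.53.21, 96.17.178.180 and so on) never appear as connections. That cross-run check is what separates a candidate C2 endpoint from traffic that one OS image generates on its own.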
Files
memory/5000-1-0x0000000000C60000-0x0000000000D50000-memory.dmp
memory/5000-2-0x0000000000D60000-0x0000000000E5F000-memory.dmp
memory/5000-5-0x0000000000400000-0x00000000009DD000-memory.dmp
memory/1192-9-0x00000000008B0000-0x0000000000A0D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE.tmp
| MD5 | d6d1c2db31bb00d9996e94bbb752be86 |
| SHA1 | 504b480f55f1c9a1000d9d8952826793523b99ec |
| SHA256 | 572e95c7d235bdb5398d01f1be77772abe21a4b24e4c698b35edc7e4c608e5bd |
| SHA512 | 26acf327814c4becd03eed02c46304e83ee9e1d5c7dc8d5857db518c3ad06b090f8c1891151e7e1f6c1d2167f90d7a6804be5a780de49bc27ab6bab62f8559de |
C:\Users\Admin\AppData\Local\Temp\4CD312~1.EXE.tmp
| MD5 | 19ef0a10a98fc4c3ab8e212b0769b113 |
| SHA1 | dc7bec254d12fe47d524161b314f9f9d86fa61a0 |
| SHA256 | 99fb886799bf12e075483073cec12e3a337c9312aeee9443533badd5463652f7 |
| SHA512 | 06a4361054771ba8bfebccd811b241c873eb73ccba415a986a9933f75b479f391b2735af31b74ab0d1b65513c3e489e0dd8c1ceab561bab94244bd0d0aaa22d0 |
C:\Users\Admin\AppData\Local\Temp\4CD312~1.TMP
| MD5 | 10ffa9f465b9bcef33023d8e52b2c782 |
| SHA1 | 5004029a9d70002c2ef7e456ba4f2047bd094480 |
| SHA256 | 1892dfb65582faa3155e095d247eed19b3f579608cc270e9c0c5fe11ae9d7201 |
| SHA512 | e39ade405e6bf048f9bcbf3c655a260945659591edae28cdaf15dd81580696b3a8f49c76d33de7b43f9cf1e4e4f3065a857b4c1e60ff996f89e2dfa1358c24c9 |
memory/5000-11-0x0000000000D60000-0x0000000000E5F000-memory.dmp
memory/5000-10-0x0000000000400000-0x00000000009DD000-memory.dmp
memory/1192-12-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-20-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-21-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-22-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-23-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-24-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-25-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-26-0x00000000008B0000-0x0000000000A0D000-memory.dmp
memory/1192-27-0x00000000008B0000-0x0000000000A0D000-memory.dmp