Analysis

max time kernel: 143s
max time network: 126s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 20-01-2024 08:57

Static task: static1
Behavioral task: behavioral1
Sample: 6a039943bdc4c62a5a3d76b3edb15deb.exe
Resource: win7-20231215-en
General

Target: 6a039943bdc4c62a5a3d76b3edb15deb.exe
Size: 1.1MB
MD5: 6a039943bdc4c62a5a3d76b3edb15deb
SHA1: 4de1066b1f65d0acefa02126eec2fb21d0dceb83
SHA256: 5ac5c98f4e1bbfdeb6a4664bcfa19e9a0d2590d23db544f5fff400db3511ed59
SHA512: 56b01ac09839aebe0aa720856c131acc3b81f3edd8461d9620e31533fa8f31f9cfa93afa1bccc3fb67d66e52a1045720915b750b9c90fa6b23e221644061fe27
SSDEEP: 24576:38oiUxjy8WMyPg7fKen8tcLH2TLe4RXo4ND4sY6nvgt3u9n:38AQ4rKe8tmW254N1/Y3a
Malware Config

Extracted: danabot
4
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (5 IoCs)
Processes:
resource                                                                     yara_rule
behavioral1/memory/2140-8-0x0000000000790000-0x00000000008ED000-memory.dmp   DanabotLoader2021
\Users\Admin\AppData\Local\Temp\6A0399~1.TMP                                 DanabotLoader2021
behavioral1/memory/2140-11-0x0000000000790000-0x00000000008ED000-memory.dmp  DanabotLoader2021
behavioral1/memory/2140-20-0x0000000000790000-0x00000000008ED000-memory.dmp  DanabotLoader2021
behavioral1/memory/2140-21-0x0000000000790000-0x00000000008ED000-memory.dmp  DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes:
flow  pid   process
2     2140  rundll32.exe

Loads dropped DLL (1 IoC)
Processes:
pid   process
2140  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes:
description                       pid   process                               target process
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
PID 1968 wrote to memory of 2140  1968  6a039943bdc4c62a5a3d76b3edb15deb.exe  rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\6a039943bdc4c62a5a3d76b3edb15deb.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6a039943bdc4c62a5a3d76b3edb15deb.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1968

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6A0399~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6A0399~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2140
Downloads

Filesize: 1.3MB
MD5: 978ca1ee18d48f8200390cb0df026c9a
SHA1: c5e7f7316504e2d80999a42b80d127774167ce88
SHA256: 971185ac1a90b720446b38e8ae74ec5cd4809b09d1e1ed422883db977ddab316
SHA512: 771f4ccd233c7ffedb7f51d21dbb50cfb3bd2f176ea0e0794df0970dfdba8cf0c64cdc9db7afb0871fe8b30fd56eaaaca09f42e434e68eb70e76af1079a8a278