Analysis
max time kernel: 142s
max time network: 140s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20-01-2024 08:57
Static task: static1
Behavioral task: behavioral1
Sample: 6a039943bdc4c62a5a3d76b3edb15deb.exe
Resource: win7-20231215-en
General
Target: 6a039943bdc4c62a5a3d76b3edb15deb.exe
Size: 1.1MB
MD5: 6a039943bdc4c62a5a3d76b3edb15deb
SHA1: 4de1066b1f65d0acefa02126eec2fb21d0dceb83
SHA256: 5ac5c98f4e1bbfdeb6a4664bcfa19e9a0d2590d23db544f5fff400db3511ed59
SHA512: 56b01ac09839aebe0aa720856c131acc3b81f3edd8461d9620e31533fa8f31f9cfa93afa1bccc3fb67d66e52a1045720915b750b9c90fa6b23e221644061fe27
SSDEEP: 24576:38oiUxjy8WMyPg7fKen8tcLH2TLe4RXo4ND4sY6nvgt3u9n:38AQ4rKe8tmW254N1/Y3a
Malware Config
Extracted
Family: danabot
Version: 4
C2:
142.11.244.124:443
142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (4 IoCs)
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\6A0399~1.TMP | DanabotLoader2021
behavioral2/memory/2672-11-0x0000000000400000-0x000000000055D000-memory.dmp | DanabotLoader2021
behavioral2/memory/2672-19-0x0000000000400000-0x000000000055D000-memory.dmp | DanabotLoader2021
behavioral2/memory/2672-20-0x0000000000400000-0x000000000055D000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
flow | pid | process
49 | 2672 | rundll32.exe

Loads dropped DLL (1 IoC)
pid | process
2672 | rundll32.exe

Program crash (1 IoC)
pid | pid_target | process | target process
5100 | 2376 | WerFault.exe | 6a039943bdc4c62a5a3d76b3edb15deb.exe

Suspicious use of WriteProcessMemory (3 IoCs)
description | pid | process | target process
PID 2376 wrote to memory of 2672 | 2376 | 6a039943bdc4c62a5a3d76b3edb15deb.exe | rundll32.exe
PID 2376 wrote to memory of 2672 | 2376 | 6a039943bdc4c62a5a3d76b3edb15deb.exe | rundll32.exe
PID 2376 wrote to memory of 2672 | 2376 | 6a039943bdc4c62a5a3d76b3edb15deb.exe | rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\6a039943bdc4c62a5a3d76b3edb15deb.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\6a039943bdc4c62a5a3d76b3edb15deb.exe"
  PID: 2376
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6A0399~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6A0399~1.EXE
    PID: 2672
    - Blocklisted process makes network request
    - Loads dropped DLL

  C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 504
    PID: 5100
    - Program crash

C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2376 -ip 2376
  PID: 2648
Network
MITRE ATT&CK Matrix
Downloads
Filesize: 1.3MB
MD5: 978ca1ee18d48f8200390cb0df026c9a
SHA1: c5e7f7316504e2d80999a42b80d127774167ce88
SHA256: 971185ac1a90b720446b38e8ae74ec5cd4809b09d1e1ed422883db977ddab316
SHA512: 771f4ccd233c7ffedb7f51d21dbb50cfb3bd2f176ea0e0794df0970dfdba8cf0c64cdc9db7afb0871fe8b30fd56eaaaca09f42e434e68eb70e76af1079a8a278