Analysis
- max time kernel: 141s
- max time network: 118s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 20-01-2024 20:21
Static task: static1
Behavioral task: behavioral1
- Sample: 6b60f7cbc0c04e3110ea9da7f9321fe3.exe
- Resource: win7-20231129-en
General
- Target: 6b60f7cbc0c04e3110ea9da7f9321fe3.exe
- Size: 1.1MB
- MD5: 6b60f7cbc0c04e3110ea9da7f9321fe3
- SHA1: 5051291ed1160c0f5bdd79f1d5706807f2d7512b
- SHA256: 73330db1f35105b797d13d85b7e372cd0fc8a7eab0ed05ba1d864457d0e7666c
- SHA512: bf61735f3ee94390c69348dbe9c78bc0a1d56e7c64ce2b9ecedd10147ccb6db8aed677f24a8d32fabc8ab308ab33861d4eb383addcc1ec43d7bbcd453b943b0c
- SSDEEP: 24576:RIcECYHIt8+5eZ+conosN6FOf8qtRfJ6a6BPA:RIxvHrSEcJgU8yfJ6NBI
Malware Config
Extracted
- danabot
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Danabot Loader Component (12 IoCs)
  resource | yara_rule
  behavioral1/memory/3040-9-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  \Users\Admin\AppData\Local\Temp\6B60F7~1.TMP | DanabotLoader2021
  C:\Users\Admin\AppData\Local\Temp\6B60F7~1.TMP | DanabotLoader2021
  behavioral1/memory/3040-10-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-18-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-19-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-20-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-21-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-22-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-23-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-24-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
  behavioral1/memory/3040-25-0x0000000000790000-0x00000000008EE000-memory.dmp | DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  flow | pid | process
  2 | 3040 | rundll32.exe
- Loads dropped DLL (1 IoC)
  pid | process
  3040 | rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description | pid | process | target process
  PID 1936 wrote to memory of 3040 | 1936 | 6b60f7cbc0c04e3110ea9da7f9321fe3.exe | rundll32.exe
  (the same entry is recorded 7 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\6b60f7cbc0c04e3110ea9da7f9321fe3.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1936
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\6B60F7~1.TMP,S C:\Users\Admin\AppData\Local\Temp\6B60F7~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 3040
Downloads
- Filesize: 163KB
  MD5: 29c6104d82c20b30da0c86a4e0e64b74
  SHA1: b79c61732baea26a51a1ae207161bdd3791a7a03
  SHA256: 40b090e246acbb09d124d40650d36e2e3526485f70f8758068873dc0044b66cd
  SHA512: f33758c8581dc433b5f3c7d22aac89b9957a41eb62b11e936862877eef5191b47a7813b4833bf82eb5166d39b3c74b1e4a2eb651ef9f9183efac3458b4f20084
- Filesize: 123KB
  MD5: d769ad0fe32da8fcbdbd384296322a3e
  SHA1: 8ea7a85ea420a2aa3d13026ddaad7800905c8af4
  SHA256: 8b00862df017b5507675fbd37a4f02644620cbfe446281bf07883123a8c7d1ec
  SHA512: 77371c640449651564a8f4d4c6f1b63239a92d0f52f34e6bae6534aa641ce2d7d575daa4fb075296ec7b690db1dedff6c5763b78d19713499a027983bd084790