Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 24-01-2024 23:08
- Static task: static1
- Behavioral task: behavioral1
- Sample: 731926fda7aeb87453452a78e89f1c77.exe
- Resource: win7-20231215-en
General
- Target: 731926fda7aeb87453452a78e89f1c77.exe
- Size: 1.1MB
- MD5: 731926fda7aeb87453452a78e89f1c77
- SHA1: f38d24275b8c2b78044d652cac8b56b0961e8a09
- SHA256: a24a06112f0b98ce05e7bf6ff3d65c242ad34e38c35e9179b313c2bf168119ee
- SHA512: de14ef6fb04176c4cdedc6a378f20f645d8552b110d527f14f06942654fe9799c66c1acadf99f8f9c1355b8c85db34c96efad40e767db296d58ca16d93eb4c91
- SSDEEP: 24576:2dfcaEwI2KgKrMIc4UbWyuFkNnGlmIBoIbxzywP6uu+LS/M:267wINHMV4UyyuuNnGlmIeZwy
Malware Config
Extracted
- Family: danabot
- Version: 4
- C2:
  - 142.11.244.124:443
  - 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Danabot Loader Component (11 IoCs)
  Processes:
  resource                                                       yara_rule
  C:\Users\Admin\AppData\Local\Temp\731926~1.TMP                 DanabotLoader2021
  behavioral1/memory/2088-9-0x0000000002110000-0x000000000226D000-memory.dmp    DanabotLoader2021
  behavioral1/memory/2088-10-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-19-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-20-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-21-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-22-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-23-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-24-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-25-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
  behavioral1/memory/2088-26-0x0000000002110000-0x000000000226D000-memory.dmp   DanabotLoader2021
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow  pid   process
  2     2088  rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes:
  pid   process
  2088  rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes:
  description          pid   process                                target process
  wrote to memory of   1236  731926fda7aeb87453452a78e89f1c77.exe   rundll32.exe (PID 2088)
  (the same entry, PID 1236 writing to the memory of PID 2088, is recorded 7 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1236
   2. C:\Windows\SysWOW64\rundll32.exe (child of PID 1236)
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\731926~1.TMP,S C:\Users\Admin\AppData\Local\Temp\731926~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2088
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 1.3MB
- MD5: bdc533020cedadeef328b0356357e3ed
- SHA1: ec2fcae1c1757de2e7bbb575fd5272b1504f26e2
- SHA256: b76b4117dcde1bf0f99b8c3c5e31fa4bc937e137d44fd6f8db6ed5fe7f97fc64
- SHA512: 1d6282d490473f3b6e8c632a49aeb9c0f3695b6cdffb18b6e6f96d88b51eb0cb5e181ff559720bd24f97e9ebfd51c85a3da31f63ec039ccf7c95aa6aafd1ec5c