Analysis Overview
SHA256
a24a06112f0b98ce05e7bf6ff3d65c242ad34e38c35e9179b313c2bf168119ee
Threat Level: Known bad
The file 731926fda7aeb87453452a78e89f1c77 was found to be: Known bad.
Malicious Activity Summary
Danabot
Danabot Loader Component
Blocklisted process makes network request
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-24 23:08
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-24 23:08
Reported
2024-01-24 23:10
Platform
win7-20231215-en
Max time kernel
141s
Max time network
119s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe
"C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\731926~1.TMP,S C:\Users\Admin\AppData\Local\Temp\731926~1.EXE
Network
| Country | Destination | Domain | Proto |
| US | 142.11.244.124:443 | | tcp |
Files
memory/1236-0-0x0000000002DC0000-0x0000000002EA9000-memory.dmp
memory/1236-4-0x00000000045F0000-0x00000000046EF000-memory.dmp
memory/1236-1-0x0000000002DC0000-0x0000000002EA9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\731926~1.TMP
| MD5 | bdc533020cedadeef328b0356357e3ed |
| SHA1 | ec2fcae1c1757de2e7bbb575fd5272b1504f26e2 |
| SHA256 | b76b4117dcde1bf0f99b8c3c5e31fa4bc937e137d44fd6f8db6ed5fe7f97fc64 |
| SHA512 | 1d6282d490473f3b6e8c632a49aeb9c0f3695b6cdffb18b6e6f96d88b51eb0cb5e181ff559720bd24f97e9ebfd51c85a3da31f63ec039ccf7c95aa6aafd1ec5c |
memory/1236-7-0x0000000000400000-0x0000000002D4E000-memory.dmp
memory/1236-5-0x0000000000400000-0x0000000002D4E000-memory.dmp
memory/2088-9-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-10-0x0000000002110000-0x000000000226D000-memory.dmp
memory/1236-12-0x0000000000400000-0x0000000002D4E000-memory.dmp
memory/2088-19-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-20-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-21-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-22-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-23-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-24-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-25-0x0000000002110000-0x000000000226D000-memory.dmp
memory/2088-26-0x0000000002110000-0x000000000226D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-24 23:08
Reported
2024-01-24 23:11
Platform
win10v2004-20231215-en
Max time kernel
143s
Max time network
150s
Command Line
Signatures
Danabot
Danabot Loader Component
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2844 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2844 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2844 wrote to memory of 3384 | N/A | C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe
"C:\Users\Admin\AppData\Local\Temp\731926fda7aeb87453452a78e89f1c77.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\731926~1.TMP,S C:\Users\Admin\AppData\Local\Temp\731926~1.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2844 -ip 2844
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 508
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 79.121.231.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 142.11.244.124:443 | | tcp |
| GB | 96.16.110.41:443 | | tcp |
| SE | 192.229.221.95:80 | | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.173.189.20.in-addr.arpa | udp |
Files
memory/2844-1-0x0000000004BC0000-0x0000000004CB7000-memory.dmp
memory/2844-2-0x0000000004CC0000-0x0000000004DBF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\731926~1.TMP
| MD5 | bdc533020cedadeef328b0356357e3ed |
| SHA1 | ec2fcae1c1757de2e7bbb575fd5272b1504f26e2 |
| SHA256 | b76b4117dcde1bf0f99b8c3c5e31fa4bc937e137d44fd6f8db6ed5fe7f97fc64 |
| SHA512 | 1d6282d490473f3b6e8c632a49aeb9c0f3695b6cdffb18b6e6f96d88b51eb0cb5e181ff559720bd24f97e9ebfd51c85a3da31f63ec039ccf7c95aa6aafd1ec5c |
memory/2844-7-0x0000000000400000-0x0000000002D4E000-memory.dmp
memory/2844-8-0x0000000000400000-0x0000000002D4E000-memory.dmp
memory/2844-9-0x0000000004CC0000-0x0000000004DBF000-memory.dmp
memory/3384-10-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-18-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-19-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-20-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-21-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-22-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-23-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-24-0x0000000000400000-0x000000000055D000-memory.dmp
memory/3384-25-0x0000000000400000-0x000000000055D000-memory.dmp