Analysis
- max time kernel: 142s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-01-2024 23:17
- Static task: static1
- Behavioral task: behavioral1
- Sample: 75c4dcd97d040f814f56c6b945b804b3.exe
- Resource: win7-20231215-en
General
- Target: 75c4dcd97d040f814f56c6b945b804b3.exe
- Size: 1.0MB
- MD5: 75c4dcd97d040f814f56c6b945b804b3
- SHA1: 0e2a8aca9dfd32316095e82b8f0fd74e53e10bd0
- SHA256: d3d7ec91eac0c420ad617188669058f0a6a356a0c0d05f50b6643124904365d1
- SHA512: e7e750ee3d9304c4b8ae861b96a0cbadf6011e17690bb9b98cee1a16598d38b67bf0ff27d7999131aa2b2d0125dc366c42f692d293e02148bc3910f74d938451
- SSDEEP: 24576:dLPtJS6airuEt0bOEXy14Uc+wlPoWjo2eRcaVdn0a0pwi:HQ6DKU0akjh+kPJTeHdn0aSw
Malware Config
Extracted
- danabot
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
-
Danabot Loader Component (12 IoCs)
Processes:
resource  yara_rule
C:\Users\Admin\AppData\Local\Temp\75C4DC~1.TMP  DanabotLoader2021
\Users\Admin\AppData\Local\Temp\75C4DC~1.TMP  DanabotLoader2021
behavioral1/memory/2980-10-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-11-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-19-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-20-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-21-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-22-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-23-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-24-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-25-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
behavioral1/memory/2980-26-0x0000000000820000-0x000000000097C000-memory.dmp  DanabotLoader2021
-
Blocklisted process makes network request (1 IoCs)
Processes: rundll32.exe
flow  pid   process
2     2980  rundll32.exe
-
Loads dropped DLL (1 IoCs)
Processes: rundll32.exe
pid   process
2980  rundll32.exe
-
Suspicious use of WriteProcessMemory (7 IoCs)
Processes: 75c4dcd97d040f814f56c6b945b804b3.exe
description  pid  process  target process
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
PID 3052 wrote to memory of 2980  3052  75c4dcd97d040f814f56c6b945b804b3.exe  rundll32.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\75c4dcd97d040f814f56c6b945b804b3.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\75c4dcd97d040f814f56c6b945b804b3.exe"
   - Suspicious use of WriteProcessMemory
   PID: 3052
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\75C4DC~1.TMP,S C:\Users\Admin\AppData\Local\Temp\75C4DC~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2980
-
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize: 500KB
MD5: 31a909c478a243263fa3af7e248c2572
SHA1: f54f2fa580ff1341ca64e496320d402e4eeaee11
SHA256: 8231966fc420aa93bafd72f5b259c91aa1e3abb161142e775117136cb055982f
SHA512: 98ad0dc629dde94c3818a740ed80cceacf9efb3a9031ee2d424b80ba431c576d801bd5497adf1168716fcf5a0c2dd9368571dec5597b3a6aa572207b30569ddb
-
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(No Filesize is listed for this entry; these four values are the well-known digests of a zero-byte file, so this download carries no content.)