Analysis

max time kernel: 143s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 23:17

Static task: static1
Behavioral task: behavioral1
Sample: 75c4dcd97d040f814f56c6b945b804b3.exe
Resource: win7-20231215-en
General

Target: 75c4dcd97d040f814f56c6b945b804b3.exe
Size: 1.0MB
MD5: 75c4dcd97d040f814f56c6b945b804b3
SHA1: 0e2a8aca9dfd32316095e82b8f0fd74e53e10bd0
SHA256: d3d7ec91eac0c420ad617188669058f0a6a356a0c0d05f50b6643124904365d1
SHA512: e7e750ee3d9304c4b8ae861b96a0cbadf6011e17690bb9b98cee1a16598d38b67bf0ff27d7999131aa2b2d0125dc366c42f692d293e02148bc3910f74d938451
SSDEEP: 24576:dLPtJS6airuEt0bOEXy14Uc+wlPoWjo2eRcaVdn0a0pwi:HQ6DKU0akjh+kPJTeHdn0aSw
Malware Config

Extracted
Family: danabot
Version: 4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (13 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\75C4DC~1.TMP | DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\75C4DC~1.EXE.tmp | DanabotLoader2021
behavioral2/memory/5072-9-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\75C4DC~1.EXE.tmp | DanabotLoader2021
behavioral2/memory/5072-12-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-20-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-21-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-22-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-23-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-24-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-25-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-26-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021
behavioral2/memory/5072-27-0x0000000002470000-0x00000000025CC000-memory.dmp | DanabotLoader2021

Blocklisted process makes network request (1 IoC)
Processes:
flow | pid | process
43 | 5072 | rundll32.exe

Loads dropped DLL (2 IoCs)
Processes:
pid | process
5072 | rundll32.exe
5072 | rundll32.exe

Program crash (1 IoC)
Processes:
pid | pid_target | process | target process
3224 | 3336 | WerFault.exe | 75c4dcd97d040f814f56c6b945b804b3.exe

Suspicious use of WriteProcessMemory (3 IoCs)
Processes:
description | pid | process | target process
PID 3336 wrote to memory of 5072 | 3336 | 75c4dcd97d040f814f56c6b945b804b3.exe | rundll32.exe
PID 3336 wrote to memory of 5072 | 3336 | 75c4dcd97d040f814f56c6b945b804b3.exe | rundll32.exe
PID 3336 wrote to memory of 5072 | 3336 | 75c4dcd97d040f814f56c6b945b804b3.exe | rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\75c4dcd97d040f814f56c6b945b804b3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\75c4dcd97d040f814f56c6b945b804b3.exe"
  PID: 3336
  Signatures: Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\75C4DC~1.TMP,S C:\Users\Admin\AppData\Local\Temp\75C4DC~1.EXE
    PID: 5072
    Signatures: Blocklisted process makes network request; Loads dropped DLL

  C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 444
    PID: 3224
    Signatures: Program crash

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3336 -ip 3336
  PID: 4052
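The process tree above shows the pattern worth detecting in endpoint telemetry: a loader running from the user's Temp directory writes its next stage beside itself as a .TMP file and executes it through rundll32.exe, naming the export S and passing its own 8.3 short-name path as the argument; the parent then crashes and is reaped by WerFault. The Python below, added here as an example and not part of the sandbox report or of any Danabot tooling, scores rundll32 process-creation events on those signals. The Sysmon-style events it runs over are constructed to mirror the command lines above (the parent PID 1200, the control event with PID 7000 loading shell32.dll, and the event field names are assumptions); the signal list, the two-signal threshold and the set of user-writable directories are my own choices, not anything the report defines.

```python
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Directories an interactive user (and so a dropper running as that user) can write to.
# Assumed list for this example; extend it to match your environment.
USER_WRITABLE_RE = re.compile(
    r"\\(?:AppData\\Local\\Temp|AppData\\Roaming|Windows\\Temp|ProgramData|Public)\\",
    re.IGNORECASE,
)
RUNDLL32_RE = re.compile(r"(?:^|\\)rundll32\.exe$", re.IGNORECASE)
# A token is a double-quoted run plus anything glued to it (e.g. '",Export'), or a bare run.
TOKEN_RE = re.compile(r'"[^"]*"\S*|\S+')

# Constructed Sysmon-style process-creation events (not telemetry from the report).
# The command lines mirror the process tree above; PID 7000 is a benign control case.
SAMPLE_EVENTS: List[Dict] = [
    {"pid": 3336, "ppid": 1200,
     "image": r"C:\Users\Admin\AppData\Local\Temp\75c4dcd97d040f814f56c6b945b804b3.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\75c4dcd97d040f814f56c6b945b804b3.exe"'},
    {"pid": 5072, "ppid": 3336, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\75C4DC~1.TMP,S "
                r"C:\Users\Admin\AppData\Local\Temp\75C4DC~1.EXE"},
    {"pid": 3224, "ppid": 3336, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 3336 -s 444"},
    {"pid": 7000, "ppid": 1200, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def tokenize_cmdline(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while keeping quoted paths intact."""
    return [t.replace('"', "") for t in TOKEN_RE.findall(cmdline)]


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str, List[str]]]:
    """Return (module_path, export_name, remaining_args) for a rundll32 invocation,
    or None for any other command line. 'module,Export' is rundll32's own syntax;
    8.3 short names such as 75C4DC~1.TMP are passed through unchanged."""
    tokens = tokenize_cmdline(cmdline)
    if len(tokens) < 2 or not RUNDLL32_RE.search(tokens[0]):
        return None
    module, sep, export = tokens[1].rpartition(",")
    if not sep:  # no comma: the whole token is the module and no export is named
        module, export = export, ""
    return module, export, tokens[2:]


def assess_rundll32(event: Dict, parent_image: str = "") -> List[str]:
    """Independent signals that this rundll32 launch looks like a dropper staging a payload."""
    parsed = parse_rundll32(event["cmdline"])
    if parsed is None:
        return []
    module, export, extra = parsed
    ext = ntpath.splitext(module)[1].lower() or "<none>"  # ntpath handles backslashes on any host
    reasons = []
    if USER_WRITABLE_RE.search(module):
        reasons.append("module loaded from a user-writable directory")
    if ext != ".dll":
        reasons.append(f"module extension is not .dll ({ext})")
    if len(export) == 1:
        reasons.append(f"single-character export name '{export}'")
    if any(USER_WRITABLE_RE.search(a) for a in extra):
        reasons.append("extra argument points back into a user-writable directory")
    if USER_WRITABLE_RE.search(parent_image):
        reasons.append("parent executable itself runs from a user-writable directory")
    return reasons


def hunt(events: List[Dict], min_signals: int = 2) -> List[Dict]:
    """Score every event; a hit needs at least min_signals independent reasons so that
    legitimate rundll32 use (system DLLs, descriptive export names) stays below the bar."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        parent_image = by_pid.get(e.get("ppid"), {}).get("image", "")
        reasons = assess_rundll32(e, parent_image)
        if len(reasons) >= min_signals:
            hits.append({"pid": e["pid"], "cmdline": e["cmdline"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"PID {hit['pid']}: {hit['cmdline']}")
        for reason in hit["reasons"]:
            print("  -", reason)
```

Run against the constructed events, only PID 5072 is reported, with all five signals; the WerFault and loader events are ignored because they are not rundll32 launches, and the shell32.dll control line scores zero. The threshold matters: a single signal such as a non-.dll extension fires on plenty of legitimate installers, so require at least two before paging anyone.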
Downloads

Filesize: 1.3MB
MD5: 4b713c36e07aad57e6d39429357dc2cf
SHA1: 8c02440e5a4df5b0323280a3f1e71e372b3cdc3c
SHA256: 058ac7fd6bc46b1d056e932a0d8a00b2d8c8165c79d36ae3c96fc183346dc86f
SHA512: 9b7401a0f4e85158933bc6e03c2adc6c8cf8eea3ae0841a605c09c30a0eb6e498aaf8ba2f309dc858a7ca23d1cb43bbc822bf4c0cf7bb93e2a711d2400017161

Filesize: 867KB
MD5: dc097ca0d6008fed5b972884a3db3a2b
SHA1: 37c1bf16d52cac49ce8f05f9d5bed728cecd3952
SHA256: 3c3a05e0ce8f5e91cac061e3edd88b4fc54758c67a512d16422a7af4f0697b26
SHA512: a91821841f4e2672f7627cde7fd8b512b2e318f16464b463956c53f709696eb3cdc87bb47fe6c7044421e0ecd581123fbaeadb78f55c7f9990a99f3941728e94

Filesize: 1024KB
MD5: e65ff5ffcd4b7b97ad03a86059a3efb9
SHA1: ce5706a1818c4f7e13e49dd9cdbfcb77ce361500
SHA256: a83453d1e04a2a94d62b12f5e4545661197206d533b2769f341f6281f7c7f13f
SHA512: 09a5d803e4c40e64a351ae0cf0a7274f1487c322c24dfc2129ad3a89fb35b7df43f4fd3d520c15ecb5393998b4e3f5f634a45bc5f574e6298b16e9669c7e5d56