Analysis

max time kernel: 142s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20231222-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-01-2024 19:11

Static task: static1
Behavioral task: behavioral1
  Sample: 754a5f1c3be937da2062cb0a400770ae.exe
  Resource: win7-20231129-en
General

Target: 754a5f1c3be937da2062cb0a400770ae.exe
Size: 1.2MB
MD5: 754a5f1c3be937da2062cb0a400770ae
SHA1: 2c1334d0d98d14d98cc12ea0066c1f023941642c
SHA256: 7d21d406d52ef30355db1a78f666f298952a41f44458be63b0959eb73e1a8ece
SHA512: 1c38dc92493fc7bf3875f9073c08cdbd08c346e13e141967aefe0d8db96b8b66934cb27a6678d717a38fb679da5a127f14a00842463be3c8d55e188b1effd6e8
SSDEEP: 24576:fnWuAlVsChDd0SOPNXzfAzovS8ivblpnCCZ/IshLw2Zge:OVhJdb2fAz1pDlEQNqe
Malware Config

Extracted
  Family: danabot
  4
  C2: 142.11.244.124:443
      142.11.206.50:443
  embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
  type: loader
Signatures

Danabot Loader Component (13 IoCs)
  resource                                                             yara_rule
  C:\Users\Admin\AppData\Local\Temp\754A5F~1.TMP                       DanabotLoader2021
  behavioral2/memory/1424-8-0x0000000002A90000-0x0000000002BEE000-memory.dmp    DanabotLoader2021
  C:\Users\Admin\AppData\Local\Temp\754A5F~1.EXE.tmp                   DanabotLoader2021
  C:\Users\Admin\AppData\Local\Temp\754A5F~1.EXE.tmp                   DanabotLoader2021
  behavioral2/memory/1424-11-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-19-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-20-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-21-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-22-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-23-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-24-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-25-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021
  behavioral2/memory/1424-26-0x0000000002A90000-0x0000000002BEE000-memory.dmp   DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  flow  pid   process
  35    1424  rundll32.exe

Loads dropped DLL (2 IoCs)
  pid   process
  1424  rundll32.exe
  1424  rundll32.exe

Program crash (1 IoC)
  pid   pid_target  process       target process
  3976  2496        WerFault.exe  754a5f1c3be937da2062cb0a400770ae.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                      pid   process                               target process
  PID 2496 wrote to memory of 1424  2496  754a5f1c3be937da2062cb0a400770ae.exe  rundll32.exe
  PID 2496 wrote to memory of 1424  2496  754a5f1c3be937da2062cb0a400770ae.exe  rundll32.exe
  PID 2496 wrote to memory of 1424  2496  754a5f1c3be937da2062cb0a400770ae.exe  rundll32.exe
Processes

1. C:\Users\Admin\AppData\Local\Temp\754a5f1c3be937da2062cb0a400770ae.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\754a5f1c3be937da2062cb0a400770ae.exe"
   PID: 2496
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\754A5F~1.TMP,S C:\Users\Admin\AppData\Local\Temp\754A5F~1.EXE
      PID: 1424
      - Blocklisted process makes network request
      - Loads dropped DLL

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2496 -s 444
      PID: 3976
      - Program crash

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2496 -ip 2496
   PID: 4520
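The process tree above is the loader's whole execution chain: the dropper in %TEMP% starts rundll32.exe and writes into it (the three WriteProcessMemory IoCs), rundll32 loads the dropped 754A5F~1.TMP through the export `S` with the renamed 754A5F~1.EXE as its argument, and that rundll32 instance is the process flagged for making a network request. The following is an added example, not part of the sandbox report, of detection logic for that chain run over constructed telemetry records modelled on this tree and on the extracted C2 list. The record shape (type / pid / ppid / image / cmdline / target_pid / dst) is an assumed generic schema, not any particular EDR's, and the benign rundll32 command line and the 192.0.2.10 destination are constructed for contrast.

```python
"""Detection logic for the DanaBot loader chain shown in this report.

Added example, not part of the sandbox report. The telemetry records below are
constructed to mirror the report's process tree, C2 list and WriteProcessMemory
IoCs; the record shape (type / pid / ppid / image / cmdline / target_pid / dst)
is an assumed generic schema, not any particular EDR's.
"""
import ntpath
import re

# Indicators taken verbatim from the report's extracted config.
DANABOT_C2 = {"142.11.244.124:443", "142.11.206.50:443"}

# rundll32 <module>,<export> [args]; the module may be quoted. Anchored on the
# basename because the report shows SysWOW64\rundll32.exe launched by a command
# line that names system32\rundll32.exe (WoW64 file-system redirection).
RUNDLL32_RE = re.compile(
    r'^(?:"[^"]*rundll32\.exe"|\S*rundll32\.exe)\s+'
    r'(?P<module>"[^"]+"|[^\s,]+)\s*,\s*(?P<export>\S+)'
    r'(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
TEMP_DIR_RE = re.compile(r"\\(?:appdata\\local\\temp|windows\\temp)\\", re.IGNORECASE)
LIBRARY_EXTS = (".dll", ".cpl", ".ocx", ".ax")


def parse_rundll32(cmdline):
    """Return (module, export, args) for a rundll32 command line, else None."""
    m = RUNDLL32_RE.match(cmdline.strip())
    if not m:
        return None
    return m["module"].strip('"'), m["export"], m["args"] or ""


def rundll32_module_suspicious(cmdline):
    """Flag rundll32 loading a module from a temp directory or one without a library extension."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return None
    module, export, _ = parsed
    reasons = []
    if TEMP_DIR_RE.search(module):
        reasons.append("module loaded from a temp directory")
    ext = ntpath.splitext(module)[1].lower()
    if ext not in LIBRARY_EXTS:
        reasons.append(f"module extension {ext!r} is not a library extension")
    if not reasons:
        return None
    return {"module": module, "export": export, "reasons": reasons}


def detect(events):
    """Run the three rules over a list of telemetry records; return alerts in event order."""
    procs = {e["pid"]: e for e in events if e["type"] == "process_create"}
    alerts = []
    for e in events:
        if e["type"] == "process_create":
            hit = rundll32_module_suspicious(e["cmdline"])
            if hit:
                alerts.append({"rule": "rundll32_nondll_module", "pid": e["pid"], "detail": hit})
        elif e["type"] == "write_process_memory":
            # A binary running out of a temp directory writing into a signed
            # Windows host process, as PID 2496 does to PID 1424 in the report.
            src, tgt = procs.get(e["pid"]), procs.get(e["target_pid"])
            if (src and tgt and TEMP_DIR_RE.search(src["image"])
                    and ntpath.basename(tgt["image"]).lower() == "rundll32.exe"):
                alerts.append({"rule": "temp_binary_writes_rundll32", "pid": e["pid"],
                               "detail": {"source": src["image"], "target_pid": e["target_pid"]}})
        elif e["type"] == "network_connect" and e["dst"] in DANABOT_C2:
            alerts.append({"rule": "danabot_c2_contact", "pid": e["pid"], "detail": {"dst": e["dst"]}})
    return alerts


# Constructed telemetry modelled on the report's process tree (PIDs 2496 and
# 1424), plus one benign rundll32 invocation and one non-C2 connection.
EVENTS = [
    {"type": "process_create", "pid": 2496, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\754a5f1c3be937da2062cb0a400770ae.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\754a5f1c3be937da2062cb0a400770ae.exe"'},
    {"type": "process_create", "pid": 1424, "ppid": 2496,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\754A5F~1.TMP,S "
                r"C:\Users\Admin\AppData\Local\Temp\754A5F~1.EXE"},
    {"type": "write_process_memory", "pid": 2496, "target_pid": 1424},
    {"type": "network_connect", "pid": 1424, "dst": "142.11.244.124:443"},
    {"type": "process_create", "pid": 5000, "ppid": 800,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL "
                r"C:\Windows\System32\inetcpl.cpl"},
    {"type": "network_connect", "pid": 5000, "dst": "192.0.2.10:443"},
]

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert["rule"], alert["pid"], alert["detail"])
```

Run stand-alone it prints three alerts, one per rule, for PIDs 1424, 2496 and 1424, and nothing for the benign control-panel invocation. The module-path and extension rules are the durable part: the C2 set and the 754A5F~1 names rotate with each build, while rundll32 loading a non-.dll file out of %TEMP% with a one-letter export is the loader's shape.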
Downloads

File 1
  Filesize: 547KB
  MD5: dc37f094b9efec567719563f1130c951
  SHA1: 5293568fb38a06d71332e68dc094a58dbcd60833
  SHA256: d5f27c0341ebb782c602c8bad2ed5eed6160cf6d3c5ff166162c7839f7f74513
  SHA512: fc556f54fb3fa2e7a04315191bd98a4845974705d042dce01ec0bddc8b444a5f8e3595b481da3e64b95255d7991dae4dbf4c33334b4def5d88d23460af901707

File 2
  Filesize: 498KB
  MD5: 33b6ff2c4e9217a511c2f843d51dd16b
  SHA1: 40b7506723204f7b14752cd3e51d4071d8171746
  SHA256: 0693cb63cf406102471ab3fc33c7a08cd31a56683db4e3bab1f09126e93f5df7
  SHA512: 09d0e75cf35c09893a4a87f8c42e2756979c9353442fc99bf4235a14d7f477291ac0fcc022a063c486fec01a87997f99cb23037bc3cfee6350ed2c0c43077054

File 3
  Filesize: 491KB
  MD5: 91baf3f1a188a7c19e2ae1381144875e
  SHA1: 994bc82c13715257487cfcaf23d067b4a8b9bc27
  SHA256: a39b6b181db7d848156c9ba1247e5cd16b097676a883ee8b3056547636995173
  SHA512: 270bd0f449ca74c468c60320b3504af2ff7899a1674440ab984d83aa1a3ae43d153bd14fe59e5454ae7e9913bc9a90d1d78a4ef5b3a48b8fb387bd4208519182