Analysis
Max time kernel: 148s
Max time network: 139s
Platform: windows10-2004_x64
Resource: win10v2004-20231222-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29-01-2024 04:24
Static task: static1
Behavioral task: behavioral1
Sample: 7ee0c1c8f76bd87982f5e238d7cf44d3.exe
Resource: win7-20231215-en
General
Target: 7ee0c1c8f76bd87982f5e238d7cf44d3.exe
Size: 1.1MB
MD5: 7ee0c1c8f76bd87982f5e238d7cf44d3
SHA1: 6f476c2ac0b7e83605ed9eeafdd0461c807240ac
SHA256: 987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
SHA512: a0eefc162bd60a1c7a6770f9b017a94ba185c9802acb975f56372026851b1fff5192f5faed61aff1a4854587c5941fd1456821621fc72bf6fdc0f46e379ed06c
SSDEEP: 24576:27l+B6syClv2eGZCFNJ0/CuDOAzKskZJFdyjxzpJDgmvNsXL:eRCl9GZqs/CgxyFI17kmvaXL
Malware Config
Extracted: danabot
4
23.229.29.48:443
5.9.224.204:443
192.210.222.81:443
embedded_hash: 0E1A7A1479C37094441FA911262B322A
type: loader
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes: rundll32.exe (flow 44, PID 1444)
- Loads dropped DLL (2 IoCs)
  Processes: rundll32.exe (PID 1444), rundll32.exe (PID 1444)
- Program crash (1 IoC)
  Processes: WerFault.exe (PID 3864), target PID 5096 (7ee0c1c8f76bd87982f5e238d7cf44d3.exe)
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes: PID 5096 (7ee0c1c8f76bd87982f5e238d7cf44d3.exe) wrote to memory of PID 1444 (rundll32.exe), recorded three times
Processes
- C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"
  PID: 5096
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE
    PID: 1444
    Signatures: Blocklisted process makes network request; Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 540
    PID: 3864
    Signatures: Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5096 -ip 5096
  PID: 2024
Downloads
- Filesize: 1.2MB
  MD5: fa7d658b3094ef34ae19739b484fea03
  SHA1: 9afe58a02d4035a1cdc4e7be19daae648e49325b
  SHA256: 420e9c8370046ddfb78aee19873592b139ee60b86094047a16dab3beab1c7566
  SHA512: f3429dbff0e7724d7aaa363ab27cb9bc2f0caec4c6d636a546ad4ed54dbf3f186a29b21ca2eb328755424c5c053ace7ce8775b76abb37de7c3bd4b8afe8eb038
- Filesize: 1.2MB
  MD5: 3952f26fd6c69c0c9fbd9b61297620be
  SHA1: 2021cd9f36b2ce337e72ea462b263cc8d9d0e23a
  SHA256: 8de9d904165326ee53d6c20ca16eeb49d6edb51ddab819c0d01dc5f460f1b2e3
  SHA512: 030fd2fb02324a0172aa1016ea32b3452de1ab2b607bc238db43df33f97fe8900476a959db7a9cd9b4b39f90a4b79bacab717afc252e42e213b6fe97047f3951
- Filesize: 701KB
  MD5: 855b8d8136c9ec7e054c3474839c95a6
  SHA1: b22b38d85a8e2dcc818d13e79f7f7896ca85479e
  SHA256: 1482500b25fdbe783c8d30f5b1bcb2219fc323706000de7689b5250e78be1d6f
  SHA512: c4c39b34d68a52eb8476ee3d459b1b4455d0812d7216d20a4180f171af5204b9dad30fd86cfa773905c07aff44f47bbe309c36db4e07c7128e8a98f7ddeae309