Analysis Overview
SHA256
987f20ff829ea4c324d87ca9b55860111b827d0fdb01499bb704074d9d220016
Threat Level: Known bad
The file 7ee0c1c8f76bd87982f5e238d7cf44d3 was found to be: Known bad.
Malicious Activity Summary
Danabot
Blocklisted process makes network request
Loads dropped DLL
Unsigned PE
Program crash
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-29 04:24
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 04:24
Reported
2024-01-29 04:26
Platform
win7-20231215-en
Max time kernel
147s
Max time network
140s
Command Line
Signatures
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe
"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 23.229.29.48:443 | | tcp |
Files
memory/3012-0-0x0000000002490000-0x000000000257F000-memory.dmp
memory/3012-1-0x0000000002490000-0x000000000257F000-memory.dmp
memory/3012-2-0x0000000003CE0000-0x0000000003DE6000-memory.dmp
memory/3012-5-0x0000000000400000-0x000000000248D000-memory.dmp
memory/3012-6-0x0000000000400000-0x000000000248D000-memory.dmp
memory/3012-8-0x0000000003CE0000-0x0000000003DE6000-memory.dmp
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL
| MD5 | 5caf1eb57c3efd67b774c509c43739a1 |
| SHA1 | 7d84ff3efbf98b024d5886322cd32de96f9aed94 |
| SHA256 | 03cab90f7e002834e22cc826e01c37f1d81623e9f65e5dfab6ab591fc54f99f7 |
| SHA512 | 7dae6c9452def66d2af95d7810fc56e87b245a700b246c6d8bcd396c57bd6fc3f6b9157f3b6a59694ad478fc32d2fd30eb1c923000e762eae90a7e984298e7d0 |
C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL
| MD5 | ff8e1b1d905f4e3e92f9844192d7cb36 |
| SHA1 | 8278a8bd4d5d4b4883872f6939938f4a16ae8066 |
| SHA256 | 195901fd26584a95e7851f93df8d21bb51328dad8c4eb2e92bdbae220ab018d6 |
| SHA512 | 7053f9021026d10f06cb7ee7b6880b6d8cfdfac46f89bb4e128ee3d6c5e321f9d9639394be739e819172ca03ebeb2be89af949fce8eb64f798bb00f9d09842ba |
memory/2980-18-0x0000000001F70000-0x00000000020D2000-memory.dmp
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL
| MD5 | 6ec6a40190161b95c184941d28d5efd6 |
| SHA1 | 18a8f39396b713f9287dc24fb7170d86f48eb5a4 |
| SHA256 | 19495a3aac0f4cdc06aab461ccf5d10922764266de594b5b627d8c25475f6f78 |
| SHA512 | 7cc63910f6e70355cc6bd7ef4e7a16cb5e26c4529371bf944c16c09afa12fc5a5ac90bf6148378191a9fa15b874d563b91b332e9c573576ac62bd1427414171e |
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL
| MD5 | 295dc34770ba49bcb23f9c80eea7830f |
| SHA1 | a5eed3d00ebc06242943d736dcb04681c633c62d |
| SHA256 | 6f4cfaa9d6647c81b5f190381c956aa27c57e69ae94e121aefb15adbe30a8346 |
| SHA512 | 6fd011e393a7d809e8cee90d3eae1149caa5b37ba24030ff310c949217c8b4cc2a066890188634140487d9f0d01957d54b154e983ee1cf83be466ef5a8adb511 |
\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL
| MD5 | d016f3e44b1e9e0c2ac74dea34a1d392 |
| SHA1 | 3991345c926597a96b90c23a8111d37cbf744433 |
| SHA256 | 2725fc65da527a545f4b8a31a959c290048254d828e745434e11d1f610f90a4c |
| SHA512 | 307fa3e0c246a64b5e3545cec225b7be307855fea3681be1f4095e3a40198357a9be2d891a5b17ca4f5713b1d69b985f448a63e3453834d30a971c9b59c56da9 |
memory/3012-19-0x0000000000400000-0x000000000248D000-memory.dmp
memory/2980-20-0x0000000001F70000-0x00000000020D2000-memory.dmp
memory/3012-31-0x0000000000400000-0x000000000248D000-memory.dmp
memory/2980-32-0x0000000001F70000-0x00000000020D2000-memory.dmp
memory/2980-33-0x0000000001F70000-0x00000000020D2000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 04:24
Reported
2024-01-29 04:26
Platform
win10v2004-20231222-en
Max time kernel
148s
Max time network
139s
Command Line
Signatures
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 5096 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 5096 wrote to memory of 1444 | N/A | C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe
"C:\Users\Admin\AppData\Local\Temp\7ee0c1c8f76bd87982f5e238d7cf44d3.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 5096 -ip 5096
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 5096 -s 540
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 23.229.29.48:443 | | tcp |
Files
memory/5096-1-0x0000000004310000-0x000000000440E000-memory.dmp
memory/5096-2-0x0000000004410000-0x0000000004516000-memory.dmp
memory/5096-5-0x0000000000400000-0x000000000248D000-memory.dmp
memory/5096-6-0x0000000000400000-0x000000000248D000-memory.dmp
memory/5096-7-0x0000000004410000-0x0000000004516000-memory.dmp
memory/5096-9-0x0000000004310000-0x000000000440E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE.dll
| MD5 | 3952f26fd6c69c0c9fbd9b61297620be |
| SHA1 | 2021cd9f36b2ce337e72ea462b263cc8d9d0e23a |
| SHA256 | 8de9d904165326ee53d6c20ca16eeb49d6edb51ddab819c0d01dc5f460f1b2e3 |
| SHA512 | 030fd2fb02324a0172aa1016ea32b3452de1ab2b607bc238db43df33f97fe8900476a959db7a9cd9b4b39f90a4b79bacab717afc252e42e213b6fe97047f3951 |
C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.DLL
| MD5 | fa7d658b3094ef34ae19739b484fea03 |
| SHA1 | 9afe58a02d4035a1cdc4e7be19daae648e49325b |
| SHA256 | 420e9c8370046ddfb78aee19873592b139ee60b86094047a16dab3beab1c7566 |
| SHA512 | f3429dbff0e7724d7aaa363ab27cb9bc2f0caec4c6d636a546ad4ed54dbf3f186a29b21ca2eb328755424c5c053ace7ce8775b76abb37de7c3bd4b8afe8eb038 |
memory/1444-17-0x0000000002080000-0x00000000021E2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7EE0C1~1.EXE.dll
| MD5 | 855b8d8136c9ec7e054c3474839c95a6 |
| SHA1 | b22b38d85a8e2dcc818d13e79f7f7896ca85479e |
| SHA256 | 1482500b25fdbe783c8d30f5b1bcb2219fc323706000de7689b5250e78be1d6f |
| SHA512 | c4c39b34d68a52eb8476ee3d459b1b4455d0812d7216d20a4180f171af5204b9dad30fd86cfa773905c07aff44f47bbe309c36db4e07c7128e8a98f7ddeae309 |
memory/5096-18-0x0000000000400000-0x000000000248D000-memory.dmp
memory/1444-19-0x0000000002080000-0x00000000021E2000-memory.dmp
memory/5096-30-0x0000000000400000-0x000000000248D000-memory.dmp
memory/1444-31-0x0000000002080000-0x00000000021E2000-memory.dmp
memory/1444-32-0x0000000002080000-0x00000000021E2000-memory.dmp