Analysis
- max time kernel: 141s
- max time network: 121s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 29-01-2024 10:05
Static task: static1
Behavioral task: behavioral1
Sample: 7f8f5be06bf789146526e520a66be571.exe
Resource: win7-20231129-en
General
- Target: 7f8f5be06bf789146526e520a66be571.exe
- Size: 1.2MB
- MD5: 7f8f5be06bf789146526e520a66be571
- SHA1: 629681e69d3759d2085aa2c037c8c6fca4045ea2
- SHA256: 1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd
- SHA512: 4c396b8dadfd446f11b644ad33042e0c6fa19b418c02d744f4bda5409732b3b1601cc3bff191cb5a8a10f676672d0c662705420a1b4306f142a6a897a09210aa
- SSDEEP: 24576:wAUndkOGbeIL4GZfKiE8q34N+/J8b5uRLDOmY1NY6NDaJm6bPCPR:rAkP0GZnEB4NW8bk1D4TY4
Malware Config
Extracted
- family: danabot
- 4
- 142.11.244.124:443
- 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes (flow / pid / process):
  2 / 2668 / rundll32.exe
- Loads dropped DLL (1 IoC)
  Processes (pid / process):
  2668 / rundll32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description / pid / process / target process), the same row recorded 7 times:
  PID 1732 wrote to memory of 2668 / 1732 / 7f8f5be06bf789146526e520a66be571.exe / rundll32.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
   - Suspicious use of WriteProcessMemory
   PID: 1732
   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 2668
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 101KB
  MD5: 17fc0a22c0431ec2f62c3c233f049ff8
  SHA1: fc5f141ee891f86f172e3b4ee175c33504064616
  SHA256: 28f6b29dd75a1ba32bb40b143cf6823d5f442b7c11d329ca52246250168d8b63
  SHA512: 1726017d48749dbf016c8663e90c102e01214ba55e44161d8cff8e2eff43803891d82cbcfb3d26748d39b96fe0122d77a6ff9aceda2ca17c31c52ad47d547b13
- Filesize: 112KB
  MD5: 39b30977b2a15193eb69721a7087cd75
  SHA1: 153d635ff65b60d1b07bfb2e678eeb8b24d37dfc
  SHA256: 71cf6c008dcec79b4d77f850646b96dea065620086b52bf573abc38c173e03c2
  SHA512: 1d60a6d50cb09ea72ebd289ed5d90b1ab1a531852a178bdb06abc9e4f8a230310d9d5ba5ec659a84db8997a7092ba0729c2e484bbd07c635057b666dd44eac77