Analysis
- max time kernel: 142s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2024 10:05

Static task: static1
Behavioral task: behavioral1
- Sample: 7f8f5be06bf789146526e520a66be571.exe
- Resource: win7-20231129-en
General
- Target: 7f8f5be06bf789146526e520a66be571.exe
- Size: 1.2MB
- MD5: 7f8f5be06bf789146526e520a66be571
- SHA1: 629681e69d3759d2085aa2c037c8c6fca4045ea2
- SHA256: 1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd
- SHA512: 4c396b8dadfd446f11b644ad33042e0c6fa19b418c02d744f4bda5409732b3b1601cc3bff191cb5a8a10f676672d0c662705420a1b4306f142a6a897a09210aa
- SSDEEP: 24576:wAUndkOGbeIL4GZfKiE8q34N+/J8b5uRLDOmY1NY6NDaJm6bPCPR:rAkP0GZnEB4NW8bk1D4TY4
Malware Config
Extracted
- Family: danabot
- Version: 4
- C2: 142.11.244.124:443
- C2: 142.11.206.50:443
- embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
- type: loader
Signatures
- Blocklisted process makes network request (1 IoC)
  Processes:
  flow  pid   process
  36    4368  rundll32.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid   process
  4368  rundll32.exe
  4368  rundll32.exe
- Program crash (1 IoC)
  Processes:
  pid   pid_target  process       target process
  3772  1432        WerFault.exe  7f8f5be06bf789146526e520a66be571.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process                               target process
  PID 1432 wrote to memory of 4368  1432  7f8f5be06bf789146526e520a66be571.exe  rundll32.exe
  PID 1432 wrote to memory of 4368  1432  7f8f5be06bf789146526e520a66be571.exe  rundll32.exe
  PID 1432 wrote to memory of 4368  1432  7f8f5be06bf789146526e520a66be571.exe  rundll32.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
  PID: 1432
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
    PID: 4368
    - Blocklisted process makes network request
    - Loads dropped DLL
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 540
    PID: 3772
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1432 -ip 1432
  PID: 4196
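The process tree and signatures above describe a loader pattern that is easy to turn into a hunt: an executable in the user's Temp folder starts rundll32.exe, hands it a dropped file with a non-.dll extension and a one-letter export, writes into that child's memory, and the child then connects to one of the extracted C2 hosts. The following Python is an added example written for this page, not code from the original report or from the sandbox vendor. It models Sysmon-style process-creation and network-connection records as dicts (the field names are an assumption) and checks them against exactly those indicators; the records themselves are constructed to mirror the report, with one benign rundll32 invocation and one unrelated connection as negative controls.

```python
"""Process-creation and network check built from the indicators in this report.

Added example for this page, not code from the original report or from the
sandbox vendor.  Flags rundll32.exe started by a Temp-resident parent that
loads a Temp-resident, non-.dll file through a very short export, plus any
connection to the extracted DanaBot C2 endpoints.  Field names (type, pid,
ppid, image, cmdline, dst_ip, dst_port) are assumed; the records are
constructed to mirror the report's process tree.
"""
import os
import re
from typing import Dict, List, Optional, Tuple

# C2 endpoints from the report's extracted DanaBot configuration.
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# Constructed records: the report's three relevant processes, one benign
# rundll32 invocation, one C2 connection and one unrelated connection.
EVENTS = [
    {"type": "process", "pid": 1432, "ppid": 900,
     "image": r"C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"'},
    {"type": "process", "pid": 4368, "ppid": 1432,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\system32\rundll32.exe "
                r"C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S "
                r"C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE"},
    {"type": "process", "pid": 5000, "ppid": 700,
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl"},
    {"type": "network", "pid": 4368, "dst_ip": "142.11.244.124", "dst_port": 443},
    {"type": "network", "pid": 5000, "dst_ip": "93.184.216.34", "dst_port": 443},
]

# "rundll32[.exe] <dll>,<entry> [args]" -- the DLL path may be quoted.
RUNDLL32_ARGS = re.compile(
    r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)"?\s*,\s*(\S+)', re.IGNORECASE)
USER_TEMP = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def parse_rundll32(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (dll_path, entry_point) from a rundll32 command line, else None."""
    m = RUNDLL32_ARGS.search(cmdline)
    return (m.group(1), m.group(2)) if m else None


def rundll32_reasons(event: dict, parent: Optional[dict]) -> List[str]:
    """Reasons a rundll32 process-creation record looks like a dropped loader."""
    parsed = parse_rundll32(event["cmdline"])
    if not parsed or not event["image"].lower().endswith("rundll32.exe"):
        return []
    dll, entry = parsed
    reasons = []
    if USER_TEMP.search(dll):
        reasons.append(f"DLL loaded from user Temp: {dll}")
    ext = os.path.splitext(dll)[1].lower()
    if ext != ".dll":
        reasons.append(f"DLL has non-.dll extension '{ext}'")
    if len(entry.lstrip("#")) <= 2:          # "S" here; "#1"-style ordinals too
        reasons.append(f"short or ordinal export '{entry}'")
    if parent and USER_TEMP.search(parent["image"]):
        reasons.append(f"parent {parent['pid']} runs from user Temp")
    return reasons


def analyze(events: List[dict]) -> Dict[int, List[str]]:
    """Map each suspicious pid to the list of reasons it was flagged."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process"}
    findings: Dict[int, List[str]] = {}
    for e in events:
        if e["type"] == "process":
            reasons = rundll32_reasons(e, by_pid.get(e["ppid"]))
        elif e["type"] == "network" and (e["dst_ip"], e["dst_port"]) in DANABOT_C2:
            reasons = [f"connection to known DanaBot C2 {e['dst_ip']}:{e['dst_port']}"]
        else:
            reasons = []
        if reasons:
            findings.setdefault(e["pid"], []).extend(reasons)
    return findings


if __name__ == "__main__":
    for pid, reasons in analyze(EVENTS).items():
        print(pid)
        for r in reasons:
            print("  -", r)
```

Only pid 4368 is flagged: the sample's own launch (pid 1432) carries no rundll32 arguments, and the benign `shell32.dll,Control_RunDLL` call passes every check. The C2 match is the weakest of the five reasons in practice, since IPs rotate; the Temp-resident parent, the `.TMP` extension and the one-letter export are what generalise to other DanaBot loader drops.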
Network
MITRE ATT&CK Matrix
Downloads
- Filesize: 456KB
  MD5: be6ae0e5e56124e4d7988b2fded71593
  SHA1: 590708d08b14a18572cf667d5c3be47bf4c0ee7d
  SHA256: 634e9f4707aa6ad15a07aaf1989b139981d192585063b9f107a960d628c36393
  SHA512: aabec19d6eac770b58452bf4112984abcd21e4116f48e6658d8c518342b4359baebaa5cae7da148d96d4918bb4ff24e858f3abc2a3f063b2b6b9f306a5f84f2b
- Filesize: 372KB
  MD5: 86932bc86c44484a1ddef9961d2f26b9
  SHA1: d0c98e82543e2d62fe3ddaaf69f8e5c4da8bd52e
  SHA256: 05c4700e7bdfde97198315dd820cfb728a4608c3c7f2d58fd5b2ada87206af3e
  SHA512: 9beb70f8edc569bdbce5aec49b9f5a2c8ff820717ba746da6510df2cc02f37ec60dec3ea506015d79ef5516bc902eba190dbeb4b20601063e87b1bb8e0979159
- Filesize: 540KB
  MD5: 6880ca3d7b614ad190b5e2fc24aff359
  SHA1: 004aa770c9844965127c1089bce83ac40462602f
  SHA256: 63c16677467402586ccecc13f44bd1ebe7389163b2a0d44858fe28d3c295e7e8
  SHA512: 762708874af80248bdff74dcc92014772626af23cad8c8d9a904fd163cf43218208e9c4820a6bc2267dce4ab37449e30232e283046876a2a4116ce1f693a1f72