Analysis Overview
SHA256
1b6893887051e9bb3155b6a817e71e499dcb5959369391a42b772c0fa75e55fd
Threat Level: Known bad
The file 7f8f5be06bf789146526e520a66be571 was found to be: Known bad.
Malicious Activity Summary
Danabot
Blocklisted process makes network request
Loads dropped DLL
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-01-29 10:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-29 10:05
Reported
2024-01-29 10:08
Platform
win7-20231129-en
Max time kernel
141s
Max time network
121s
Command Line
Signatures
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
"C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 142.11.244.124:443 | | tcp |
Files
\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
| Hash | Value |
| --- | --- |
| MD5 | 39b30977b2a15193eb69721a7087cd75 |
| SHA1 | 153d635ff65b60d1b07bfb2e678eeb8b24d37dfc |
| SHA256 | 71cf6c008dcec79b4d77f850646b96dea065620086b52bf573abc38c173e03c2 |
| SHA512 | 1d60a6d50cb09ea72ebd289ed5d90b1ab1a531852a178bdb06abc9e4f8a230310d9d5ba5ec659a84db8997a7092ba0729c2e484bbd07c635057b666dd44eac77 |
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
| Hash | Value |
| --- | --- |
| MD5 | 17fc0a22c0431ec2f62c3c233f049ff8 |
| SHA1 | fc5f141ee891f86f172e3b4ee175c33504064616 |
| SHA256 | 28f6b29dd75a1ba32bb40b143cf6823d5f442b7c11d329ca52246250168d8b63 |
| SHA512 | 1726017d48749dbf016c8663e90c102e01214ba55e44161d8cff8e2eff43803891d82cbcfb3d26748d39b96fe0122d77a6ff9aceda2ca17c31c52ad47d547b13 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-29 10:05
Reported
2024-01-29 10:08
Platform
win10v2004-20231222-en
Max time kernel
142s
Max time network
149s
Command Line
Signatures
Danabot
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1432 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1432 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1432 wrote to memory of 4368 | N/A | C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe
"C:\Users\Admin\AppData\Local\Temp\7f8f5be06bf789146526e520a66be571.exe"
C:\Windows\SysWOW64\rundll32.exe
C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP,S C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 1432 -ip 1432
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 540
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 179.178.17.96.in-addr.arpa | udp |
| US | 142.11.244.124:443 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE.tmp
| Hash | Value |
| --- | --- |
| MD5 | 86932bc86c44484a1ddef9961d2f26b9 |
| SHA1 | d0c98e82543e2d62fe3ddaaf69f8e5c4da8bd52e |
| SHA256 | 05c4700e7bdfde97198315dd820cfb728a4608c3c7f2d58fd5b2ada87206af3e |
| SHA512 | 9beb70f8edc569bdbce5aec49b9f5a2c8ff820717ba746da6510df2cc02f37ec60dec3ea506015d79ef5516bc902eba190dbeb4b20601063e87b1bb8e0979159 |
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.EXE.tmp
| Hash | Value |
| --- | --- |
| MD5 | be6ae0e5e56124e4d7988b2fded71593 |
| SHA1 | 590708d08b14a18572cf667d5c3be47bf4c0ee7d |
| SHA256 | 634e9f4707aa6ad15a07aaf1989b139981d192585063b9f107a960d628c36393 |
| SHA512 | aabec19d6eac770b58452bf4112984abcd21e4116f48e6658d8c518342b4359baebaa5cae7da148d96d4918bb4ff24e858f3abc2a3f063b2b6b9f306a5f84f2b |
C:\Users\Admin\AppData\Local\Temp\7F8F5B~1.TMP
| Hash | Value |
| --- | --- |
| MD5 | 6880ca3d7b614ad190b5e2fc24aff359 |
| SHA1 | 004aa770c9844965127c1089bce83ac40462602f |
| SHA256 | 63c16677467402586ccecc13f44bd1ebe7389163b2a0d44858fe28d3c295e7e8 |
| SHA512 | 762708874af80248bdff74dcc92014772626af23cad8c8d9a904fd163cf43218208e9c4820a6bc2267dce4ab37449e30232e283046876a2a4116ce1f693a1f72 |