Analysis

- max time kernel: 142s
- max time network: 123s
- platform: windows10-2004_x64
- resource: win10v2004-20231222-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231222-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-01-2024 16:07

Static task: static1
Behavioral task: behavioral1
Sample: 80450a6fd44277fa7c6883ee59093f72.dll
Resource: win7-20231215-en
General

- Target: 80450a6fd44277fa7c6883ee59093f72.dll
- Size: 5.7MB
- MD5: 80450a6fd44277fa7c6883ee59093f72
- SHA1: d90e1ccec2ff3f552b0e887acd50418a8959c1d1
- SHA256: ea0af0074cddd3d6de2f641f5f0e7dfb5170dfc44a8661b06075cf32dfc3cf16
- SHA512: 461648a7cba529f6e13da31c1c4f4ad5ce73798a3569d96df65993d1c9c28cdc3750c5b056a1767e45260fd84b76c3fe179ccceea328a17a8182b76a54a0be65
- SSDEEP: 98304:VTH01OZK84868vo7flGArwf9ytPkWQULuYF2YsV3PlokRWS:VTHYiKsAz8ArPqWQULuTykRl
Malware Config

Extracted: danabot
- 1827
- 3
- 23.106.123.141:443
- 37.220.31.94:443
- 23.106.123.185:443
- 192.210.198.12:443
- embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
- type: main
Signatures

- Blocklisted process makes network request (4 IoCs)
  Processes (flow, pid, process):
    5    1272  RUNDLL32.EXE
    18   1272  RUNDLL32.EXE
    20   1272  RUNDLL32.EXE
    22   1272  RUNDLL32.EXE
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2264  rundll32.exe
    Token: SeDebugPrivilege  1272  RUNDLL32.EXE
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes (description, pid, process, target process):
    PID 4032 wrote to memory of 2264  4032  rundll32.exe  rundll32.exe
    PID 4032 wrote to memory of 2264  4032  rundll32.exe  rundll32.exe
    PID 4032 wrote to memory of 2264  4032  rundll32.exe  rundll32.exe
    PID 2264 wrote to memory of 1272  2264  rundll32.exe  RUNDLL32.EXE
    PID 2264 wrote to memory of 1272  2264  rundll32.exe  RUNDLL32.EXE
    PID 2264 wrote to memory of 1272  2264  rundll32.exe  RUNDLL32.EXE
Processes

- C:\Windows\system32\rundll32.exe
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,#1
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE
      Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\80450a6fd44277fa7c6883ee59093f72.dll,mGI2
      - Blocklisted process makes network request
      - Suspicious use of AdjustPrivilegeToken
Downloads

- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT
  Filesize: 16B
  MD5: 46295cac801e5d4857d09837238a6394
  SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Applications\Manifest Resources\aghbiahbpaijignceidepookljebhfak\Icons\128.png
  Filesize: 7KB
  MD5: 9f7165e53ce1f7f109be240a7145d96d
  SHA1: 08df18922492fe799f75912a100d00f4fb9ed4c4
  SHA256: 7ace7af33ecddb14b0e5870d9c5be28f0218d106f33fb505154d089a5055e9e9
  SHA512: 8fed74e748736b36a9ff33340120a85f722651a877b5404ae79eb650b31885d37b43d8102cfd9eeda4033dbf463d324533ced3bb2418e95fa0662291652db448
- C:\Users\Admin\AppData\Local\Temp\Gujekofbuuhnk.tmp
  Filesize: 256B
  MD5: 47de63aca9e42b79be429a58ab3d0c4e
  SHA1: b66e011affb9a6c01bd58ca3c208969d62739cba
  SHA256: 6c5e7cd0ea0347f987064f833d7f01396c1dd578f7e80e0785bfd35b64ef0cec
  SHA512: aa31ce697c5887355d25d77563abbe6bda8d6bda4f12c239c1af9cb4cb327ac95aa100be05674edd6f51dc9815c2be23a42a658fcf66c9ece7ffb758d1f724bf

Memory dumps (path, filesize):
- memory/1272-8-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/1272-9-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/1272-5-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/1272-6-0x00000000029E0000-0x00000000029E1000-memory.dmp: 4KB
- memory/1272-7-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/1272-24-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/1272-19-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/1272-4-0x0000000002320000-0x00000000028DB000-memory.dmp: 5.7MB
- memory/1272-20-0x0000000002320000-0x00000000028DB000-memory.dmp: 5.7MB
- memory/1272-23-0x0000000002FE0000-0x0000000003640000-memory.dmp: 6.4MB
- memory/2264-21-0x0000000002BE0000-0x0000000003240000-memory.dmp: 6.4MB
- memory/2264-0-0x0000000002090000-0x000000000264B000-memory.dmp: 5.7MB
- memory/2264-3-0x0000000002BE0000-0x0000000003240000-memory.dmp: 6.4MB
- memory/2264-2-0x0000000003460000-0x0000000003461000-memory.dmp: 4KB
- memory/2264-1-0x0000000002BE0000-0x0000000003240000-memory.dmp: 6.4MB