Analysis

max time kernel: 148s
max time network: 145s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30-01-2024 10:11
Static task: static1
Behavioral task: behavioral1
Sample: 822ad0916ed57b9f8e4a9610aabb56e2.exe
Resource: win7-20231129-en
General

Target: 822ad0916ed57b9f8e4a9610aabb56e2.exe
Size: 1.2MB
MD5: 822ad0916ed57b9f8e4a9610aabb56e2
SHA1: 1d662a74d9ea2467ee66c29f3b000134527a4d4d
SHA256: 853ece062f75bc68b24c5ee05093b3c344787fbbeba3006146e1b1186738dabb
SHA512: dee71882ee4bab4b9a4c3ed203dec4a8078ea381b8afca0374b19fb5bbd4f3d360c493919041db3822f401b1022688d8a71f870a7aee0247dda83802ea6393bd
SSDEEP: 24576:e6VU2jJSKjdbfHtHzIhtIwzPIiFTOvYiKAT1X6t+cGwmKNy:/vGtIMavhZm6uy
Malware Config

Extracted
Family: danabot
Version: 4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Blocklisted process makes network request (1 IoCs)
  Processes:
  flow  pid   process
  50    4888  rundll32.exe

Loads dropped DLL (1 IoCs)
  Processes:
  pid   process
  4888  rundll32.exe

Program crash (1 IoCs)
  Processes:
  pid   pid_target  process       target process
  3928  2872        WerFault.exe  822ad0916ed57b9f8e4a9610aabb56e2.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
  description                       pid   process                               target process
  PID 2872 wrote to memory of 4888  2872  822ad0916ed57b9f8e4a9610aabb56e2.exe  rundll32.exe
  PID 2872 wrote to memory of 4888  2872  822ad0916ed57b9f8e4a9610aabb56e2.exe  rundll32.exe
  PID 2872 wrote to memory of 4888  2872  822ad0916ed57b9f8e4a9610aabb56e2.exe  rundll32.exe
Processes

C:\Users\Admin\AppData\Local\Temp\822ad0916ed57b9f8e4a9610aabb56e2.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\822ad0916ed57b9f8e4a9610aabb56e2.exe"
  - Suspicious use of WriteProcessMemory
  PID: 2872

    C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\822AD0~1.TMP,S C:\Users\Admin\AppData\Local\Temp\822AD0~1.EXE
      - Blocklisted process makes network request
      - Loads dropped DLL
      PID: 4888

    C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2872 -s 448
      - Program crash
      PID: 3928

C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 2872 -ip 2872
  PID: 928
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 1.3MB
MD5: 43d8af7ac782cd224707869027dc3225
SHA1: 72e26d7d76fe48ab4871decadf82508750e61704
SHA256: 6976f0e684aa623560779004e591bbab031bf300496c065670128f1139fa7acb
SHA512: 04056526cef005519fcb8cd258c7b94f5a618e6a6cb17071634175f436ecb7be6690006b04685ad323d3f2aa70244c08bb6351220a7a9a8fef0ec8ab445f6123