Analysis

max time kernel: 143s
max time network: 120s
platform: windows7_x64
resource: win7-20231215-en
resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
submitted: 31-01-2024 03:07
Static task: static1
Behavioral task: behavioral1
Sample: 83482a1f9ecee5ec6fd1aa7d19060a07.exe
Resource: win7-20231215-en
General

Target: 83482a1f9ecee5ec6fd1aa7d19060a07.exe
Size: 1.2MB
MD5: 83482a1f9ecee5ec6fd1aa7d19060a07
SHA1: 5dd641372eeeb49a6b7c0b42db2eb06a7d59e013
SHA256: c744f24e87e969e79dd233ac2344679f95451212afc52a8fae455fa7d6df58b1
SHA512: c1fafd8dcf4be75c721e80ca7dcda9895f3a019b2a1ffb4f34bde771d9d658362a36c1425e87ee3f99fb0f57e57b217234a79289ad182c0ec86af3ff19eca86f
SSDEEP: 24576:VeCQ2lMlL0FzwcfU8ri3HzhUOCuFtR1n7peMwGmsnl59VAtA:VyepwcfUakzhUtuFtzoOBl53A
Malware Config

Extracted
Family: danabot
Version: 4
C2: 142.11.244.124:443
C2: 142.11.206.50:443
embedded_hash: 6AD9FE4F9E491E785665E0D144F61DAB
type: loader
Signatures

Danabot Loader Component (12 IoCs)
resource                                                                          yara_rule
C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP                                    DanabotLoader2021
\Users\Admin\AppData\Local\Temp\83482A~1.TMP                                      DanabotLoader2021
behavioral1/memory/1088-10-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-11-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-19-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-20-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-21-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-22-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-23-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-24-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-25-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021
behavioral1/memory/1088-26-0x00000000004E0000-0x000000000063F000-memory.dmp       DanabotLoader2021

Blocklisted process makes network request (1 IoC)
flow  pid   process
2     1088  rundll32.exe

Loads dropped DLL (1 IoC)
pid   process
1088  rundll32.exe

Suspicious use of WriteProcessMemory (7 IoCs)
description              pid   process                               target process
wrote to memory of 1088  2032  83482a1f9ecee5ec6fd1aa7d19060a07.exe  rundll32.exe   (7 identical events)
Processes

1. C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"
   PID: 2032
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE
      PID: 1088
      - Blocklisted process makes network request
      - Loads dropped DLL

Note: the child image is C:\Windows\SysWOW64\rundll32.exe although the command line names C:\Windows\system32\rundll32.exe; the 32-bit parent launched it under WoW64 file-system redirection. The loader DLL is dropped to the user's Temp directory with a .TMP extension (here shown by its 8.3 short name) and invoked through the single-letter export S, with the dropper's own path passed as the argument.
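The process tree above is a compact hunting pattern: rundll32 loading a non-.dll file from a user Temp directory via a one-letter export, spawned by a parent that itself runs from Temp, followed by outbound connections to the extracted C2s. The Python below is an added example, not part of the Triage report or the sample; it scores a process event against those indicators and joins flagged PIDs to network flows hitting the report's C2 list. The DanaBot event, PIDs, paths and C2 endpoints are taken from this report; the benign comparison event and the third flow are constructed.

```python
"""Hunting helper for the rundll32 loader pattern recorded in this report.

Added example; not part of the Triage report or the sample. The process
events and network flows below are constructed from the report's process
tree and extracted config (PIDs, paths and C2s are the report's; the
benign event and the non-C2 flow are made up).
"""
import ntpath
import re
from dataclasses import dataclass

# C2 endpoints from the extracted danabot config in the report.
DANABOT_C2 = {("142.11.244.124", 443), ("142.11.206.50", 443)}

# rundll32 <module>[,<entrypoint>] [args]; the module path may be quoted.
_RUNDLL32 = re.compile(
    r'rundll32(?:\.exe)?"?\s+(?P<module>"[^"]+"|[^\s,]+)(?:,(?P<export>\S+))?(?:\s+(?P<args>.*))?$',
    re.IGNORECASE,
)
# Per-user Temp directory, matched on a lower-cased backslash path.
_USER_TEMP = re.compile(r"\\users\\[^\\]+\\appdata\\local\\temp\\")


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str
    parent_image: str
    cmdline: str


def parse_rundll32(cmdline: str):
    """Split a rundll32 command line into (module, entrypoint, args), or None."""
    m = _RUNDLL32.search(cmdline)
    if m is None:
        return None
    return m.group("module").strip('"'), m.group("export"), m.group("args") or ""


def rundll32_indicators(ev: ProcessEvent) -> list[str]:
    """Reasons a rundll32 launch resembles the dropped-loader pattern above."""
    if ntpath.basename(ev.image).lower() != "rundll32.exe":
        return []
    parsed = parse_rundll32(ev.cmdline)
    if parsed is None:
        return ["rundll32 started without a module argument"]
    module, export, _args = parsed
    norm = ntpath.normcase(module)  # lower-case, forward slashes -> backslashes
    reasons = []
    if ntpath.splitext(norm)[1] != ".dll":
        reasons.append(f"module has a non-DLL extension: {ntpath.basename(module)}")
    if _USER_TEMP.search(norm):
        reasons.append("module loaded from a user Temp directory")
    if re.search(r"~\d", ntpath.basename(norm)):
        reasons.append("module referenced by an 8.3 short name")
    if export is not None and len(export) == 1:
        reasons.append(f"single-character entry point: {export}")
    if _USER_TEMP.search(ntpath.normcase(ev.parent_image)):
        reasons.append("parent process runs from a user Temp directory")
    return reasons


def c2_flows(flows, suspicious_pids, c2=DANABOT_C2):
    """Flows (pid, dst_ip, dst_port) from flagged PIDs to a known C2 endpoint."""
    return [f for f in flows if f[0] in suspicious_pids and (f[1], f[2]) in c2]


def triage(events, flows):
    """Return ({pid: reasons} for suspicious rundll32 launches, their C2 flows)."""
    hits = {}
    for ev in events:
        reasons = rundll32_indicators(ev)
        if reasons:
            hits[ev.pid] = reasons
    return hits, c2_flows(flows, set(hits))


# Constructed from the report's process tree (PID 2032 -> PID 1088).
DANABOT_EVENT = ProcessEvent(
    pid=1088, ppid=2032,
    image=r"C:\Windows\SysWOW64\rundll32.exe",
    parent_image=r"C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe",
    cmdline=r"C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE",
)
# Made-up benign comparison: a Control Panel applet launched from Explorer.
BENIGN_EVENT = ProcessEvent(
    pid=4100, ppid=1500,
    image=r"C:\Windows\System32\rundll32.exe",
    parent_image=r"C:\Windows\explorer.exe",
    cmdline=r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
)
# Constructed flows; the first two use the C2s extracted in the report.
SAMPLE_FLOWS = [
    (1088, "142.11.244.124", 443),
    (1088, "142.11.206.50", 443),
    (4100, "93.184.216.34", 443),
]

if __name__ == "__main__":
    hits, flows = triage([DANABOT_EVENT, BENIGN_EVENT], SAMPLE_FLOWS)
    for pid, reasons in hits.items():
        print(f"pid {pid}:")
        for r in reasons:
            print(f"  - {r}")
    for pid, ip, port in flows:
        print(f"pid {pid} -> {ip}:{port} (known C2)")
```

Each indicator on its own is weak (installers legitimately call rundll32 on files in Temp, and short names appear whenever a long path is passed through an 8.3-aware API), so the function returns the full reason list rather than a boolean and leaves the threshold to the caller; the report's event trips all five, the Explorer-launched applet none. Joining on the C2 list then confirms the flagged PID is the one that talked out.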
Network
MITRE ATT&CK Matrix
Downloads

File 1
Filesize: 81KB
MD5: 704af132c566a673c42dafeca9b583eb
SHA1: 5f054007a3461aeb6077fccca745882dc7d6eb34
SHA256: b54c72a7a27097d756d1cd9a64a5bfa8069ba5af2ed802df15b91e6d1de20057
SHA512: b75265abe4464130160a68f5791938a82211732e5118fba398ae3f9b87ea8213ca73786bd6e8b2dc219c92e0d23d53a5bb09d6885f6a8a87a4ef657b4c9c0a5d

File 2
Filesize: 83KB
MD5: 78522096af3e878569cade04602d61f1
SHA1: 02e0d2a3cd0f9c6eea1e490583434057e77c75eb
SHA256: 0fc30092eb96c40dca2e0dce956d79caa5fa74e0754854107507222af285bcab
SHA512: 5b5a92f4a4d6a278a46f3377b6b9e2c4aa2f6ae105f819da19a7f7fb704c6fa9900533d0bc1634024d29ddd6650c5e74d51008e5cdca76ee587bc2b589efcfe4