Analysis
-
max time kernel
144s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system -
submitted
31-01-2024 03:07
Static task
static1
Behavioral task
behavioral1
Sample
83482a1f9ecee5ec6fd1aa7d19060a07.exe
Resource
win7-20231215-en
General
-
Target
83482a1f9ecee5ec6fd1aa7d19060a07.exe
-
Size
1.2MB
-
MD5
83482a1f9ecee5ec6fd1aa7d19060a07
-
SHA1
5dd641372eeeb49a6b7c0b42db2eb06a7d59e013
-
SHA256
c744f24e87e969e79dd233ac2344679f95451212afc52a8fae455fa7d6df58b1
-
SHA512
c1fafd8dcf4be75c721e80ca7dcda9895f3a019b2a1ffb4f34bde771d9d658362a36c1425e87ee3f99fb0f57e57b217234a79289ad182c0ec86af3ff19eca86f
-
SSDEEP
24576:VeCQ2lMlL0FzwcfU8ri3HzhUOCuFtR1n7peMwGmsnl59VAtA:VyepwcfUakzhUtuFtzoOBl53A
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
-
type
loader
Signatures
-
Danabot Loader Component 11 IoCs
Processes:
resource                                                       yara_rule
C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP                 DanabotLoader2021
C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE.tmp             DanabotLoader2021
behavioral2/memory/2216-10-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-18-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-19-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-20-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-21-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-22-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-23-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-24-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
behavioral2/memory/2216-25-0x0000000000400000-0x000000000055F000-memory.dmp   DanabotLoader2021
-
Blocklisted process makes network request 1 IoCs
Processes:
flow   pid    process
37     2216   rundll32.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid    process
2216   rundll32.exe
-
Program crash 1 IoCs
Processes:
pid    pid_target   process        target process
5080   3200         WerFault.exe   83482a1f9ecee5ec6fd1aa7d19060a07.exe
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
description                         pid    process                                  target process
PID 3200 wrote to memory of 2216    3200   83482a1f9ecee5ec6fd1aa7d19060a07.exe     rundll32.exe
PID 3200 wrote to memory of 2216    3200   83482a1f9ecee5ec6fd1aa7d19060a07.exe     rundll32.exe
PID 3200 wrote to memory of 2216    3200   83482a1f9ecee5ec6fd1aa7d19060a07.exe     rundll32.exe
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\83482a1f9ecee5ec6fd1aa7d19060a07.exe"
    - Suspicious use of WriteProcessMemory
    PID:3200
    [2] C:\Windows\SysWOW64\rundll32.exe
        Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\83482A~1.TMP,S C:\Users\Admin\AppData\Local\Temp\83482A~1.EXE
        - Blocklisted process makes network request
        - Loads dropped DLL
        PID:2216
    [2] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3200 -s 536
        - Program crash
        PID:5080
-
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3200 -ip 3200
    PID:2132
Network
MITRE ATT&CK Matrix
Downloads
-
Filesize   1.3MB
MD5        ee13cc90fabfc6ac9c4e8a00ed3805af
SHA1       b50098d0e99a9f0f88624e58701c1a9570e421ae
SHA256     3fde70aec3497bc38df7518fcf190ae5ebbdd8c85976c28a17f7a43eaac9e92b
SHA512     5d0523bb8753f9bb6043df3d3e62cb0e479581e48b41efd86bc2a2c99c98654f5fcf36aa3366fbf8c30739296269b5b48b1d4d81a364d862e540fe7204ed4537
-
Filesize   72KB
MD5        f748130b5c5ce308eb3d942b368b9e80
SHA1       28bb82301f58f613495612ff78e2ccaa4236a31b
SHA256     dcf1a14c91cb2e9fc312d4a69847ffa8266d77acc9ea8a784bf02501dd0f41d9
SHA512     5fe269b0d14705de654f462955d3f3f0e42c9cda5a0df76bbacbcd5be324f92d32e36e6d2eee514f27b23a7ed657b28c67f8c2274c49ce805ef90ab4722aeebd