Analysis
-
max time kernel
143s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system -
submitted
05-02-2024 05:29
Static task
static1
Behavioral task
behavioral1
Sample
9129525b5a79a06dad5e9c6acfb72b8f.exe
Resource
win7-20231215-en
General
-
Target
9129525b5a79a06dad5e9c6acfb72b8f.exe
-
Size
1.1MB
-
MD5
9129525b5a79a06dad5e9c6acfb72b8f
-
SHA1
1c69b60f725609b55c4e8b60b1c4cc2afb05fa97
-
SHA256
967e08d85b9639892fd4bf4ab2d3e6fc7dcd4afe22326e4114df182c8b0a9b5e
-
SHA512
c69c4c60ec88f1fcda7702be8f565641d3b9ea62d40a933bdf9cc1ad85f708aa89bfa672438d4bc79ff7673a7f6072edff2612e41be8712dbba605156fcff256
-
SSDEEP
24576:O49I0d14BsA6i8vzE/WaWSlOXeLuvNH7mE+FMgbZ//u+lD8f2bQR1N:OsAsDiCg+WOXpHKFMgbZXukD8fw
Malware Config
Extracted
danabot
4
142.11.244.124:443
142.11.206.50:443
-
embedded_hash
6AD9FE4F9E491E785665E0D144F61DAB
-
type
loader
Signatures
-
Blocklisted process makes network request 1 IoCs
Processes:
rundll32.exeflow pid process 2 2448 rundll32.exe -
Loads dropped DLL 1 IoCs
Processes:
rundll32.exepid process 2448 rundll32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
9129525b5a79a06dad5e9c6acfb72b8f.exedescription pid process target process PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe PID 2512 wrote to memory of 2448 2512 9129525b5a79a06dad5e9c6acfb72b8f.exe rundll32.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\9129525b5a79a06dad5e9c6acfb72b8f.exe"C:\Users\Admin\AppData\Local\Temp\9129525b5a79a06dad5e9c6acfb72b8f.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\912952~1.TMP,S C:\Users\Admin\AppData\Local\Temp\912952~1.EXE2⤵
- Blocklisted process makes network request
- Loads dropped DLL
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Temp\912952~1.TMPFilesize
1.3MB
MD5fc55d7afa5ad97587a0d02965e69501b
SHA1e485195a77d6ac84189da82c088698e3118d01bb
SHA256dbf7ee1c646a64f9b4aea4b4180b15a91fa4e31b7e35bb2ed2a3e65301db98d6
SHA512e03bb1a1c018811a5f4f93f5206a25c2de8b9de8763b2847e07770cc7fc763300662e5e642706e90ccae6a8ea4ea17ad9ebd8392ee95b5946397605389d5f303
-
memory/2448-22-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-10-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-26-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-25-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-19-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-24-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-23-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-11-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-21-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2448-20-0x0000000000A10000-0x0000000000B6C000-memory.dmpFilesize
1.4MB
-
memory/2512-7-0x0000000000400000-0x00000000014F1000-memory.dmpFilesize
16.9MB
-
memory/2512-0-0x00000000002A0000-0x0000000000388000-memory.dmpFilesize
928KB
-
memory/2512-1-0x00000000002A0000-0x0000000000388000-memory.dmpFilesize
928KB
-
memory/2512-8-0x0000000002E40000-0x0000000002F3E000-memory.dmpFilesize
1016KB
-
memory/2512-5-0x0000000000400000-0x00000000014F1000-memory.dmpFilesize
16.9MB
-
memory/2512-2-0x0000000002E40000-0x0000000002F3E000-memory.dmpFilesize
1016KB