Analysis
-
max time kernel
111s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
15-07-2024 23:02
Static task
static1
Behavioral task
behavioral1
Sample
261f8b9ee047f2e9ff3437b55b228c50N.dll
Resource
win7-20240705-en
General
-
Target
261f8b9ee047f2e9ff3437b55b228c50N.dll
-
Size
3.7MB
-
MD5
261f8b9ee047f2e9ff3437b55b228c50
-
SHA1
b121fbabb9729635dc0f2f9f99c3c8b839d3589e
-
SHA256
c833f5951c3e22b358388cb256676ecd44f38ae2025c0e48bb717200f5eced09
-
SHA512
5c3de5b66c8852446fc9d6b4b218ac5073bb9365be387191ef69430027ce59fff0140482d58fb85d7890f64a974bbb236cd66bccd2bf867b1de59eb6e9d3580f
-
SSDEEP
98304:A0GrDh3DM50y37vVpRMYRF8fmB+XmJsvfS8rw9YXh:ARh450y3zKYRWfY+W6vf3h
Malware Config
Extracted
danabot
1755
3
78.138.98.136:443
134.119.186.199:443
192.236.192.238:443
172.93.201.39:443
-
embedded_hash
82C66843DE542BC5CB88F713DE39B52B
-
type
main
Signatures
-
Blocklisted process makes network request 4 IoCs
Processes:
RUNDLL32.EXEflow pid process 12 4292 RUNDLL32.EXE 16 4292 RUNDLL32.EXE 17 4292 RUNDLL32.EXE 31 4292 RUNDLL32.EXE -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
rundll32.exeRUNDLL32.EXEdescription pid process Token: SeDebugPrivilege 2572 rundll32.exe Token: SeDebugPrivilege 4292 RUNDLL32.EXE -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
rundll32.exerundll32.exedescription pid process target process PID 1508 wrote to memory of 2572 1508 rundll32.exe rundll32.exe PID 1508 wrote to memory of 2572 1508 rundll32.exe rundll32.exe PID 1508 wrote to memory of 2572 1508 rundll32.exe rundll32.exe PID 2572 wrote to memory of 4292 2572 rundll32.exe RUNDLL32.EXE PID 2572 wrote to memory of 4292 2572 rundll32.exe RUNDLL32.EXE PID 2572 wrote to memory of 4292 2572 rundll32.exe RUNDLL32.EXE
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1508 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,#12⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2572 -
C:\Windows\SysWOW64\RUNDLL32.EXEC:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\261f8b9ee047f2e9ff3437b55b228c50N.dll,Yz0mZA==3⤵
- Blocklisted process makes network request
- Suspicious use of AdjustPrivilegeToken
PID:4292
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
256B
MD56c844def9a13070e416d22bb49c98f26
SHA1610e8acdde24091d8fb7ade257a15962c9f77172
SHA25684491810eba3b7513fa08210f7577c1eebc5dcae456739cd055663de9ff4ccce
SHA5128a96b75851936af882ae4fef755c6bf65e28704f6b1bee0ad86d5b67495822097e26166fa921a7dbf30c7832081fe685486e1f590a3b7f156fc13ed5df83a4ae