Analysis
max time kernel: 52s
max time network: 16s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 03/09/2024, 14:59

Static task: static1
Behavioral task: behavioral1
Sample: 551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
Resource: win7-20240903-en
General
Target: 551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
Size: 1.2MB
MD5: aae3bdf6a69bea9f0c318fd6d0d734a9
SHA1: 8b66f377b26971f7ca04cd195a8b259c0de6af2e
SHA256: 551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d
SHA512: c0cdf71d41b1a932a778b3d654f3e912d387fb67040c5643e083860ee95a6e33526aee3fb210489244708addb2eef69cfe8260f2918f2cceaa6c6a6ef56bdcd1
SSDEEP: 24576:MOKVUR8pBibV0bNUuKEa39XuktoabwxHnO0cmhMO3z39+aVBYPzP4sEv0:M7mR8pBi50bdKEa1H9b0HWvEzbXYks/
Malware Config
Extracted
danabot
4
- 192.119.110.73:443
- 192.236.147.159:443
- 192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: loader
Signatures

Danabot Loader Component (4 IoCs)
resource                                                                     yara_rule
behavioral1/files/0x000f000000013a51-7.dat                                   DanabotLoader2021
behavioral1/memory/3040-15-0x0000000001FC0000-0x0000000002121000-memory.dmp  DanabotLoader2021
behavioral1/memory/3040-16-0x0000000001FC0000-0x0000000002121000-memory.dmp  DanabotLoader2021
behavioral1/memory/2720-18-0x0000000140000000-0x00000001405E8000-memory.dmp  DanabotLoader2021

Loads dropped DLL (4 IoCs)
pid   Process
3040  rundll32.exe
3040  rundll32.exe
3040  rundll32.exe
3040  rundll32.exe
System Location Discovery: System Language Discovery (1 TTPs, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description  ioc                                                          Process
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  rundll32.exe
Suspicious behavior: EnumeratesProcesses (23 IoCs)
pid   Process
2720  taskmgr.exe  (23 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid   Process
2720  taskmgr.exe

Suspicious use of AdjustPrivilegeToken (1 IoCs)
description              pid   Process
Token: SeDebugPrivilege  2720  taskmgr.exe

Suspicious use of FindShellTrayWindow (52 IoCs)
pid   Process
2720  taskmgr.exe  (52 identical entries)

Suspicious use of SendNotifyMessage (51 IoCs)
pid   Process
2720  taskmgr.exe  (51 identical entries)

Suspicious use of WriteProcessMemory (7 IoCs)
description                       pid   Process                                                                procid_target
PID 2096 wrote to memory of 3040  2096  551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe  31
(7 identical entries)
Processes

- C:\Users\Admin\AppData\Local\Temp\551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 2096

  - C:\Windows\SysWOW64\rundll32.exe
    Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\551EA1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\551EA1~1.EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID: 3040

- C:\Windows\system32\taskmgr.exe
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID: 2720
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 71cef61feea7c6f6018b7d3dadf8ae39
SHA1: 89f2b9575ff3c7017f19200b97a3d63387aaa03b
SHA256: c7294508b36e2efdfab438ac38d9a098cc0d08aca5f2bead321a142bda08133e
SHA512: 08731bd0ffdfeebd7d2ac2e142fe5169d8bd79e61cd6b97ccffdb46ae31c74217d08d1bddcbcd2e5a8ecb3c3e702bd3dec2b8e7dac582c6ab6ee613bb2b95352