Analysis
max time kernel: 103s
max time network: 95s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/09/2024, 14:59
Static task: static1
Behavioral task: behavioral1
Sample: 551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
Resource: win7-20240903-en
General
Target: 551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
Size: 1.2MB
MD5: aae3bdf6a69bea9f0c318fd6d0d734a9
SHA1: 8b66f377b26971f7ca04cd195a8b259c0de6af2e
SHA256: 551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d
SHA512: c0cdf71d41b1a932a778b3d654f3e912d387fb67040c5643e083860ee95a6e33526aee3fb210489244708addb2eef69cfe8260f2918f2cceaa6c6a6ef56bdcd1
SSDEEP: 24576:MOKVUR8pBibV0bNUuKEa39XuktoabwxHnO0cmhMO3z39+aVBYPzP4sEv0:M7mR8pBi50bdKEa1H9b0HWvEzbXYks/
Malware Config
Extracted: danabot
4
192.119.110.73:443
192.236.147.159:443
192.210.222.88:443
embedded_hash: F4711E27D559B4AEB1A081A1EB0AC465
type: loader
Signatures

Danabot Loader Component (6 IoCs)
  resource                                                                      yara_rule
  behavioral2/files/0x0002000000022f9b-6.dat                                    DanabotLoader2021
  behavioral2/memory/4360-24-0x0000000000400000-0x0000000000561000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4360-33-0x0000000000400000-0x0000000000561000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4360-34-0x0000000000400000-0x0000000000561000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4360-35-0x0000000000400000-0x0000000000561000-memory.dmp   DanabotLoader2021
  behavioral2/memory/4360-36-0x0000000000400000-0x0000000000561000-memory.dmp   DanabotLoader2021

Blocklisted process makes network request (1 IoC)
  flow   pid    Process
  41     4360   rundll32.exe

Loads dropped DLL (1 IoC)
  pid    Process
  4360   rundll32.exe

Program crash (1 IoC)
  pid    pid_target   Process        procid_target
  3948   1268         WerFault.exe   82

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                             Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    rundll32.exe

Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  description         ioc                                                                                                                                        Process
  Key value queried   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName                            taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000                                         taskmgr.exe
  Key opened          \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A   taskmgr.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid    Process
  2924   taskmgr.exe   (64 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid    Process
  2924   taskmgr.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                          pid    Process
  Token: SeDebugPrivilege              2924   taskmgr.exe
  Token: SeSystemProfilePrivilege      2924   taskmgr.exe
  Token: SeCreateGlobalPrivilege       2924   taskmgr.exe

Suspicious use of FindShellTrayWindow (64 IoCs)
  pid    Process
  2924   taskmgr.exe   (64 identical entries)

Suspicious use of SendNotifyMessage (64 IoCs)
  pid    Process
  2924   taskmgr.exe   (64 identical entries)

Suspicious use of WriteProcessMemory (3 IoCs)
  description                              pid    Process                                                                   procid_target
  PID 1268 wrote to memory of 4360         1268   551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe    87
  (3 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\551ea1010363920b9d9edcc1c85de2a55ac0d9d193f7ca93110c1fc27d59951d.exe"
  PID: 1268
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  child processes:
  - C:\Windows\SysWOW64\rundll32.exe
    command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\551EA1~1.DLL,s C:\Users\Admin\AppData\Local\Temp\551EA1~1.EXE
    PID: 4360
    - Blocklisted process makes network request
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
  - C:\Windows\SysWOW64\WerFault.exe
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1268 -s 512
    PID: 3948
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 1268 -ip 1268
  PID: 1192
- C:\Windows\system32\taskmgr.exe
  command line: "C:\Windows\system32\taskmgr.exe" /4
  PID: 2924
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.3MB
MD5: 1896bffd24796fef9a353b8aa753b8d3
SHA1: 35b2db1be26229916b8ec054668a72550b4ef607
SHA256: 96a0bb84e724bdba99667e321fcb4d51c49091a74f4d8bdefa56de3095e394e8
SHA512: d2177b40c192543a7a363e7e5b20a2654878792ae3e1cce45195eec1ff77d38010e4eba751e963a7948ae0708ac4ca28febea3a9f8c1e12f2c201d5e4de2d909