Analysis
max time kernel: 113s
max time network: 97s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-09-2024 16:45
Behavioral task: behavioral1
Sample: ec56fe2723f85dead33ab380ae1c2b30N.exe
Resource: win7-20240729-en
General
Target: ec56fe2723f85dead33ab380ae1c2b30N.exe
Size: 4.4MB
MD5: ec56fe2723f85dead33ab380ae1c2b30
SHA1: f0e046ae1724dd1edda6abbeed36f58c077568e8
SHA256: f41d9ca984b9c4efb0f8c375d5393364376c3e0967417a2fdde1d7fddb048cc2
SHA512: 2b3a0ae0dc40aa37c94702fccaf91d5a6d37f4c92c19174de1c92fd7a70d0801cb763222704adc663242e5e46502ba7c323ab9489f75426afd7a2ec50a97f107
SSDEEP: 98304:iJl5IIkyXvJE9lp5VjZVv6+cA7Skv2APUo4ZjekK7RR/l2azvMgLAIThFNyM/qR/:UhkyXWdVVvKZsCazNLJ5dqJ6pkG5a
Malware Config
Extracted
danabot
1755
3
172.93.201.39:1024
192.236.192.241:443
167.114.188.34:443
45.147.228.212:443
embedded_hash: CF4A570E177DE0D08BB5A391C595CBD7
type: main
Signatures

Blocklisted process makes network request (4 IoCs)
flow | pid | Process
13 | 3236 | RUNDLL32.EXE
22 | 3236 | RUNDLL32.EXE
23 | 3236 | RUNDLL32.EXE
37 | 3236 | RUNDLL32.EXE

Loads dropped DLL (4 IoCs)
pid | Process
2376 | rundll32.exe
2376 | rundll32.exe
3236 | RUNDLL32.EXE
3236 | RUNDLL32.EXE

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

resource | yara_rule
behavioral2/memory/3680-0-0x0000000000400000-0x0000000005010000-memory.dmp | upx

Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.

Program crash (1 IoCs)
pid | pid_target | Process | procid_target
3020 | 3680 | WerFault.exe | 82
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ec56fe2723f85dead33ab380ae1c2b30N.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | rundll32.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RUNDLL32.EXE
Suspicious use of AdjustPrivilegeToken (2 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2376 | rundll32.exe
Token: SeDebugPrivilege | 3236 | RUNDLL32.EXE

Suspicious use of WriteProcessMemory (6 IoCs)
description | pid | Process | procid_target
PID 3680 wrote to memory of 2376 | 3680 | ec56fe2723f85dead33ab380ae1c2b30N.exe | 86
PID 3680 wrote to memory of 2376 | 3680 | ec56fe2723f85dead33ab380ae1c2b30N.exe | 86
PID 3680 wrote to memory of 2376 | 3680 | ec56fe2723f85dead33ab380ae1c2b30N.exe | 86
PID 2376 wrote to memory of 3236 | 2376 | rundll32.exe | 90
PID 2376 wrote to memory of 3236 | 2376 | rundll32.exe | 90
PID 2376 wrote to memory of 3236 | 2376 | rundll32.exe | 90
Processes

1. C:\Users\Admin\AppData\Local\Temp\ec56fe2723f85dead33ab380ae1c2b30N.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\ec56fe2723f85dead33ab380ae1c2b30N.exe"
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   PID: 3680

   2. C:\Windows\SysWOW64\rundll32.exe
      Command line: C:\Windows\system32\rundll32.exe C:\Users\Admin\AppData\Local\Temp\EC56FE~1.DLL,Z C:\Users\Admin\AppData\Local\Temp\EC56FE~1.EXE
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 2376

      3. C:\Windows\SysWOW64\RUNDLL32.EXE
         Command line: C:\Windows\system32\RUNDLL32.EXE C:\Users\Admin\AppData\Local\Temp\EC56FE~1.DLL,qFFXfDYtAwj4
         - Blocklisted process makes network request
         - Loads dropped DLL
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         PID: 3236

   2. C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3680 -s 540
      - Program crash
      PID: 3020

1. C:\Windows\SysWOW64\WerFault.exe
   Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 3680 -ip 3680
   PID: 4340
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 44KB
MD5: 313a39a57d2af4e01a8f3894e946c3c0
SHA1: 033d15208677de395ac2ff2c4536a5a1cecdeafb
SHA256: 94837ae9f1fdf961a0cbbbd30c54c6ce28aec5c0ee7443b4ed2b78896f970109
SHA512: fc21cceaffe8f9843f55f64c55576a6a2b270acfd61cadde56237b4f0f4138365422f06958c9f1352b6d83bc50b39a6f268d75a3514f4bd554abb7d7aa9e1d30

Filesize: 3.7MB
MD5: 172575774e2f59cc02f10380717e7fb3
SHA1: bea6ca450e7cef5af22605ca1ee74cc816bb9058
SHA256: 00cbb4405a38539a62e3b91fdc967ad6c2a4c6844bf10fd66f4dece7b1d5dd87
SHA512: 25dad4befa0d9c96611955798c614498589060353845a132870a0f37f97d31885b8c8cf75aef456e333b94dc2995e439f797a7de2a73737639085e25ce2845cf

Filesize: 256B
MD5: 0d9e92126d2d2476f5a4f4fc15110bf2
SHA1: 0acfe588de6094266afc758bc73156dc03d720b2
SHA256: 95335ea0b3df8ea2d83ad55c421e8d3db6fa135c3750136e0495c3a232bcd34d
SHA512: c13b0f66dee0a98b01be1704add51d40c740049f6af31a557b262a14038caf62f1caea342657282df343433318e38fb88399049c7440c1a8e2ef7260f61ae585