Analysis

  • max time kernel
    50s
  • max time network
    45s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64
    arch:x86
    image:win10v2004-20241007-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    13-12-2024 12:20

General

  • Target

    welcome.exe

  • Size

    5.0MB

  • MD5

    c1cef312029e582675bc099f2fa9434f

  • SHA1

    83e87047513c1108a8d4c192a2a92cda6ff74f99

  • SHA256

    6bbb01fdc7ea321da370f73d81e5c5d5d8686e3466c0ee09e157859714ca99ab

  • SHA512

    987e08730a6f858b4331da86bb6fa05da051a5b5f5fe0871fdc24b5d10ba5eb3888da20ee590ad4f02736b10809e31118fae8729fb2d08e6d66427ca614073a5

  • SSDEEP

    98304:AS8+xOZ4GznX/Bl8+uR2rcR2lCW5Ij2GxS:ft0f7BG/2lH5aS

Score
10/10

Malware Config

Extracted

Family

danabot

C2

49.0.50.0:57

51.0.52.0:0

53.0.54.0:1200

55.0.56.0:65535

Attributes
  • type

    loader

Signatures

  • Danabot

    Danabot is a modular banking Trojan that has been linked with other malware.

  • Danabot family
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 21 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 42 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\welcome.exe
    "C:\Users\Admin\AppData\Local\Temp\welcome.exe"
    1⤵
    • Checks processor information in registry
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2816
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2540

Network

  • flag-us
    DNS
    149.220.183.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    149.220.183.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.210.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.210.232.199.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    95.221.229.192.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    95.221.229.192.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    58.55.71.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    58.55.71.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    217.106.137.52.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    217.106.137.52.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    197.87.175.4.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    197.87.175.4.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    206.23.85.13.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    206.23.85.13.in-addr.arpa
    IN PTR
    Response
  • flag-us
    DNS
    172.214.232.199.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    172.214.232.199.in-addr.arpa
    IN PTR
    Response
  • 107.189.15.154:443
    welcome.exe
    208 B
    4
  • 172.86.75.226:443
    welcome.exe
    208 B
    4
  • 193.93.153.33:443
    welcome.exe
    208 B
    4
  • 107.189.15.154:443
    welcome.exe
    208 B
    4
  • 8.8.8.8:53
    149.220.183.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    149.220.183.52.in-addr.arpa

  • 8.8.8.8:53
    172.210.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.210.232.199.in-addr.arpa

  • 8.8.8.8:53
    95.221.229.192.in-addr.arpa
    dns
    73 B
    144 B
    1
    1

    DNS Request

    95.221.229.192.in-addr.arpa

  • 8.8.8.8:53
    58.55.71.13.in-addr.arpa
    dns
    70 B
    144 B
    1
    1

    DNS Request

    58.55.71.13.in-addr.arpa

  • 8.8.8.8:53
    217.106.137.52.in-addr.arpa
    dns
    73 B
    147 B
    1
    1

    DNS Request

    217.106.137.52.in-addr.arpa

  • 8.8.8.8:53
    197.87.175.4.in-addr.arpa
    dns
    71 B
    157 B
    1
    1

    DNS Request

    197.87.175.4.in-addr.arpa

  • 8.8.8.8:53
    206.23.85.13.in-addr.arpa
    dns
    71 B
    145 B
    1
    1

    DNS Request

    206.23.85.13.in-addr.arpa

  • 8.8.8.8:53
    172.214.232.199.in-addr.arpa
    dns
    74 B
    128 B
    1
    1

    DNS Request

    172.214.232.199.in-addr.arpa

MITRE ATT&CK Enterprise v15

Downloads

  • memory/2836-2-0x0000000002470000-0x00000000025B0000-memory.dmp

    Filesize

    1.2MB

  • memory/2836-1-0x0000000002470000-0x00000000025B0000-memory.dmp

    Filesize

    1.2MB

  • memory/2836-3-0x0000000002470000-0x00000000025B0000-memory.dmp

    Filesize

    1.2MB

  • memory/2836-0-0x00007FFB106B0000-0x00007FFB106B1000-memory.dmp

    Filesize

    4KB

  • memory/2836-4-0x0000000003090000-0x0000000003833000-memory.dmp

    Filesize

    7.6MB

  • memory/2836-5-0x0000000003090000-0x0000000003833000-memory.dmp

    Filesize

    7.6MB

  • memory/2836-7-0x000000006E400000-0x000000006E49E000-memory.dmp

    Filesize

    632KB

  • memory/2836-6-0x0000000063080000-0x0000000063301000-memory.dmp

    Filesize

    2.5MB

  • memory/2836-9-0x000000006E400000-0x000000006E49E000-memory.dmp

    Filesize

    632KB

  • memory/2836-8-0x0000000063080000-0x0000000063301000-memory.dmp

    Filesize

    2.5MB

  • memory/2836-10-0x0000000003090000-0x0000000003833000-memory.dmp

    Filesize

    7.6MB

  • memory/2836-12-0x0000000003090000-0x0000000003833000-memory.dmp

    Filesize

    7.6MB

  • memory/2836-13-0x0000000002470000-0x00000000025B0000-memory.dmp

    Filesize

    1.2MB

  • memory/2836-14-0x0000000000400000-0x0000000000903000-memory.dmp

    Filesize

    5.0MB

  • memory/2836-15-0x0000000003090000-0x0000000003833000-memory.dmp

    Filesize

    7.6MB
