Analysis
-
max time kernel
50s -
max time network
45s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
13-12-2024 12:20
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
welcome.exe
Resource
win7-20240903-en
windows7-x64
6 signatures
150 seconds
General
-
Target
welcome.exe
-
Size
5.0MB
-
MD5
c1cef312029e582675bc099f2fa9434f
-
SHA1
83e87047513c1108a8d4c192a2a92cda6ff74f99
-
SHA256
6bbb01fdc7ea321da370f73d81e5c5d5d8686e3466c0ee09e157859714ca99ab
-
SHA512
987e08730a6f858b4331da86bb6fa05da051a5b5f5fe0871fdc24b5d10ba5eb3888da20ee590ad4f02736b10809e31118fae8729fb2d08e6d66427ca614073a5
-
SSDEEP
98304:AS8+xOZ4GznX/Bl8+uR2rcR2lCW5Ij2GxS:ft0f7BG/2lH5aS
Malware Config
Extracted
Family
danabot
C2
49.0.50.0:57
51.0.52.0:0
53.0.54.0:1200
55.0.56.0:65535
Attributes
-
type
loader
Signatures
-
Danabot family
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 21 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\VendorIdentifier welcome.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString welcome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 welcome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data welcome.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision welcome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier welcome.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor welcome.exe -
Suspicious use of AdjustPrivilegeToken 42 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2540 WMIC.exe Token: SeSecurityPrivilege 2540 WMIC.exe Token: SeTakeOwnershipPrivilege 2540 WMIC.exe Token: SeLoadDriverPrivilege 2540 WMIC.exe Token: SeSystemProfilePrivilege 2540 WMIC.exe Token: SeSystemtimePrivilege 2540 WMIC.exe Token: SeProfSingleProcessPrivilege 2540 WMIC.exe Token: SeIncBasePriorityPrivilege 2540 WMIC.exe Token: SeCreatePagefilePrivilege 2540 WMIC.exe Token: SeBackupPrivilege 2540 WMIC.exe Token: SeRestorePrivilege 2540 WMIC.exe Token: SeShutdownPrivilege 2540 WMIC.exe Token: SeDebugPrivilege 2540 WMIC.exe Token: SeSystemEnvironmentPrivilege 2540 WMIC.exe Token: SeRemoteShutdownPrivilege 2540 WMIC.exe Token: SeUndockPrivilege 2540 WMIC.exe Token: SeManageVolumePrivilege 2540 WMIC.exe Token: 33 2540 WMIC.exe Token: 34 2540 WMIC.exe Token: 35 2540 WMIC.exe Token: 36 2540 WMIC.exe Token: SeIncreaseQuotaPrivilege 2540 WMIC.exe Token: SeSecurityPrivilege 2540 WMIC.exe Token: SeTakeOwnershipPrivilege 2540 WMIC.exe Token: SeLoadDriverPrivilege 2540 WMIC.exe Token: SeSystemProfilePrivilege 2540 WMIC.exe Token: SeSystemtimePrivilege 2540 WMIC.exe Token: SeProfSingleProcessPrivilege 2540 WMIC.exe Token: SeIncBasePriorityPrivilege 2540 WMIC.exe Token: SeCreatePagefilePrivilege 2540 WMIC.exe Token: SeBackupPrivilege 2540 WMIC.exe Token: SeRestorePrivilege 2540 WMIC.exe Token: SeShutdownPrivilege 2540 WMIC.exe Token: SeDebugPrivilege 2540 WMIC.exe Token: SeSystemEnvironmentPrivilege 2540 WMIC.exe Token: SeRemoteShutdownPrivilege 2540 WMIC.exe Token: SeUndockPrivilege 2540 WMIC.exe Token: SeManageVolumePrivilege 2540 WMIC.exe Token: 33 2540 WMIC.exe Token: 34 2540 WMIC.exe Token: 35 2540 WMIC.exe Token: 36 2540 WMIC.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2836 wrote to memory of 2816 2836 welcome.exe 85 PID 2836 wrote to memory of 2816 2836 welcome.exe 85 PID 2816 wrote to memory of 2540 2816 cmd.exe 87 PID 2816 wrote to memory of 2540 2816 cmd.exe 87
Processes
-
C:\Users\Admin\AppData\Local\Temp\welcome.exe"C:\Users\Admin\AppData\Local\Temp\welcome.exe"1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:2836 -
C:\Windows\SYSTEM32\cmd.execmd.exe /C wmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value2⤵
- Suspicious use of WriteProcessMemory
PID:2816 -
C:\Windows\System32\Wbem\WMIC.exewmic diskdrive where "DeviceID=\'c:\'" get SerialNumber /value3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2540
-
-
Network
-
Remote address:8.8.8.8:53Request149.220.183.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.210.232.199.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request58.55.71.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request217.106.137.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request197.87.175.4.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request206.23.85.13.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request172.214.232.199.in-addr.arpaIN PTRResponse
-
208 B 4
-
208 B 4
-
208 B 4
-
208 B 4
-
73 B 147 B 1 1
DNS Request
149.220.183.52.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.210.232.199.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
70 B 144 B 1 1
DNS Request
58.55.71.13.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
217.106.137.52.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
197.87.175.4.in-addr.arpa
-
71 B 145 B 1 1
DNS Request
206.23.85.13.in-addr.arpa
-
74 B 128 B 1 1
DNS Request
172.214.232.199.in-addr.arpa