Analysis
Max time kernel: 93s
Max time network: 141s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 24-12-2024 00:15
Behavioral task
behavioral1
Sample: 0abcf1b50c908693dc1f5e38e0ea4b00e6b4a6bb77dde445c60d4fe5d5697d1a.dll
Resource: win7-20240729-en
General
Target: 0abcf1b50c908693dc1f5e38e0ea4b00e6b4a6bb77dde445c60d4fe5d5697d1a.dll
Size: 6.4MB
MD5: 4149375666d934304097cfba0bccff3f
SHA1: 2e310dfcfd0a8f2bc9037798e77fa2d6a7510fc1
SHA256: 0abcf1b50c908693dc1f5e38e0ea4b00e6b4a6bb77dde445c60d4fe5d5697d1a
SHA512: f996bc7093d9f03ee38e6bdf9fb8021fd182acdbc26da95e2c22930ee648f8edce8af433369e279bb27298b3e4c15eea259ace59b669ed47949329f4d50f59de
SSDEEP: 98304:i6wTym1VTPBiHOQ4QlePzvzYeMs7h3iIVSPq8:i/TygbH7F8
Malware Config
Extracted
Family: danabot
Unlabelled config values (as extracted): 1827, 3
C2: 192.210.198.12:443
C2: 23.106.123.185:443
C2: 192.236.147.83:443
C2: 23.106.123.141:443
embedded_hash: AEF96B4D339B580ABB737F203C2D0F52
type: main
Signatures
Danabot family
Program crash (1 IoC)
  pid 1776, pid_target 4980, Process WerFault.exe, procid_target 83
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
  Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: rundll32.exe
Suspicious use of WriteProcessMemory (3 IoCs)
  PID 5116 wrote to memory of 4980, Process rundll32.exe, procid_target 83 (three identical entries)
Processes
C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0abcf1b50c908693dc1f5e38e0ea4b00e6b4a6bb77dde445c60d4fe5d5697d1a.dll,#1
  Suspicious use of WriteProcessMemory
  PID: 5116
  C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\0abcf1b50c908693dc1f5e38e0ea4b00e6b4a6bb77dde445c60d4fe5d5697d1a.dll,#1
    System Location Discovery: System Language Discovery
    PID: 4980
    C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 644
      Program crash
      PID: 1776
C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4980 -ip 4980
  PID: 4764

Note: the 64-bit rundll32.exe (PID 5116) re-launching its SysWOW64 counterpart (PID 4980) with the same command line is normal Windows behaviour when the requested DLL is 32-bit (the resource tags list both arch:x64 and arch:x86), and is consistent with the three WriteProcessMemory entries from 5116 into 4980. The -p 4980 in both WerFault.exe command lines identifies the crashed process as the 32-bit rundll32.exe hosting the DLL; the sample did not run long enough in this task to reach its C2 endpoints.
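As an added example (not part of the sandbox report), the following Python sweeps telemetry for the indicators above: the file hashes from the General section, the C2 endpoints from the extracted config, and the rundll32 → SysWOW64 rundll32 → WerFault chain from the process tree. The flow records and process-creation events in the block are constructed for illustration (the DLL name sample.dll is a placeholder, the internal IPs and timestamps are made up); only the hashes, IP:port pairs and PIDs are taken from the report.

```python
"""Sweep constructed host/network telemetry for the IoCs in the DanaBot report above.

Added example; not part of the sandbox report. Hashes, C2 endpoints and PIDs are
copied from the report, everything else (flows, events, sample.dll) is constructed.
"""
import csv
import io
import re

# Hashes of the analysed DLL (General section of the report).
SAMPLE_HASHES = {
    "md5": "4149375666d934304097cfba0bccff3f",
    "sha1": "2e310dfcfd0a8f2bc9037798e77fa2d6a7510fc1",
    "sha256": "0abcf1b50c908693dc1f5e38e0ea4b00e6b4a6bb77dde445c60d4fe5d5697d1a",
}

# C2 endpoints from the extracted DanaBot config.
C2_ENDPOINTS = {
    ("192.210.198.12", 443),
    ("23.106.123.185", 443),
    ("192.236.147.83", 443),
    ("23.106.123.141", 443),
}
C2_IPS = {ip for ip, _ in C2_ENDPOINTS}

# rundll32 loading a DLL from a user's Temp directory, as in the report's process tree.
TEMP_DLL = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\[^,\s"]+\.dll)',
    re.IGNORECASE,
)


def match_hashes(observed):
    """Return the algorithms whose observed digest equals the sample's (case-insensitive)."""
    return sorted(
        algo for algo, digest in observed.items()
        if algo in SAMPLE_HASHES and digest.strip().lower() == SAMPLE_HASHES[algo]
    )


def match_flows(flow_csv):
    """Parse CSV flow records (ts,src_ip,dst_ip,dst_port) and tag C2 hits.

    An exact ip:port match is tagged 'c2'; traffic to a C2 IP on another port is
    tagged 'c2-ip' so a port change by the operator does not hide the contact.
    """
    hits = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        dst = (row["dst_ip"], int(row["dst_port"]))
        if dst in C2_ENDPOINTS:
            hits.append((row["ts"], row["src_ip"], dst, "c2"))
        elif dst[0] in C2_IPS:
            hits.append((row["ts"], row["src_ip"], dst, "c2-ip"))
    return hits


def rundll32_chains(events):
    """Find the chain from the report in process-creation events (pid, ppid, image, cmdline):
    a rundll32 child whose rundll32 parent loads the same Temp DLL (the 64-bit host
    relaunching its SysWOW64 counterpart), plus whether WerFault.exe reported that child (-p <pid>)."""
    by_pid = {e["pid"]: e for e in events}
    chains = []
    for e in events:
        m = TEMP_DLL.search(e["cmdline"])
        parent = by_pid.get(e["ppid"])
        if not m or not parent or not parent["image"].lower().endswith("rundll32.exe"):
            continue
        pm = TEMP_DLL.search(parent["cmdline"])
        if not pm or pm.group("dll").lower() != m.group("dll").lower():
            continue
        crashed = any(
            w["image"].lower().endswith("werfault.exe")
            and re.search(rf"-p\s+{e['pid']}\b", w["cmdline"])
            for w in events
        )
        chains.append({"parent": parent["pid"], "child": e["pid"], "dll": m.group("dll"), "crashed": crashed})
    return chains


# Constructed telemetry (not from the sandbox run) exercising each branch above.
FLOWS = """ts,src_ip,dst_ip,dst_port
2024-12-24T00:16:01Z,10.0.0.5,192.210.198.12,443
2024-12-24T00:16:02Z,10.0.0.5,23.106.123.141,8443
2024-12-24T00:16:03Z,10.0.0.5,142.250.74.78,443
"""

EVENTS = [  # PIDs mirror the report; sample.dll is a placeholder name
    {"pid": 5116, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"pid": 4980, "ppid": 5116, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\sample.dll,#1"},
    {"pid": 1776, "ppid": 4980, "image": r"C:\Windows\SysWOW64\WerFault.exe",
     "cmdline": r"C:\Windows\SysWOW64\WerFault.exe -u -p 4980 -s 644"},
    {"pid": 7001, "ppid": 1200, "image": r"C:\Windows\system32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\system32\shell32.dll,Control_RunDLL"},  # benign control
]

if __name__ == "__main__":
    print(match_hashes({"sha256": SAMPLE_HASHES["sha256"].upper(), "md5": "00"}))
    for hit in match_flows(FLOWS):
        print(hit)
    for chain in rundll32_chains(EVENTS):
        print(chain)
```

The chain check deliberately requires the parent and child rundll32 to name the same Temp DLL, so an ordinary rundll32 launching a system DLL (the last constructed event) is not flagged; the crash flag only records that WerFault named the child, it does not by itself indicate malicious behaviour.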