Analysis
-
max time kernel
140s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
28/02/2025, 06:35
Static task
static1
Behavioral task
behavioral1
Sample
meitneriumatm.dll
Resource
win7-20240903-en
General
-
Target
meitneriumatm.dll
-
Size
7.7MB
-
MD5
043dae1b817ae561da9d6654b6354696
-
SHA1
a9f62f9ca8faa6023c4ef755d3b1f5aed2914516
-
SHA256
9de78011f776d2f3c963c6c3f77bc7af98ac51b4dbd11350850a8416bf767c36
-
SHA512
b7b44df89e93de8f31a35a22ed7b2d292cbad83ef564281af8e50aedade2f3ed4560b1e2ee9d91a5f1b270c407eafbef0f983895f8ed6651428ec5fe7389198e
-
SSDEEP
196608:H1HUS2bBcMYpFirD1s+KHONOXNAEbbTNk3S:HFUSw3o4lstuY9/
Malware Config
Extracted
danabot
-
embedded_hash
5059953BB045843A520147F73664DC78
-
type
loader
Signatures
-
Danabot family
-
Blocklisted process makes network request 1 IoCs
flow pid Process 21 1340 rundll32.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks processor information in registry 2 TTPs 20 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Configuration Data rundll32.exe Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\FeatureSet rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Component Information rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Configuration Data rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Update Revision rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1892 wrote to memory of 1340 1892 rundll32.exe 86 PID 1892 wrote to memory of 1340 1892 rundll32.exe 86 PID 1892 wrote to memory of 1340 1892 rundll32.exe 86
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\meitneriumatm.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\meitneriumatm.dll,#12⤵
- Blocklisted process makes network request
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:1340
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD58ab9bb9c85b740f1f1d0aa05e1d13790
SHA11533aa912c1f388d6145aa1e883105d28c1c6df3
SHA2560450cf39fd2210b0aa3d59bfc853137d6e8bc1e7e91511464d32cb68ac489566
SHA512991135f1942525847857626f5a4403e34529c3ac67a4e2ece7b7f3d504bc0818e42f89cfee16173da8f4c16cc89a674cd52c69ce02aea9d0123d3bb6f0a0201d
-
Filesize
163KB
MD5890541cf533a5e051f39fe52f3819e68
SHA1154030ba1650ffcfdabd000c1c9ccf9117333ae1
SHA256f83ea14306489732cf909a69466ef827dc7108bb8c6c091a08bafba3f8d92625
SHA5121b820b620b97019f8327f9ca599b58d6513d7901d918ba9b580be3bdf146d9c63184b379d909462af51c87671c12d98b370516bd3dd8ecc287fcdb9476d2c5fe
-
Filesize
63KB
MD5e516a60bc980095e8d156b1a99ab5eee
SHA1238e243ffc12d4e012fd020c9822703109b987f6
SHA256543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7
SHA5129b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58