Analysis
-
max time kernel
115s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted
05-09-2022 03:06
Static task
static1
Behavioral task
behavioral1
Sample
3366d2d7c367362151c83c5b8d270278.exe
Resource
win7-20220812-en
General
-
Target
3366d2d7c367362151c83c5b8d270278.exe
-
Size
741KB
-
MD5
3366d2d7c367362151c83c5b8d270278
-
SHA1
f4b6ae0991337713a80efdaeaa45a54bc039e8c7
-
SHA256
aa29265f5e201b2526817c8dde62991a3bb3bdc1dd80e6b20394fbb3d6ea53ad
-
SHA512
8adaea612d2bf7f209021d9f163662fc28a044c53c41490d12a90d645a1599f0559d12e113b883aa1405613da7d1a64108db840c102d7c2ab4f6ad080cb11a94
-
SSDEEP
12288:+AVF75e1ZCe/tmO9afI7iFPtDSysDj/ZyxmduqGU:JVZ52ZhmwNGPtaExkdGU
Malware Config
Extracted
Family: nanocore (version 1.2.2.0, see the `version` field below)
rolandlandson149.bounceme.net:1007
127.0.0.1:1007
48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
-
activate_away_mode
true
-
backup_connection_host
127.0.0.1
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2022-06-13T20:58:05.824762936Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
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
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
1007
-
default_group
sepTmAn
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
48099ca8-c1b4-49f3-9fe1-d8dfcbf66c09
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
rolandlandson149.bounceme.net
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs (note: the extracted config has `run_on_startup` = false, yet the sample still persists via a Run key and two scheduled tasks; treat the config flag as unreliable for persistence hunting)
Processes:
3366d2d7c367362151c83c5b8d270278.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" 3366d2d7c367362151c83c5b8d270278.exe -
Checks whether UAC is enabled 1 IoCs
Processes:
3366d2d7c367362151c83c5b8d270278.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA 3366d2d7c367362151c83c5b8d270278.exe -
Suspicious use of SetThreadContext 1 IoCs (PID 4880 sets the thread context of a second instance of the same image, PID 1868, after the WriteProcessMemory calls listed below; this pattern is consistent with the parent injecting the payload into a self-spawned child, and the RAT behaviors are attributed to PID 1868)
Processes:
3366d2d7c367362151c83c5b8d270278.exedescription pid process target process PID 4880 set thread context of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe -
Drops file in Program Files directory 2 IoCs
Processes:
3366d2d7c367362151c83c5b8d270278.exedescription ioc process File created C:\Program Files (x86)\DDP Host\ddphost.exe 3366d2d7c367362151c83c5b8d270278.exe File opened for modification C:\Program Files (x86)\DDP Host\ddphost.exe 3366d2d7c367362151c83c5b8d270278.exe -
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here two tasks, "DDP Host" and "DDP Host Task", are registered from XML definitions dropped in %TEMP% (tmp3A0B.tmp and tmp3AB8.tmp, hashed under Downloads), alongside the Run-key entry pointing at C:\Program Files (x86)\DDP Host\ddphost.exe; the task names, the dropped binary path and the Run value are the durable host indicators.
Processes:
schtasks.exeschtasks.exepid process 3292 schtasks.exe 2772 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
3366d2d7c367362151c83c5b8d270278.exepid process 1868 3366d2d7c367362151c83c5b8d270278.exe 1868 3366d2d7c367362151c83c5b8d270278.exe 1868 3366d2d7c367362151c83c5b8d270278.exe 1868 3366d2d7c367362151c83c5b8d270278.exe 1868 3366d2d7c367362151c83c5b8d270278.exe 1868 3366d2d7c367362151c83c5b8d270278.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
3366d2d7c367362151c83c5b8d270278.exepid process 1868 3366d2d7c367362151c83c5b8d270278.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
3366d2d7c367362151c83c5b8d270278.exedescription pid process Token: SeDebugPrivilege 1868 3366d2d7c367362151c83c5b8d270278.exe -
Suspicious use of WriteProcessMemory 14 IoCs
Processes:
3366d2d7c367362151c83c5b8d270278.exe3366d2d7c367362151c83c5b8d270278.exedescription pid process target process PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 4880 wrote to memory of 1868 4880 3366d2d7c367362151c83c5b8d270278.exe 3366d2d7c367362151c83c5b8d270278.exe PID 1868 wrote to memory of 3292 1868 3366d2d7c367362151c83c5b8d270278.exe schtasks.exe PID 1868 wrote to memory of 3292 1868 3366d2d7c367362151c83c5b8d270278.exe schtasks.exe PID 1868 wrote to memory of 3292 1868 3366d2d7c367362151c83c5b8d270278.exe schtasks.exe PID 1868 wrote to memory of 2772 1868 3366d2d7c367362151c83c5b8d270278.exe schtasks.exe PID 1868 wrote to memory of 2772 1868 3366d2d7c367362151c83c5b8d270278.exe schtasks.exe PID 1868 wrote to memory of 2772 1868 3366d2d7c367362151c83c5b8d270278.exe schtasks.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe"C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe"C:\Users\Admin\AppData\Local\Temp\3366d2d7c367362151c83c5b8d270278.exe"2⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp"3⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3AB8.tmp"3⤵
- Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\3366d2d7c367362151c83c5b8d270278.exe.log
Filesize 1KB
MD5 e08f822522c617a40840c62e4b0fb45e
SHA1 ae516dca4da5234be6676d3f234c19ec55725be7
SHA256 bd9d5e9f7fe6fcff17d873555d4077d15f7d6cdda1183e7f7d278b735ffe1fd7
SHA512 894a7fb7bbc18ac6ba13378f58a7db80ad00d6080be9a66b01cae8e23e41d9d2d4cd53c1e20669356b73590c8a3ebfda4bdda3258f81240db56c4a81b7313fe4
-
C:\Users\Admin\AppData\Local\Temp\tmp3A0B.tmp (scheduled-task XML for "DDP Host")
Filesize 1KB
MD5 419681b40dea5ba2b469a06b53392099
SHA1 2bd7efad2ac1ce65b401543920f6c444522e8a09
SHA256 ab07e147239a03c327b6f0d4f872c3ae86da173fc45df99b5d4813315e3a9b89
SHA512 e10d3ef7b1694a7581b181493199face85757f0772a1acb3b3606de327c07b6dded9d717bafe8af7f022e898d60654714092670d54eb6b5b6cb8c5ef40e1f1de
-
C:\Users\Admin\AppData\Local\Temp\tmp3AB8.tmp (scheduled-task XML for "DDP Host Task")
Filesize 1KB
MD5 2271642ca970891700e3f48439739ed8
SHA1 cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA256 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA512 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807
-
memory/1868-138-0x0000000000000000-mapping.dmp
-
memory/1868-139-0x0000000000400000-0x0000000000438000-memory.dmp
Filesize 224KB (image-base region of the injected child PID 1868; the most likely place to carve the unpacked payload)
-
memory/2772-143-0x0000000000000000-mapping.dmp
-
memory/3292-141-0x0000000000000000-mapping.dmp
-
memory/4880-137-0x0000000008870000-0x00000000088D6000-memory.dmpFilesize
408KB
-
memory/4880-136-0x00000000087D0000-0x000000000886C000-memory.dmpFilesize
624KB
-
memory/4880-132-0x0000000000220000-0x00000000002DE000-memory.dmpFilesize
760KB
-
memory/4880-135-0x0000000004BE0000-0x0000000004BEA000-memory.dmpFilesize
40KB
-
memory/4880-134-0x0000000004B30000-0x0000000004BC2000-memory.dmpFilesize
584KB
-
memory/4880-133-0x0000000005000000-0x00000000055A4000-memory.dmpFilesize
5.6MB