Analysis
- max time kernel: 143s
- max time network: 151s
- platform: windows7_x64
- resource: win7-20220812-en
- resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
- submitted: 14-09-2022 01:18
Behavioral tasks (sample, resource)
- behavioral1: FOI/Win10Update.exe, win7-20220812-en
- behavioral2: FOI/Win10Update.exe, win10v2004-20220901-en
- behavioral3: FOI/WindowsDefender.exe, win7-20220812-en
- behavioral4: FOI/WindowsDefender.exe, win10v2004-20220812-en
- behavioral5: FOI/diagsvc.exe, win7-20220901-en
- behavioral6: FOI/diagsvc.exe, win10v2004-20220812-en
- behavioral7: FOI/duggan123.exe, win7-20220812-en
- behavioral8: FOI/duggan123.exe, win10v2004-20220901-en
- behavioral9: FOI/imapsv.exe, win7-20220812-en
- behavioral10: FOI/imapsv.exe, win10v2004-20220901-en
- behavioral11: FOI/sdiagnhost.exe, win7-20220812-en
- behavioral12: FOI/sdiagnhost.exe, win10v2004-20220812-en
- behavioral13: FOI/stordiag.exe, win7-20220901-en
- behavioral14: FOI/stordiag.exe, win10v2004-20220812-en
General
- Target: FOI/duggan123.exe
- Size: 203KB
- MD5: ab7edb633a1922984791a268984beb97
- SHA1: add0328e7f0db7158b5050f4c38724e699f5f638
- SHA256: eb1ce1b8311231a2e92d9f1caee3cc9672ce8f434a8c004e43548ecbd8825bc5
- SHA512: 4839a5cb53481b9b589e543584919858cd1aca3a339f35fbdba479c26e525d180e4b62fe5c7248b8f90eb1cc5deb66be84e0890191eefe8138ac0eb21872011e
- SSDEEP: 3072:uzEqV6B1jHa6dtJ10jgvzcgi+oG/j9iaMP2s/HIyTUHnWi8DnkE/pnQD/2uDEm+0:uLV6Bta6dtJmakIM5boSDnkEuCuI1Xu
Malware Config

Signatures

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files\\UDP Service\\udpsv.exe" (duggan123.exe)

Checks whether UAC is enabled
Processes (description, ioc, process):
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (duggan123.exe)

Drops file in Program Files directory (2 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Program Files\UDP Service\udpsv.exe (duggan123.exe)
- File created: C:\Program Files\UDP Service\udpsv.exe (duggan123.exe)

Creates scheduled task(s) (1 TTPs, 2 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes (pid, process):
- 1644 duggan123.exe
- 1644 duggan123.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
Processes (pid, process):
- 1644 duggan123.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (description, pid, process):
- Token: SeDebugPrivilege, 1644 duggan123.exe
- Token: SeDebugPrivilege, 1644 duggan123.exe

Suspicious use of WriteProcessMemory (6 IoCs)
Processes (description, pid, process, target process):
- PID 1644 wrote to memory of 112: duggan123.exe -> schtasks.exe
- PID 1644 wrote to memory of 112: duggan123.exe -> schtasks.exe
- PID 1644 wrote to memory of 112: duggan123.exe -> schtasks.exe
- PID 1644 wrote to memory of 840: duggan123.exe -> schtasks.exe
- PID 1644 wrote to memory of 840: duggan123.exe -> schtasks.exe
- PID 1644 wrote to memory of 840: duggan123.exe -> schtasks.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\FOI\duggan123.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\FOI\duggan123.exe"
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\schtasks.exe (depth 2)
    Command line: "schtasks.exe" /create /f /tn "UDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2DD5.tmp"
    - Creates scheduled task(s)
  - C:\Windows\system32\schtasks.exe (depth 2)
    Command line: "schtasks.exe" /create /f /tn "UDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2FE8.tmp"
    - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp2DD5.tmp
  Filesize: 1KB
  MD5: 50747b1027f367efb00dc4968c97a0f6
  SHA1: 63b07d631abcdfdbb5b7d667375c985dd2874f3a
  SHA256: b0851bef121ed99b181a1a13a63fb40111bd88513dc978725a21933bdcd39f54
  SHA512: a5bf21a0f30f151f91eaf1150e9797822ef90caea33fb3ec5bd00f96289b4e8f0d1ea54e2f6bdba748ae2f38f6902429d24c5dbc30128d57adc82fe0040c25f4
- C:\Users\Admin\AppData\Local\Temp\tmp2FE8.tmp
  Filesize: 1KB
  MD5: 31094e2ac8d5da3bac50d6916d2eccf1
  SHA1: 2f5642df7953e025794aa4b8f77b92ca53e90c2c
  SHA256: 05b2c6d2dd1c27a0097d5dfe313fb3ba571a90522c1eba1455dcbd13c3ea544a
  SHA512: 0c7584213ee4be77ace07aa892133188d97c9834270b6b66c1c450256f774b6cdc97e0e2d0da76d138ad500c307f51df1847fcc7c1e89f6f7f73cec8964b7bbb
- memory/112-56-0x0000000000000000-mapping.dmp
- memory/840-59-0x0000000000000000-mapping.dmp
- memory/1644-54-0x000007FEF3F90000-0x000007FEF49B3000-memory.dmp
  Filesize: 10.1MB
- memory/1644-55-0x000007FEF2EF0000-0x000007FEF3F86000-memory.dmp
  Filesize: 16.6MB
- memory/1644-58-0x00000000021B6000-0x00000000021D5000-memory.dmp
  Filesize: 124KB
- memory/1644-61-0x00000000021B6000-0x00000000021D5000-memory.dmp
  Filesize: 124KB