Analysis
max time kernel: 90s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 15-09-2022 08:28
Static task: static1
Behavioral task: behavioral1
  Sample: 2.exe
  Resource: win7-20220812-en
General
Target: 2.exe
Size: 935KB
MD5: 0b8f3695483e73596116685a0559a905
SHA1: 6b779e00915d671c7fca6833f56091173b275f01
SHA256: 6c8576cf231fd3e4c6812399704820c6b9d462e99d696181adf071015b92ea27
SHA512: d13353828ff7d79e200a9625a02ec196cd658cff9186afafac11fda4e77a2bbb68e14d0c5debde37b045098e29744c5cf5e67564f1e205f6072e4918ff629b13
SSDEEP: 12288:YSPCmh8lylSx1bAtzrwgqcWB4HrkB6slio+7ySrmqB5PREbXbM58fj0jXBm1U8Qd:YSPC9RMWiHyco8yN0SM580jXB4yBjr
Malware Config
Extracted: nanocore 1.2.2.0
C2 (connection host): brewsterchristophe.ddns.net:5899
C2 (connection host): 194,147,5,75:5899
Mutex: b8aebc29-8c64-444f-99e6-dc4122e9bbfc

activate_away_mode: true
backup_connection_host: 194,147,5,75 (rendered with commas on the page)
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-04-29T03:26:40.572298236Z
bypass_user_account_control: false
bypass_user_account_control_data: (value not shown on the page)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 5899
default_group: Default
enable_debug_mode: true
gc_threshold: 10485760 (shown as 1.048576e+07)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 10485760 (shown as 1.048576e+07)
mutex: b8aebc29-8c64-444f-99e6-dc4122e9bbfc
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: brewsterchristophe.ddns.net
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: true
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation (2.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" (2.exe)

Checks whether UAC is enabled (1 IoC)
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (2.exe)

Suspicious use of SetThreadContext (1 IoC)
  PID 5044 (2.exe) set thread context of PID 3052 (2.exe)

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DDP Host\ddphost.exe (2.exe)
  File opened for modification: C:\Program Files (x86)\DDP Host\ddphost.exe (2.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
This is the sandbox's generic description for the signature; the extracted config above identifies the sample as NanoCore, a remote access trojan, not ransomware.

Creates scheduled task(s) (1 TTP, 3 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3600 schtasks.exe
  PID 3900 schtasks.exe
  PID 3296 schtasks.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  PID 3052 (2.exe), 6 occurrences

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 3052 (2.exe)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege, PID 3052 (2.exe)

Suspicious use of WriteProcessMemory (17 IoCs)
  PID 5044 (2.exe) wrote to memory of PID 3600 (schtasks.exe), 3 times
  PID 5044 (2.exe) wrote to memory of PID 3052 (2.exe), 8 times
  PID 3052 (2.exe) wrote to memory of PID 3900 (schtasks.exe), 3 times
  PID 3052 (2.exe) wrote to memory of PID 3296 (schtasks.exe), 3 times
Processes

C:\Users\Admin\AppData\Local\Temp\2.exe (PID 5044)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\schtasks.exe (PID 3600)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyfhUwSgAP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp"
    - Creates scheduled task(s)

  C:\Users\Admin\AppData\Local\Temp\2.exe (PID 3052)
    Command line: "{path}"
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe (PID 3900)
      Command line: "schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFCD3.tmp"
      - Creates scheduled task(s)

    C:\Windows\SysWOW64\schtasks.exe (PID 3296)
      Command line: "schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD32.tmp"
      - Creates scheduled task(s)
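The process tree above shows the three relationships a detection engineer would want to correlate rather than the literal names: the parent 2.exe (PID 5044) setting the thread context of a child it spawned from the same image with the command line "{path}", schtasks.exe being fed task XML from the user's Temp directory, and a Run key pointing at a binary the same process had just dropped under Program Files (x86). The following Python is an added example, not part of the sandbox report or of any product; the EVENTS list is constructed to mirror the report (the field names, the parent PIDs outside the report and the benign control record are assumptions), and the three rules implement the correlation over it.

```python
"""Correlate the behaviours this report flags from endpoint telemetry.

Added example, not sandbox code. EVENTS is constructed to mirror the report's
process tree and signatures; real Sysmon/EDR records would be mapped into the
same dict shape (the field names used here are assumptions)."""
import re
from typing import Dict, List, Tuple

EVENTS: List[Dict] = [
    # parent 2.exe (PID 5044) and its children, per the process tree
    {"type": "process", "pid": 5044, "ppid": 1234,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\2.exe"'},
    {"type": "process", "pid": 3600, "ppid": 5044,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\YyfhUwSgAP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp"'},
    {"type": "process", "pid": 3052, "ppid": 5044,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2.exe", "cmdline": '"{path}"'},
    {"type": "set_thread_context", "pid": 5044, "target_pid": 3052},
    # the hollowed child (PID 3052) drops the persistence copy and registers it
    {"type": "file_create", "pid": 3052,
     "path": r"C:\Program Files (x86)\DDP Host\ddphost.exe"},
    {"type": "reg_set", "pid": 3052,
     "key": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "DDP Host", "value": r"C:\Program Files (x86)\DDP Host\ddphost.exe"},
    {"type": "process", "pid": 3900, "ppid": 3052,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFCD3.tmp"'},
    {"type": "process", "pid": 3296, "ppid": 3052,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpFD32.tmp"'},
    # constructed benign control: a task created from a non-temp XML, must not fire
    {"type": "process", "pid": 4100, "ppid": 900,
     "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'schtasks.exe /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
]

# schtasks arguments are assumed to be quoted, as both invocations in the report are
TN_RE = re.compile(r'/tn\s+"([^"]+)"', re.I)
XML_RE = re.compile(r'/xml\s+"([^"]+)"', re.I)
TEMP_RE = re.compile(r'\\AppData\\Local\\Temp\\|\\Windows\\Temp\\', re.I)


def _procs(events) -> Dict[int, Dict]:
    return {e["pid"]: e for e in events if e["type"] == "process"}


def detect_hollowing(events) -> List[Tuple[int, int, str]]:
    """A process sets the thread context of a child it spawned from its own
    image: the shape RunPE-style hollowing leaves (5044 -> 3052, both 2.exe)."""
    procs, hits = _procs(events), []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
        if not src or not dst or dst["ppid"] != src["pid"]:
            continue
        if src["image"].lower() == dst["image"].lower():
            hits.append((src["pid"], dst["pid"], dst["image"]))
    return hits


def detect_schtasks_from_temp(events) -> List[Tuple[int, str, str]]:
    """schtasks /create fed an XML task definition written to a temp directory."""
    hits = []
    for e in events:
        if e["type"] != "process" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        tn, xml = TN_RE.search(e["cmdline"]), XML_RE.search(e["cmdline"])
        if tn and xml and TEMP_RE.search(xml.group(1)):
            hits.append((e["pid"], tn.group(1), xml.group(1)))
    return hits


def detect_runkey_to_dropped_file(events) -> List[Tuple[int, str, str]]:
    """A Run value whose target the same process created on disk during the trace."""
    dropped = {(e["pid"], e["path"].lower()) for e in events if e["type"] == "file_create"}
    hits = []
    for e in events:
        if e["type"] != "reg_set" or not e["key"].lower().endswith("\\currentversion\\run"):
            continue
        if (e["pid"], e["value"].strip('"').lower()) in dropped:
            hits.append((e["pid"], e["name"], e["value"]))
    return hits


def analyze(events=EVENTS) -> Dict[str, list]:
    return {
        "process_hollowing": detect_hollowing(events),
        "schtasks_from_temp": detect_schtasks_from_temp(events),
        "runkey_to_dropped_file": detect_runkey_to_dropped_file(events),
    }


if __name__ == "__main__":
    for rule, hits in analyze().items():
        print(f"{rule}: {hits}")
```

Each rule keys on a relationship (same-image parent and child plus SetThreadContext, task XML sourced from Temp, Run value equal to a path the same process wrote) rather than on the strings DDP Host or ddphost.exe, so it carries over to other builds of the same loader; the constructed Backup task shows the Temp-path condition is what separates the three malicious schtasks calls from an ordinary one.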
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\2.exe.log
  (usage log written by the .NET 4 runtime for a 32-bit process; consistent with the SysWOW64 schtasks.exe children and the arch:x86 resource tag)
  Filesize: 1KB
  MD5: 84e77a587d94307c0ac1357eb4d3d46f
  SHA1: 83cc900f9401f43d181207d64c5adba7a85edc1e
  SHA256: e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
  SHA512: aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

C:\Users\Admin\AppData\Local\Temp\tmpF84F.tmp
  Filesize: 1KB
  MD5: b82d837ac9b8f6fd99e50d531309e6fb
  SHA1: 0b2efeae8e68f9630c3fb37e83902899c1cc5a1d
  SHA256: aa5c49c89d3b73c3922304f4328db2e2c66d5750b39237b17082ad361dd23dd4
  SHA512: 5d121199e138c34c5545a64753f8f640e7ebbb4f1370f51be10247ef81a03e3e31779181a69b4aed6eb53e8a4c904055a55ec29c306aca6b74dd323510a8f3ff

C:\Users\Admin\AppData\Local\Temp\tmpFCD3.tmp
  Filesize: 1KB
  MD5: 1c7a53cdeb6870948f4610b272abf015
  SHA1: 525d54be54c6b4dc0b6c5f331d52668f663c48a1
  SHA256: eec146cb0e09f66742cb9fd6bda108bd61278ecc7e25e6b9fb4e1da4c69bfb4d
  SHA512: 34e630b3bae600f2bdb9fd505255e49c863377b071576ff5e9d1b446ed17ba82577ea876e03ce4263cfefc479ff1dfd2433a1e7551145fb777ddd1625c214877

C:\Users\Admin\AppData\Local\Temp\tmpFD32.tmp
  Filesize: 1KB
  MD5: 2271642ca970891700e3f48439739ed8
  SHA1: cd472df2349f7db9e1e460d0ee28acd97b8a8793
  SHA256: 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
  SHA512: 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

memory/3052-140-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
memory/3052-139-0x0000000000000000-mapping.dmp
memory/3052-146-0x00000000069F0000-0x0000000006A56000-memory.dmp
  Filesize: 408KB
memory/3296-144-0x0000000000000000-mapping.dmp
memory/3600-137-0x0000000000000000-mapping.dmp
memory/3900-142-0x0000000000000000-mapping.dmp
memory/5044-132-0x00000000002A0000-0x0000000000390000-memory.dmp
  Filesize: 960KB
memory/5044-134-0x0000000004C60000-0x0000000004CF2000-memory.dmp
  Filesize: 584KB
memory/5044-133-0x0000000005210000-0x00000000057B4000-memory.dmp
  Filesize: 5.6MB
memory/5044-136-0x0000000004BE0000-0x0000000004BEA000-memory.dmp
  Filesize: 40KB
memory/5044-135-0x0000000004D00000-0x0000000004D9C000-memory.dmp
  Filesize: 624KB