Analysis

max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2022 20:32

Static task: static1
Behavioral task: behavioral1
Sample: Scancontract103.exe
Resource: win7-20220812-en
General

Target: Scancontract103.exe
Size: 834KB
MD5: 9d2a2b596cd979fc9674824d2aa731df
SHA1: 015e8ae0f838e0fba35643297530a5b9a66e4186
SHA256: c4a2c953833c8d6b5d2ef71b997700559ecc9f23573d89072d205f963e46956c
SHA512: 768843f52697ac5a8e8ff71ff5a66bca977cc6fad9da349ce77eee431aa5252ec07187d52bce92bd50bbcec1a10b6ce1a9123dbafa1e34d7a36ac2a9e511cef3
SSDEEP: 12288:sx9I2iNl/joW7EsJ2uM1DgC9tqGdpb5QyXYzvtMdADqjJ5ns:N1fEW7T4RDgvGdpHYzQjrs
Malware Config

Extracted
Family: nanocore
Version: 1.2.2.0
C2: 79.134.225.6:60110
Mutex: c5cb65e3-79c3-43dc-bde0-43ed679c8c9b

activate_away_mode: false
backup_connection_host: (empty)
backup_dns_server: 8.8.4.4
buffer_size: 65535
build_time: 2022-07-10T15:30:03.481099636Z
bypass_user_account_control: false
bypass_user_account_control_data: (omitted)
clear_access_control: true
clear_zone_identifier: false
connect_delay: 4000
connection_port: 60110
default_group: Default
enable_debug_mode: true
gc_threshold: 1.048576e+07 (10485760)
keep_alive_timeout: 30000
keyboard_logging: false
lan_timeout: 2500
max_packet_size: 1.048576e+07 (10485760)
mutex: c5cb65e3-79c3-43dc-bde0-43ed679c8c9b
mutex_timeout: 5000
prevent_system_sleep: false
primary_connection_host: 79.134.225.6
primary_dns_server: 8.8.8.8
request_elevation: true
restart_delay: 5000
run_delay: 0
run_on_startup: false
set_critical_process: false
timeout_interval: 5000
use_custom_dns_server: false
version: 1.2.2.0
wan_timeout: 8000
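The extracted config above is what an analyst turns into blocklist and hunting entries, and the sandbox's rendering has two traps: large integers are printed as floats (1.048576e+07) and an unset host is printed with no value. The following is an added example, not sandbox code or anything from the NanoCore client; CONFIG_TEXT is a hand-copied subset of the fields above, and the parser, field names and indicator keys are this example's own. It normalises the text into typed values and derives the indicators that actually matter: live C2 host:port pairs, whether they are literal IPs (nothing to sinkhole by DNS), whether the configured DNS servers are in use at all, and whether the mutex is a well-formed GUID that an endpoint query can match exactly.

```python
"""Normalise a sandbox-extracted NanoCore config into typed fields and indicators."""
import ipaddress
import uuid

# Constructed from the extracted config above; only the fields this example
# uses are reproduced. The sandbox renders large integers as floats
# (1.048576e+07) and leaves an unset host with no value; both are handled.
CONFIG_TEXT = """\
backup_connection_host
backup_dns_server 8.8.4.4
buffer_size 65535
bypass_user_account_control false
connection_port 60110
gc_threshold 1.048576e+07
max_packet_size 1.048576e+07
mutex c5cb65e3-79c3-43dc-bde0-43ed679c8c9b
primary_connection_host 79.134.225.6
primary_dns_server 8.8.8.8
request_elevation true
run_on_startup false
use_custom_dns_server false
version 1.2.2.0
"""


def _coerce(raw):
    """Map the sandbox's string rendering back to a typed value."""
    if raw == "":
        return None
    if raw.lower() in ("true", "false"):
        return raw.lower() == "true"
    try:
        num = float(raw)          # accepts 65535 as well as 1.048576e+07
    except ValueError:
        return raw                # hosts, GUIDs, dotted version strings
    return int(num) if num.is_integer() else num


def parse_config(text):
    """One 'key value' pair per line; a key with no value becomes None."""
    cfg = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        key, _, value = line.strip().partition(" ")
        cfg[key] = _coerce(value.strip())
    return cfg


def _is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _is_guid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def indicators(cfg):
    """Hunting indicators plus the checks applied before pushing them to a
    blocklist: which hosts are live, whether they are literal IPs, and whether
    the mutex is a GUID that can be matched exactly on an endpoint."""
    port = cfg["connection_port"]
    hosts = [cfg.get("primary_connection_host"), cfg.get("backup_connection_host")]
    c2 = [(host, port) for host in hosts if host]
    # The DNS servers in the config are only consulted if the client is
    # configured to use them; otherwise they are not indicators at all.
    custom_dns = ([cfg["primary_dns_server"], cfg["backup_dns_server"]]
                  if cfg.get("use_custom_dns_server") else [])
    return {
        "c2": c2,
        "c2_all_literal_ips": all(_is_ip(host) for host, _ in c2),
        "custom_dns": custom_dns,
        "mutex": cfg["mutex"],
        "mutex_is_guid": _is_guid(cfg["mutex"]),
        "max_packet_size": cfg["max_packet_size"],
    }


if __name__ == "__main__":
    for key, value in indicators(parse_config(CONFIG_TEXT)).items():
        print(f"{key}: {value}")
```

For this sample the result is a single literal-IP C2 on port 60110, no custom DNS, and a GUID mutex; the float fields come back as plain integers (10485760), which is what a feed or a Sigma rule expects.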
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
  process: Scancontract103.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe"

Checks whether UAC is enabled
  process: Scancontract103.exe
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA

Suspicious use of SetThreadContext (1 IoC)
  PID 4972 (Scancontract103.exe) set thread context of PID 2968 (Scancontract103.exe)
  Together with the WriteProcessMemory entries below, a parent writing into a freshly spawned copy of its own image and then setting its thread context is the usual shape of process hollowing; every persistence action in this report is performed by the child, PID 2968, not by the launcher.

Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\DDP Manager\ddpmgr.exe (Scancontract103.exe)
  File opened for modification: C:\Program Files (x86)\DDP Manager\ddpmgr.exe (Scancontract103.exe)

Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 3200 schtasks.exe
  PID 3584 schtasks.exe

Suspicious behavior: EnumeratesProcesses (3 IoCs)
  PID 2968 Scancontract103.exe (3 times)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2968 Scancontract103.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2968 Scancontract103.exe (2 times)

Suspicious use of WriteProcessMemory (14 IoCs)
  PID 4972 (Scancontract103.exe) wrote to memory of PID 2968 (Scancontract103.exe) (8 times)
  PID 2968 (Scancontract103.exe) wrote to memory of PID 3200 (schtasks.exe) (3 times)
  PID 2968 (Scancontract103.exe) wrote to memory of PID 3584 (schtasks.exe) (3 times)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Scancontract103.exe (PID 4972)
    "C:\Users\Admin\AppData\Local\Temp\Scancontract103.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\Scancontract103.exe (PID 2968)
        "{path}"
        - Adds Run key to start application
        - Checks whether UAC is enabled
        - Drops file in Program Files directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 3200)
            "schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp57D4.tmp"
            - Creates scheduled task(s)

        [3] C:\Windows\SysWOW64\schtasks.exe (PID 3584)
            "schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp58CF.tmp"
            - Creates scheduled task(s)
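The three behaviours that make this tree worth alerting on are visible in the process, file and registry events alone: a parent in Temp writes into a child spawned from the same image and then sets its thread context; that child drops a copy under Program Files and points a Run value at it; and it drives schtasks.exe with /create /xml fed from a .tmp file in Temp. The following is an added example, not sandbox code: EVENTS is a hand-constructed, sandbox-style event list built from the tables above (the field names and the write_process_memory / set_thread_context event types are this example's own assumptions, not Sysmon's schema), and the three rules below encode the behaviours as detection logic that runs over it.

```python
"""Triage rules run over constructed, sandbox-style events mirroring this report."""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\Scancontract103.exe"
DROPPED = r"C:\Program Files (x86)\DDP Manager\ddpmgr.exe"

# Constructed by hand from the process tree and signature tables above. This is
# not sandbox or Sysmon output; the schema is an assumption of this example.
EVENTS = [
    {"type": "process_create", "pid": 4972, "ppid": 1000, "image": SAMPLE,
     "cmdline": f'"{SAMPLE}"'},
    {"type": "process_create", "pid": 2968, "ppid": 4972, "image": SAMPLE,
     "cmdline": '"{path}"'},
    {"type": "write_process_memory", "pid": 4972, "target_pid": 2968},
    {"type": "set_thread_context", "pid": 4972, "target_pid": 2968},
    {"type": "file_create", "pid": 2968, "path": DROPPED},
    {"type": "registry_set", "pid": 2968,
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager",
     "value": DROPPED},
    {"type": "process_create", "pid": 3200, "ppid": 2968,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp57D4.tmp"'},
    {"type": "process_create", "pid": 3584, "ppid": 2968,
     "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp58CF.tmp"'},
]

TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumes the XML path is quoted, as it is in the command lines above.
SCHTASKS_XML = re.compile(r'/create\b.*?/xml\s+"([^"]+)"', re.IGNORECASE)


def _processes(events):
    return {e["pid"]: e for e in events if e["type"] == "process_create"}


def rule_self_injection(events):
    """Parent writes into a child it spawned from the same image, then sets
    that child's thread context: the launcher / hollowed-child pattern."""
    procs = _processes(events)
    wrote = {(e["pid"], e["target_pid"]) for e in events
             if e["type"] == "write_process_memory"}
    hits = []
    for e in events:
        if e["type"] != "set_thread_context":
            continue
        src, dst = procs.get(e["pid"]), procs.get(e["target_pid"])
        if not (src and dst):
            continue
        same_image = src["image"].lower() == dst["image"].lower()
        if dst["ppid"] == src["pid"] and same_image and (src["pid"], dst["pid"]) in wrote:
            hits.append({"rule": "self_injection", "pid": src["pid"], "target_pid": dst["pid"]})
    return hits


def rule_run_key_to_dropped_copy(events):
    """A process running out of Temp sets a Run value that points at a file
    the same process created (here, under Program Files)."""
    procs = _processes(events)
    created = {(e["pid"], e["path"].lower()) for e in events if e["type"] == "file_create"}
    hits = []
    for e in events:
        if e["type"] != "registry_set" or not RUN_KEY.search(e["key"]):
            continue
        proc = procs.get(e["pid"])
        if proc and TEMP_DIR.search(proc["image"]) and (e["pid"], e["value"].lower()) in created:
            hits.append({"rule": "run_key_to_dropped_copy", "pid": e["pid"], "value": e["value"]})
    return hits


def rule_schtasks_xml_from_temp(events):
    """schtasks /create given an XML task definition in Temp, launched by a
    parent that itself runs from Temp."""
    procs = _processes(events)
    hits = []
    for e in events:
        if e["type"] != "process_create" or not e["image"].lower().endswith("\\schtasks.exe"):
            continue
        match = SCHTASKS_XML.search(e["cmdline"])
        parent = procs.get(e["ppid"])
        if match and TEMP_DIR.search(match.group(1)) and parent and TEMP_DIR.search(parent["image"]):
            hits.append({"rule": "schtasks_xml_from_temp", "pid": e["pid"], "xml": match.group(1)})
    return hits


RULES = (rule_self_injection, rule_run_key_to_dropped_copy, rule_schtasks_xml_from_temp)


def run_rules(events):
    """Apply every rule and return the findings in rule order."""
    findings = []
    for rule in RULES:
        findings.extend(rule(events))
    return findings


if __name__ == "__main__":
    for finding in run_rules(EVENTS):
        print(finding)
```

Each rule keys on a relationship rather than a single string, so a renamed task or a different drop directory still trips it: the Run rule needs the value to be a file the same process created, and the schtasks rule needs both the XML and the parent to live in Temp. Against real telemetry the set_thread_context event would have to come from a source that records it (a sandbox or an EDR hook); Sysmon alone gives you the process, file and registry events.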
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Scancontract103.exe.log
  (written by the 32-bit .NET CLR when a managed executable runs, so the sample is a 32-bit .NET binary)
  Filesize: 1KB
  MD5: 568cff9ba1570565b45bf9ef7e636f7f
  SHA1: d07d800e4334c2566181d3fcf9d644512a5a992e
  SHA256: b094cb1ef7da4d1a6ed0b9dc687619033e44b960f4be00652a46fe945398bc09
  SHA512: 623e2fc4ba85f3465744dcd3e52cfa9e83009d18d5a8f4239842b2ddd0b0c91cd447072f7844cd9e6f8ef571f38743b22820f5cc741f9e55823d241146f9830b

C:\Users\Admin\AppData\Local\Temp\tmp57D4.tmp
  (XML task definition passed to schtasks.exe for "DDP Manager")
  Filesize: 1KB
  MD5: f93beca352476d9d25192e8d00f063a6
  SHA1: 1e0a33163a62bce987350dace888dc5c42f1bfb8
  SHA256: 0dbe2542d69ac20608ea7233dc0b9d5aa435580804607ce326aa6f91b432dda3
  SHA512: 161fe9b236d5b03bad942af7dc4890c22dd8f151d4226ad1a2142347e24529b2e778b633f032021cbba9623dd0f993130660bed6d76b798a252b7faac95d25f8

C:\Users\Admin\AppData\Local\Temp\tmp58CF.tmp
  (XML task definition passed to schtasks.exe for "DDP Manager Task")
  Filesize: 1KB
  MD5: 677848190631e19222304d1982aa2e1b
  SHA1: bed6cf97d3458e4ea59ff9823375d915a9b3d682
  SHA256: 8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d
  SHA512: f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e

Memory dumps

memory/2968-137-0x0000000000000000-mapping.dmp
memory/2968-138-0x0000000000400000-0x0000000000438000-memory.dmp
  Filesize: 224KB
  (region at the image base of the child, PID 2968, that the parent wrote into; the first candidate for the unpacked payload)
memory/3200-140-0x0000000000000000-mapping.dmp
memory/3584-142-0x0000000000000000-mapping.dmp
memory/4972-132-0x0000000000700000-0x00000000007D6000-memory.dmp
  Filesize: 856KB
memory/4972-133-0x0000000005790000-0x0000000005D34000-memory.dmp
  Filesize: 5.6MB
memory/4972-134-0x00000000051E0000-0x0000000005272000-memory.dmp
  Filesize: 584KB
memory/4972-135-0x0000000005280000-0x000000000531C000-memory.dmp
  Filesize: 624KB
memory/4972-136-0x00000000051B0000-0x00000000051BA000-memory.dmp
  Filesize: 40KB