Analysis Overview
SHA256
c0cc05dd4b5399522304d246e3cd7cdd017f36699678e62a83fb30cf44979dbb
Threat Level: Known bad
The file P.O. DARLLY-029-11-2022,pdf.exe was found to be: Known bad. The name ends in ",pdf.exe": the ",pdf" segment is a lure so the attachment reads as a PDF, while the real extension is .exe.
Malicious Activity Summary
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-14 10:41
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-14 10:41
Reported
2022-11-14 10:43
Platform
win10v2004-20220812-en
Max time kernel
146s
Max time network
149s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3144 set thread context of 3636 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"
C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C7A.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp54B8.tmp"
Network
| Country | Destination | Domain | Proto |
| N/A | 95.101.78.106:80 | | tcp |
| N/A | 93.184.220.29:80 | | tcp |
| N/A | 20.44.10.122:443 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 104.110.191.133:80 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
Files
memory/3144-132-0x0000000000FF0000-0x0000000001098000-memory.dmp
memory/3144-133-0x0000000005FD0000-0x0000000006574000-memory.dmp
memory/3144-134-0x0000000005AC0000-0x0000000005B52000-memory.dmp
memory/3144-135-0x0000000005A50000-0x0000000005A5A000-memory.dmp
memory/3144-136-0x00000000096E0000-0x000000000977C000-memory.dmp
memory/3636-137-0x0000000000000000-mapping.dmp
memory/3636-138-0x0000000000400000-0x000000000043A000-memory.dmp
memory/3432-139-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp4C7A.tmp
| MD5 | ddba6df11ce0826c227768ada6246301 |
| SHA1 | 460842f994327b94ba2f9ba8393c23440e785609 |
| SHA256 | 1a5cf1a672396a05694b122b4c4be02e61b5409ab1e8af41c63182ecae0204d4 |
| SHA512 | 9c3ac8562b9c4772692ca474c677bef70543929b346e653544d5a7bb94e093d5a60494fad3a1712ef8c7da4b488852321227583e135544696f655c19b11d3d79 |
memory/2260-141-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmp54B8.tmp
| MD5 | 2271642ca970891700e3f48439739ed8 |
| SHA1 | cd472df2349f7db9e1e460d0ee28acd97b8a8793 |
| SHA256 | 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68 |
| SHA512 | 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807 |
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-14 10:41
Reported
2022-11-14 10:43
Platform
win7-20220812-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\NTFS Monitor = "C:\\Program Files (x86)\\NTFS Monitor\\ntfsmon.exe" | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1756 set thread context of 2012 | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\NTFS Monitor\ntfsmon.exe | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"
C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor" /xml "C:\Users\Admin\AppData\Local\Temp\tmpDEEB.tmp"
C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /create /f /tn "NTFS Monitor Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpE024.tmp"
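The Processes and Signatures sections of both detonations (behavioral2 and behavioral1) show the same persistence shape: the Temp-resident dropper writes a Run value pointing into Program Files (x86), then calls schtasks.exe /create twice with task definitions handed over as .tmp files in the user's Temp directory. The following is an added example, not part of the sandbox report, of detection logic for that shape run over constructed Sysmon-style events. The event field names (type, image, parent, cmdline, key, value) are an assumption of this example, and the two benign control events are constructed to show what does not fire.

```python
import re

# Constructed Sysmon-style events (process creation and registry value set) modelled on
# the Processes and Signatures sections of this report. Field names are an assumption of
# this example, not a real log schema.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4C7A.tmp"'},
    {"type": "process", "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "parent": r"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe",
     "cmdline": r'"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp54B8.tmp"'},
    # Constructed control case: task XML under ProgramData, parent is a system service.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'"schtasks.exe" /create /tn "Backup" /xml "C:\ProgramData\Backup\task.xml"'},
    {"type": "registry", "image": r"C:\Users\Admin\AppData\Local\Temp\P.O. DARLLY-029-11-2022,pdf.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host",
     "value": r"C:\Program Files (x86)\DDP Host\ddphost.exe"},
    # Constructed control case: an installer in Program Files registering its own updater.
    {"type": "registry", "image": r"C:\Program Files (x86)\Vendor\setup.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorUpdater",
     "value": r"C:\Program Files (x86)\Vendor\updater.exe"},
]

USER_TEMP = re.compile(r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\([^\\]+)$", re.IGNORECASE)
TASK_NAME = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)
XML_ARG = re.compile(r'/xml\s+(?:"([^"]+)"|(\S+))', re.IGNORECASE)


def _arg(match):
    """Return the quoted or unquoted argument captured by TASK_NAME / XML_ARG."""
    return (match.group(1) or match.group(2)) if match else None


def check_process(ev):
    """Flag schtasks /create invocations that look like the ones in this report."""
    findings = []
    if not ev["image"].lower().endswith("\\schtasks.exe") or "/create" not in ev["cmdline"].lower():
        return findings
    name = _arg(TASK_NAME.search(ev["cmdline"]))
    xml_path = _arg(XML_ARG.search(ev["cmdline"]))
    # Task definition supplied as a throwaway .tmp file in the user's Temp directory.
    if xml_path and USER_TEMP.match(xml_path) and xml_path.lower().endswith(".tmp"):
        findings.append({"rule": "schtasks_xml_from_temp", "name": name, "detail": xml_path})
    # schtasks spawned by an executable that itself runs out of Temp.
    if USER_TEMP.match(ev["parent"]):
        findings.append({"rule": "schtasks_parent_in_temp", "name": name, "detail": ev["parent"]})
    return findings


def check_registry(ev):
    """Flag Run-key values written by a process running from the user's Temp directory."""
    m = RUN_KEY.search(ev["key"])
    if not m or not USER_TEMP.match(ev["image"]):
        return []
    return [{"rule": "run_key_set_from_temp", "name": m.group(1), "detail": ev["value"]}]


def scan(events):
    out = []
    for ev in events:
        out.extend(check_process(ev) if ev["type"] == "process" else check_registry(ev))
    return out


def correlate(findings):
    """Names used both as a Run value name and as a scheduled task name, or as the
    prefix of one ('DDP Host' and 'DDP Host Task' in this report). Heuristic."""
    run_names = {f["name"] for f in findings if f["rule"].startswith("run_key")}
    task_names = {f["name"] for f in findings if f["rule"].startswith("schtasks") and f["name"]}
    return {r for r in run_names if any(t == r or t.startswith(r + " ") for t in task_names)}


if __name__ == "__main__":
    hits = scan(SAMPLE_EVENTS)
    for h in hits:
        print(f"{h['rule']:26} name={h['name']!r} detail={h['detail']}")
    print("names seen in both a Run value and a scheduled task:", correlate(hits))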
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
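Both Network tables (behavioral2 and behavioral1) mix two different kinds of event: UDP rows to 8.8.8.8:53 and 8.8.4.4:53 are the resolver queries for albertsamco76.ddns.net, and TCP rows to 79.134.225.71:7480 are the connections made once that name resolved. As an added example that is not part of the report, the parser below turns rows in the report's table layout into a deduplicated IOC summary, tolerates the column shift present in the tcp rows (protocol landing in the Domain column), and separates resolution attempts from connections. The sample rows are constructed from the tables above, and the dynamic-DNS suffix list and the "not 80/443" heuristic are assumptions to be tuned for your environment.

```python
from collections import Counter

# Constructed rows in the report's four-column layout. The tcp rows reproduce the
# column shift seen on the page; one row is written the aligned way to show that
# both variants parse identically.
SAMPLE_ROWS = """\
| Country | Destination | Domain | Proto |
| N/A | 95.101.78.106:80 | tcp | |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
| N/A | 8.8.4.4:53 | albertsamco76.ddns.net | udp |
| N/A | 79.134.225.71:7480 | tcp | |
| N/A | 79.134.225.71:7480 | | tcp |
| N/A | 8.8.8.8:53 | albertsamco76.ddns.net | udp |
"""

# Partial list of dynamic-DNS provider suffixes (assumption; extend as needed).
DYNDNS_SUFFIXES = tuple("." + s for s in ("ddns.net", "no-ip.org", "no-ip.com", "duckdns.org", "hopto.org"))


def parse_rows(text):
    """Parse '| Country | Destination | Domain | Proto |' rows into dicts."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[0] == "Country":
            continue
        _country, dest, domain, proto = cells
        if domain.lower() in ("tcp", "udp") and not proto:   # repair the shifted row
            domain, proto = "", domain
        ip, _, port = dest.rpartition(":")
        rows.append({"ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows):
    """Split resolver queries from connections and pull out the IOCs worth acting on."""
    dns, conns = Counter(), Counter()
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["domain"]:
            dns[r["domain"]] += 1           # a lookup of the name, not traffic to it
        else:
            conns[(r["ip"], r["port"])] += 1
    return {
        "dns": dns,
        "connections": conns,
        "dyndns": {d for d in dns if d.lower().endswith(DYNDNS_SUFFIXES)},
        # Heuristic: connections off 80/443 get a second look; sandbox traffic on
        # 80/443 is frequently OS or browser background noise and needs its own triage.
        "candidate_c2": {k for k in conns if k[1] not in (80, 443)},
    }


if __name__ == "__main__":
    summary = summarize(parse_rows(SAMPLE_ROWS))
    for domain, n in summary["dns"].items():
        print(f"DNS  {domain:32} queries={n} dyndns={domain in summary['dyndns']}")
    for (ip, port), n in summary["connections"].items():
        print(f"CONN {ip}:{port:<6} count={n} candidate_c2={(ip, port) in summary['candidate_c2']}")
```

Feeding the full tables from both runs through parse_rows gives the same two actionable indicators (the ddns.net name and 79.134.225.71:7480), with the remaining port 80/443 destinations left for separate triage rather than silently promoted to IOCs.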
Files
memory/1756-54-0x0000000000E10000-0x0000000000EB8000-memory.dmp
memory/1756-55-0x0000000076871000-0x0000000076873000-memory.dmp
memory/1756-56-0x00000000004F0000-0x0000000000508000-memory.dmp
memory/1756-57-0x0000000000480000-0x000000000048C000-memory.dmp
memory/1756-58-0x0000000007EE0000-0x0000000007F6A000-memory.dmp
memory/1756-59-0x0000000000DB0000-0x0000000000DFE000-memory.dmp
memory/2012-60-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2012-61-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2012-63-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2012-64-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2012-66-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2012-67-0x000000000041E792-mapping.dmp
memory/2012-69-0x0000000000400000-0x000000000043A000-memory.dmp
memory/2012-71-0x0000000000400000-0x000000000043A000-memory.dmp
memory/276-73-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpDEEB.tmp
| MD5 | ddba6df11ce0826c227768ada6246301 |
| SHA1 | 460842f994327b94ba2f9ba8393c23440e785609 |
| SHA256 | 1a5cf1a672396a05694b122b4c4be02e61b5409ab1e8af41c63182ecae0204d4 |
| SHA512 | 9c3ac8562b9c4772692ca474c677bef70543929b346e653544d5a7bb94e093d5a60494fad3a1712ef8c7da4b488852321227583e135544696f655c19b11d3d79 |
memory/1312-75-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\tmpE024.tmp
| MD5 | 981e126601526eaa5b0ad45c496c4465 |
| SHA1 | d610d6a21a8420cc73fcd3e54ddae75a5897b28b |
| SHA256 | 11ae277dfa39e7038b782ca6557339e7fe88533fe83705c356a1500a1402d527 |
| SHA512 | a59fb704d931ccb7e1ec1a7b98e24ccd8708be529066c6de4b673098cdebef539f7f50d9e051c43954b5a8e7f810862b3a4ede170f131e080dadc3e763ed4bdb |
memory/2012-77-0x00000000003D0000-0x00000000003DA000-memory.dmp
memory/2012-78-0x00000000003E0000-0x00000000003FE000-memory.dmp
memory/2012-79-0x00000000004C0000-0x00000000004CA000-memory.dmp