Analysis Overview
SHA256
534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e
Threat Level: Known bad
The file 534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e was found to be: Known bad.
Malicious Activity Summary
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Suspicious use of SetThreadContext
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-26 23:15
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-26 23:15
Reported
2022-11-27 17:00
Platform
win10v2004-20220812-en
Max time kernel
158s
Max time network
162s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Note: the value is written under HKLM, so this is machine-wide persistence that needs an elevated token (the write succeeded in the sandbox's Admin session), and the WOW6432Node path is the WoW64-redirected view of HKLM\...\Run that a 32-bit process sees. The value name and target path (DDP Manager, ddpmgr.exe) differ from those in the behavioral1 run below (AGP Manager, agpmgr.exe), so hunt for the shape of the indicator rather than this exact string.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 800 set thread context of 4648 | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe |
Note: PID 800 is the original sample process and 4648 is a second instance of the same executable that it launched (the second entry under Processes). Combined with the WriteProcessMemory signature and the child's fresh 0x00400000-0x00438000 region in the Files list, this is the process-hollowing pattern: the parent writes a payload into a suspended copy of itself and redirects the child's thread to it, so the code that actually runs never touches disk under its own name.
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Note: this dropped copy is the target of the Run key above; writing into Program Files (x86) also requires an elevated token.
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Role | Image | Command line |
| Parent (PID 800) | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | "C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe" |
| Child (PID 4648), launched by the parent from its own image and then hollowed (see SetThreadContext) | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | "C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe" |
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 52.168.117.170:443 | N/A | tcp | 1 |
| N/A | 209.197.3.8:80 | N/A | tcp | 4 |
| N/A | 8.8.8.8:53 | connectbackto.twilightparadox.com | udp | 43 |
| N/A | 8.8.4.4:53 | connectbackto.twilightparadox.com | udp | 28 |
Note: the two TCP destinations carry no domain, do not recur in the Windows 7 run below, and cannot be tied to the sample from this report alone. The sample-specific network indicator is connectbackto.twilightparadox.com, a host name under a free dynamic-DNS zone, queried 71 times through the sandbox's Google resolvers within a 162 s network window with no connection recorded against the name, which indicates the C2 name did not resolve during the run. Block or sinkhole the name and alert on repeated failed lookups for it; the resolved address, when it exists, will change.
Files
Memory dumps, named memory/<pid>-<sequence>-<start>-<end>-memory.dmp for a dumped region and memory/<pid>-<sequence>-<address>-mapping.dmp for a dump taken at a single address. PID 800 is the parent and 4648 the hollowed child: the 0x00400000-0x00438000 region appears only in the child and is the best candidate for the image the parent wrote into it, while the 0x74EC0000-0x75471000 region is dumped from both processes.
memory/800-132-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/800-133-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/4648-134-0x0000000000000000-mapping.dmp
memory/4648-135-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4648-136-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4648-137-0x0000000000400000-0x0000000000438000-memory.dmp
memory/4648-139-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/800-140-0x0000000074EC0000-0x0000000075471000-memory.dmp
memory/4648-141-0x0000000074EC0000-0x0000000075471000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-26 23:15
Reported
2022-11-27 16:59
Platform
win7-20220901-en
Max time kernel
150s
Max time network
155s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\AGP Manager = "C:\\Program Files (x86)\\AGP Manager\\agpmgr.exe" | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Note: same HKLM Run-key persistence as the Windows 10 run, but with a different value name and install directory (AGP Manager, agpmgr.exe versus DDP Manager, ddpmgr.exe). The constant part is the shape: a "<Name> Manager" directory under Program Files (x86) holding a "<name>mgr.exe" that the Run key points at.
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1724 set thread context of 2028 | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe |
Note: the same self-hollowing as on Windows 10; here the parent is PID 1724 and the child is 2028. The child's mapping dump in the Files list is taken at 0x0041E792, inside the 0x00400000-0x00438000 region that exists only in the child.
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
| File opened for modification | C:\Program Files (x86)\AGP Manager\agpmgr.exe | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Role | Image | Command line |
| Parent (PID 1724) | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | "C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe" |
| Child (PID 2028), launched by the parent from its own image and then hollowed (see SetThreadContext) | C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe | "C:\Users\Admin\AppData\Local\Temp\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe" |
Network
| Country | Destination | Domain | Proto | Count |
| N/A | 8.8.8.8:53 | connectbackto.twilightparadox.com | udp | 32 |
| N/A | 8.8.4.4:53 | connectbackto.twilightparadox.com | udp | 31 |
Note: only DNS traffic was observed on Windows 7: 63 lookups for connectbackto.twilightparadox.com, alternating between the two resolvers, and no TCP connection at all, so the C2 name did not resolve during this run either.
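The behaviour recorded in both detonations (an HKLM Run key pointing at a freshly dropped "<Name> Manager\<name>mgr.exe" under Program Files (x86), the sample re-launching its own image and hollowing it, and a burst of failed lookups for connectbackto.twilightparadox.com) can be hunted for in Sysmon telemetry. The script below is an added example written for this page, not code from the sandbox or from any NanoCore tooling. Its events are constructed here from the report's indicators in the shape of Sysmon event IDs 1 (process create), 11 (file create), 13 (registry set) and 22 (DNS query); the explorer.exe parent, the attribution of the DNS queries to the hollowed child, the benign control events, the dynamic-DNS zone list and the scoring thresholds are assumptions.

```python
"""Hunt for the persistence / hollowing / DDNS pattern from this report in
Sysmon-style events. Added example; the events are constructed, not a real log."""
import re
from collections import Counter, defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\534e8c82674ceb71cc3fb0da8e2757a2b04f77ff5369c788a64d3cb7e312e46e.exe")
EXPLORER = r"C:\Windows\explorer.exe"                                  # assumed parent
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"      # benign control

# Any value under a Run key (HKLM or HKCU, including the WOW6432Node view).
RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run\\[^\\]+$", re.IGNORECASE)
# Both runs dropped "<Name> Manager\<name>mgr.exe" under Program Files (x86);
# match that shape instead of the per-run name (DDP Manager, AGP Manager).
PF_MGR_RE = re.compile(r"^C:\\Program Files( \(x86\))?\\[^\\]+ Manager\\[^\\]+mgr\.exe$",
                       re.IGNORECASE)
DDNS_ZONES = ("twilightparadox.com",)   # assumption: dynamic-DNS zones worth flagging
DNS_BURST = 10                          # assumption: failed lookups per name before flagging


def ddns_zone(name):
    """Return the dynamic-DNS zone a query name falls under, or None."""
    name = name.lower().rstrip(".")
    return next((z for z in DDNS_ZONES if name == z or name.endswith("." + z)), None)


def hunt(events):
    """Return (rule, pid, detail) tuples for every event that matches a rule."""
    findings = []
    failed = defaultdict(Counter)       # pid -> Counter(query name) of failed DDNS lookups
    for e in events:
        eid, pid = e["EventID"], e["ProcessId"]
        if eid == 1 and e["Image"].lower() == e["ParentImage"].lower():
            # a process started a second copy of its own image (hollowing precursor)
            findings.append(("self_spawn", e["ParentProcessId"], f"child {pid} from own image"))
        elif eid == 13 and RUN_KEY_RE.search(e["TargetObject"]) \
                and PF_MGR_RE.match(e["Details"].strip('"')):
            findings.append(("runkey_program_files_mgr", pid, e["TargetObject"]))
        elif eid == 11 and PF_MGR_RE.match(e["TargetFilename"]):
            findings.append(("drop_program_files_mgr", pid, e["TargetFilename"]))
        elif eid == 22 and ddns_zone(e["QueryName"]) and e.get("QueryStatus", "0") != "0":
            # Sysmon 22 QueryStatus: 0 is success, 9003 is NXDOMAIN
            failed[pid][e["QueryName"].lower()] += 1
    for pid, names in failed.items():
        for name, n in names.items():
            if n >= DNS_BURST:
                findings.append(("ddns_lookup_burst", pid, f"{name} x{n}, never resolved"))
    return findings


def verdict(events):
    """Fold findings onto the root of each same-image process chain and score them."""
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    image = {e["ProcessId"]: e["Image"].lower() for e in events if e["EventID"] == 1}

    def root(pid):
        seen = set()
        while pid in parent and pid not in seen and image.get(parent[pid]) == image.get(pid):
            seen.add(pid)
            pid = parent[pid]
        return pid

    rules = defaultdict(set)
    for rule, pid, _ in hunt(events):
        rules[root(pid)].add(rule)
    return {pid: ("malicious" if len(r) >= 3 else "suspicious", sorted(r))
            for pid, r in rules.items()}


# Constructed from the behavioral2 detonation (PIDs 800 -> 4648) plus benign controls.
EVENTS = [
    {"EventID": 1, "ProcessId": 800, "ParentProcessId": 4200, "Image": SAMPLE, "ParentImage": EXPLORER},
    {"EventID": 13, "ProcessId": 800, "Image": SAMPLE,
     "TargetObject": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager",
     "Details": r"C:\Program Files (x86)\DDP Manager\ddpmgr.exe"},
    {"EventID": 11, "ProcessId": 800, "Image": SAMPLE,
     "TargetFilename": r"C:\Program Files (x86)\DDP Manager\ddpmgr.exe"},
    {"EventID": 1, "ProcessId": 4648, "ParentProcessId": 800, "Image": SAMPLE, "ParentImage": SAMPLE},
    # benign: a browser that also spawns its own image, and an installer writing an HKCU Run key
    {"EventID": 1, "ProcessId": 3000, "ParentProcessId": 4200, "Image": CHROME, "ParentImage": EXPLORER},
    {"EventID": 1, "ProcessId": 3001, "ParentProcessId": 3000, "Image": CHROME, "ParentImage": CHROME},
    {"EventID": 13, "ProcessId": 5000, "Image": r"C:\Users\Admin\Downloads\setup.exe",
     "TargetObject": r"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"C:\Program Files\Vendor\Updater.exe"},
]
# The report lists 71 lookups (43 via 8.8.8.8, 28 via 8.8.4.4) but not the querying
# process; attributing them to the hollowed child is an assumption.
EVENTS += [{"EventID": 22, "ProcessId": 4648, "Image": SAMPLE,
            "QueryName": "connectbackto.twilightparadox.com", "QueryStatus": "9003"}
           for _ in range(71)]

if __name__ == "__main__":
    for pid, (score, rules) in sorted(verdict(EVENTS).items()):
        print(pid, score, ", ".join(rules))
```

The browser's self-spawn lands as "suspicious" on its own, which is the point of scoring on the chain rather than on any single rule: process re-launching its own image is common in legitimate software, while the same chain also dropping into Program Files (x86), registering an HKLM Run key and hammering a dynamic-DNS name is not.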
Files
Memory dumps in the same naming scheme as the Windows 10 run. PID 1724 is the parent and 2028 the hollowed child: the 0x00400000-0x00438000 region appears only in the child, and the child's mapping dump at 0x0041E792 falls inside it, consistent with the parent redirecting the child's thread to code it wrote there. The 0x742A0000-0x7484B000 region is dumped from both processes.
memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp
memory/1724-55-0x00000000742A0000-0x000000007484B000-memory.dmp
memory/2028-56-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2028-57-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2028-59-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2028-61-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1724-63-0x0000000002156000-0x0000000002167000-memory.dmp
memory/2028-65-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2028-67-0x000000000041E792-mapping.dmp
memory/2028-69-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2028-71-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1724-73-0x00000000742A0000-0x000000007484B000-memory.dmp
memory/1724-74-0x0000000002156000-0x0000000002167000-memory.dmp
memory/2028-75-0x00000000742A0000-0x000000007484B000-memory.dmp
memory/2028-76-0x00000000742A0000-0x000000007484B000-memory.dmp
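The Files lists of both detonations can be read mechanically to find the hollowed image: parse each dump name, group regions by PID, and take the regions the child has that the parent never did. The script below is an added example for this page, not tooling from the sandbox; it assumes the name convention exactly as it appears above (memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp and memory/<pid>-<seq>-0x<addr>-mapping.dmp) and uses the heuristic, also an assumption, that the first PID to be dumped is the parent and the next distinct PID is its child.

```python
"""Parse the sandbox's memory-dump names and locate the region present only in
the hollowed child. Added example; the dump names are copied from this report."""
import re
from collections import defaultdict

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")


def parse_dump(name):
    """Split one dump name into pid, sequence number, kind and address range."""
    m = DUMP_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"],
            "start": int(m["start"], 16),
            "end": int(m["end"], 16) if m["end"] else None}


def infer_parent_child(names):
    """Heuristic (assumption): the PID dumped first is the parent, the next distinct PID the child."""
    pids = []
    for d in sorted((parse_dump(n) for n in names), key=lambda d: d["seq"]):
        if d["pid"] not in pids:
            pids.append(d["pid"])
    if len(pids) < 2:
        raise ValueError("need dumps from at least two processes")
    return pids[0], pids[1]


def injected_regions(names, parent_pid, child_pid):
    """Return (regions dumped from the child that the parent never had,
    addresses of the child's mapping dumps)."""
    dumps = [parse_dump(n) for n in names]
    regions = defaultdict(set)
    for d in dumps:
        if d["kind"] == "memory":
            regions[d["pid"]].add((d["start"], d["end"]))
    child_only = sorted(regions[child_pid] - regions[parent_pid])
    mappings = sorted(d["start"] for d in dumps
                      if d["pid"] == child_pid and d["kind"] == "mapping")
    return child_only, mappings


def locate(addr, regions):
    """The (start, end) region containing addr, or None."""
    return next((r for r in regions if r[0] <= addr < r[1]), None)


# Dump names copied from the two detonations in this report.
BEHAVIORAL2_DUMPS = [
    "memory/800-132-0x0000000074EC0000-0x0000000075471000-memory.dmp",
    "memory/800-133-0x0000000074EC0000-0x0000000075471000-memory.dmp",
    "memory/4648-134-0x0000000000000000-mapping.dmp",
    "memory/4648-135-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/4648-136-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/4648-137-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/4648-139-0x0000000074EC0000-0x0000000075471000-memory.dmp",
    "memory/800-140-0x0000000074EC0000-0x0000000075471000-memory.dmp",
    "memory/4648-141-0x0000000074EC0000-0x0000000075471000-memory.dmp",
]
BEHAVIORAL1_DUMPS = [
    "memory/1724-54-0x0000000074B51000-0x0000000074B53000-memory.dmp",
    "memory/1724-55-0x00000000742A0000-0x000000007484B000-memory.dmp",
    "memory/2028-56-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2028-57-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2028-59-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2028-61-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/1724-63-0x0000000002156000-0x0000000002167000-memory.dmp",
    "memory/2028-65-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2028-67-0x000000000041E792-mapping.dmp",
    "memory/2028-69-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/2028-71-0x0000000000400000-0x0000000000438000-memory.dmp",
    "memory/1724-73-0x00000000742A0000-0x000000007484B000-memory.dmp",
    "memory/1724-74-0x0000000002156000-0x0000000002167000-memory.dmp",
    "memory/2028-75-0x00000000742A0000-0x000000007484B000-memory.dmp",
    "memory/2028-76-0x00000000742A0000-0x000000007484B000-memory.dmp",
]

if __name__ == "__main__":
    for label, names in (("behavioral2", BEHAVIORAL2_DUMPS), ("behavioral1", BEHAVIORAL1_DUMPS)):
        parent, child = infer_parent_child(names)
        child_only, mappings = injected_regions(names, parent, child)
        print(f"{label}: parent={parent} child={child}")
        for start, end in child_only:
            print(f"  child-only region 0x{start:08X}-0x{end:08X} ({end - start} bytes)")
        for addr in mappings:
            where = "inside" if locate(addr, child_only) else "outside"
            print(f"  mapping dump at 0x{addr:08X}, {where} the child-only regions")
```

The child-only region is the one to carve out of the dump and inspect as the unpacked payload; in the Windows 7 run the mapping address 0x0041E792 sits at offset 0x1E792 into it, which is where to start when looking for the new entry point.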