Analysis Overview
SHA256
b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377
Threat Level: Known bad
The file b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377 was found to be: Known bad.
Malicious Activity Summary
Nanocore family
NanoCore
Adds Run key to start application
Checks whether UAC is enabled
Drops file in Program Files directory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2022-11-27 00:00
Signatures
Nanocore family
Analysis: behavioral1
Detonation Overview
Submitted
2022-11-27 00:00
Reported
2022-11-27 17:38
Platform
win7-20220812-en
Max time kernel
167s
Max time network
184s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SCSI Service = "C:\\Program Files (x86)\\SCSI Service\\scsisvc.exe" | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
| File created | C:\Program Files (x86)\SCSI Service\scsisvc.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe
"C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | asshost.duckdns.org | udp |
| N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | asshost.duckdns.org | udp |
| N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | asshost.duckdns.org | udp |
| N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp |
Files
memory/1976-54-0x0000000076321000-0x0000000076323000-memory.dmp
memory/1976-55-0x0000000074830000-0x0000000074DDB000-memory.dmp
memory/1976-56-0x0000000074830000-0x0000000074DDB000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2022-11-27 00:00
Reported
2022-11-27 17:38
Platform
win10v2004-20220812-en
Max time kernel
179s
Max time network
186s
Command Line
Signatures
NanoCore
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
| File opened for modification | C:\Program Files (x86)\DDP Host\ddphost.exe | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe
"C:\Users\Admin\AppData\Local\Temp\b4f5c995616b6fcf2365f902247d36552179b8cfd7a3895a1e9222bc37db0377.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 20.44.10.122:443 | tcp | |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 104.110.191.140:80 | tcp | |
| N/A | 104.110.191.140:80 | tcp | |
| N/A | 104.110.191.140:80 | tcp | |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | 176.122.125.40.in-addr.arpa | udp |
| N/A | 8.8.8.8:53 | asshost.duckdns.org | udp |
| N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | asshost.duckdns.org | udp |
| N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | asshost.duckdns.org | udp |
| N/A | 191.96.6.55:333 | asshost.duckdns.org | tcp |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
| N/A | 8.8.8.8:53 | asshost.ydns.eu | udp |
| N/A | 191.96.6.55:333 | asshost.ydns.eu | tcp |
Files
memory/4956-132-0x00000000745F0000-0x0000000074BA1000-memory.dmp
memory/4956-133-0x00000000745F0000-0x0000000074BA1000-memory.dmp