Analysis
- max time kernel: 85s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03-12-2022 23:21
Static task: static1
Behavioral task: behavioral1
- Sample: 18cd96c07ff82aa2d322d0e66426734b.exe
- Resource: win7-20220812-en
General
- Target: 18cd96c07ff82aa2d322d0e66426734b.exe
- Size: 336KB
- MD5: 18cd96c07ff82aa2d322d0e66426734b
- SHA1: 83feb91f4a28e5b3c01fa2b86d9cbf9926ad6583
- SHA256: 62ef85b80d921282ea82b900e2d2663d75e433470a3236146adeddabd3ac6a38
- SHA512: e1a8f585e5ebc80d501f614c65e63f1d24829169cc3af6d41fd154ce35b0b7f89c56c3b7cc9d598448b77c7d5465596d76f3a96771fcc284f154a51241dde319
- SSDEEP: 6144:oECmDimAbetPUu/femoEv7a48wn87QMH3xXjqdzUgSpIFaJ7LqwIrF3:Jivy2MfL8wNM4vaJfqwIJ
Malware Config
Extracted
- Family: nanocore
- Version: 1.2.2.0
- C2: nasim1.duckdns.org:22102
- C2: winter-dew-56140.pktriot.net:22102
- Mutex: aaf67717-0374-4dd5-b84e-fb1bb826519c

Attributes
- activate_away_mode: true
- backup_connection_host: winter-dew-56140.pktriot.net
- backup_dns_server: 8.8.4.4
- buffer_size: 65535
- build_time: 2022-09-09T21:16:41.136666036Z
- bypass_user_account_control: false
- bypass_user_account_control_data:
- clear_access_control: true
- clear_zone_identifier: false
- connect_delay: 4000
- connection_port: 22102
- default_group: Default
- enable_debug_mode: true
- gc_threshold: 1.048576e+07
- keep_alive_timeout: 30000
- keyboard_logging: false
- lan_timeout: 2500
- max_packet_size: 1.048576e+07
- mutex: aaf67717-0374-4dd5-b84e-fb1bb826519c
- mutex_timeout: 5000
- prevent_system_sleep: false
- primary_connection_host: nasim1.duckdns.org
- primary_dns_server: 8.8.8.8
- request_elevation: false
- restart_delay: 5000
- run_delay: 0
- run_on_startup: false
- set_critical_process: true
- timeout_interval: 5000
- use_custom_dns_server: false
- version: 1.2.2.0
- wan_timeout: 8000
Signatures
- Executes dropped EXE (1 IoC)
  Processes:
    PID 3180  test.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation | 18cd96c07ff82aa2d322d0e66426734b.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Manager = "C:\\Program Files (x86)\\DDP Manager\\ddpmgr.exe" | test.exe
- Checks whether UAC is enabled (1 IoC)
  Processes (description | ioc | process):
    Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | test.exe
- Drops file in Program Files directory (2 IoCs)
  Processes (description | ioc | process):
    File created | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | test.exe
    File opened for modification | C:\Program Files (x86)\DDP Manager\ddpmgr.exe | test.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 2 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes:
    PID 3852  schtasks.exe
    PID 2084  schtasks.exe
- Suspicious behavior: EnumeratesProcesses (3 IoCs)
  Processes:
    PID 3180  test.exe
    PID 3180  test.exe
    PID 3180  test.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    PID 3180  test.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3260 | 18cd96c07ff82aa2d322d0e66426734b.exe
    Token: SeDebugPrivilege | 3180 | test.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description | pid | process | target process):
    PID 3260 wrote to memory of 3180 | 3260 | 18cd96c07ff82aa2d322d0e66426734b.exe | test.exe
    PID 3260 wrote to memory of 3180 | 3260 | 18cd96c07ff82aa2d322d0e66426734b.exe | test.exe
    PID 3260 wrote to memory of 3180 | 3260 | 18cd96c07ff82aa2d322d0e66426734b.exe | test.exe
    PID 3180 wrote to memory of 3852 | 3180 | test.exe | schtasks.exe
    PID 3180 wrote to memory of 3852 | 3180 | test.exe | schtasks.exe
    PID 3180 wrote to memory of 3852 | 3180 | test.exe | schtasks.exe
    PID 3180 wrote to memory of 2084 | 3180 | test.exe | schtasks.exe
    PID 3180 wrote to memory of 2084 | 3180 | test.exe | schtasks.exe
    PID 3180 wrote to memory of 2084 | 3180 | test.exe | schtasks.exe
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\18cd96c07ff82aa2d322d0e66426734b.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\18cd96c07ff82aa2d322d0e66426734b.exe"
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\test.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\test.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Manager" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3B82.tmp"
      - Creates scheduled task(s)
    - [3] C:\Windows\SysWOW64\schtasks.exe
      Command line: "schtasks.exe" /create /f /tn "DDP Manager Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3CFA.tmp"
      - Creates scheduled task(s)
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\test.exe
  Filesize: 203KB
  MD5: 5106b627ddc082155764efe6d0b56882
  SHA1: b6040cbf5a9751b830322d5972be98c125792e0c
  SHA256: c756bc7453a57b22def34496d8902b23f4976d8a4f2f3c539607e06130644384
  SHA512: e2fe5cb3cfb7183ff8c44b4e15db8e458f86c4665e729d8711fc08cb15ffcd1d4d8c19e28d4575068f792647cd23579e664b0693570188b81fa8853c03b0d094
- C:\Users\Admin\AppData\Local\Temp\tmp3B82.tmp
  Filesize: 1KB
  MD5: daa959fa3888b5436fb93b6796bc803b
  SHA1: 43b8b749c623daede8374165806b8354655fa06c
  SHA256: da87a4088b0f1dce79ca8128c8275cb6eaf527e571c68a6fb3a0b56576d38344
  SHA512: aba76a0d311ad0466c64aac0d8f6ed483d2006dc0f14ac78af6af33b9db920a3735fa9478bb6fc5535f4b5eb9621479ec6f8172e05089c27872016ae08f896f0
- C:\Users\Admin\AppData\Local\Temp\tmp3CFA.tmp
  Filesize: 1KB
  MD5: 677848190631e19222304d1982aa2e1b
  SHA1: bed6cf97d3458e4ea59ff9823375d915a9b3d682
  SHA256: 8bcf16c788d228932fa707bb4250c05151e099bdf7040adc717e53680601be3d
  SHA512: f5d41e150011bc63f4c95799e21fe91ffaa25eb05f4ca46ea89f3a3ca5325413ba4e0b7b5d69c0bc189955f3308c4928016a7cc1d6f7c2352639106952e92b1e
- memory/2084-144-0x0000000000000000-mapping.dmp
- memory/3180-141-0x000000006FF30000-0x00000000704E1000-memory.dmp (Filesize: 5.7MB)
- memory/3180-138-0x0000000000000000-mapping.dmp
- memory/3180-146-0x000000006FF30000-0x00000000704E1000-memory.dmp (Filesize: 5.7MB)
- memory/3260-137-0x0000000004E30000-0x0000000004E86000-memory.dmp (Filesize: 344KB)
- memory/3260-136-0x0000000004CF0000-0x0000000004CFA000-memory.dmp (Filesize: 40KB)
- memory/3260-132-0x00000000002A0000-0x00000000002AE000-memory.dmp (Filesize: 56KB)
- memory/3260-135-0x0000000004D90000-0x0000000004E22000-memory.dmp (Filesize: 584KB)
- memory/3260-134-0x00000000052A0000-0x0000000005844000-memory.dmp (Filesize: 5.6MB)
- memory/3260-133-0x0000000004C10000-0x0000000004CAC000-memory.dmp (Filesize: 624KB)
- memory/3852-142-0x0000000000000000-mapping.dmp