Analysis Overview
SHA256
d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62
Threat Level: Known bad
The file d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62 was found to be: Known bad.
Malicious Activity Summary
Detect Ducktail Third Stage Payload
Ducktail family
Legitimate hosting services abused for malware hosting/C2
Program crash
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-12-12 02:12
Signatures
Detect Ducktail Third Stage Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Ducktail family
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-12-12 02:10
Reported
2023-12-12 02:15
Platform
win7-20231130-en
Max time kernel
117s
Max time network
121s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 852 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 852 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 852 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe | C:\Windows\SysWOW64\WerFault.exe |
| PID 852 wrote to memory of 2736 | N/A | C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe | C:\Windows\SysWOW64\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe
"C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 852 -s 1268
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-12-12 02:10
Reported
2023-12-12 02:15
Platform
win10v2004-20231130-en
Max time kernel
140s
Max time network
152s
Command Line
Signatures
Legitimate hosting services abused for malware hosting/C2
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe
"C:\Users\Admin\AppData\Local\Temp\d103d06dabbf9e74d9b89d4d2b3436b150078bcbabbb715a7765b3b0c3fa8a62.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 1428 -ip 1428
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1428 -s 1848
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
Files