Analysis Overview
SHA256
bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb
Threat Level: Known bad
The file bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb was found to be: Known bad.
Malicious Activity Summary
Detect Ducktail Third Stage Payload
Ducktail family
Unsigned PE
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-02-19 01:29
Signatures
Detect Ducktail Third Stage Payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Ducktail family
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-19 01:28
Reported
2024-02-19 01:31
Platform
win10v2004-20231215-en
Max time kernel
92s
Max time network
97s
Command Line
Signatures
Processes
C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe
"C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe"
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | t3o.h.filess.io | udp |
| DE | 82.208.23.39:3307 | t3o.h.filess.io | tcp |
| US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.23.208.82.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 89.135.221.88.in-addr.arpa | udp |
Files
memory/4512-0-0x0000000180000000-0x0000000180A25000-memory.dmp
memory/4512-4-0x00007FF62BEB0000-0x00007FF62C81E000-memory.dmp
memory/4512-3-0x000001CCB0CD0000-0x000001CCB1981000-memory.dmp
memory/4512-7-0x000001CC8F9E0000-0x000001CC8F9F2000-memory.dmp
memory/4512-10-0x000001CCB00E0000-0x000001CCB01A1000-memory.dmp
memory/4512-13-0x000001CC8F9D0000-0x000001CC8F9DD000-memory.dmp
memory/4512-16-0x000001CCAFF90000-0x000001CCAFFB0000-memory.dmp
memory/4512-19-0x000001CCAFFB0000-0x000001CCAFFC8000-memory.dmp
memory/4512-22-0x000001CCB00C0000-0x000001CCB00D3000-memory.dmp
memory/4512-28-0x000001CCB01E0000-0x000001CCB0201000-memory.dmp
memory/4512-31-0x000001CCB0260000-0x000001CCB02A0000-memory.dmp
memory/4512-34-0x000001CCB03B0000-0x000001CCB04AE000-memory.dmp
memory/4512-37-0x000001CCAFFE0000-0x000001CCAFFE7000-memory.dmp
memory/4512-40-0x000001CCB01D0000-0x000001CCB01DA000-memory.dmp
memory/4512-43-0x000001CCB0560000-0x000001CCB058A000-memory.dmp
memory/4512-46-0x000001CCB05A0000-0x000001CCB05B6000-memory.dmp
memory/4512-49-0x000001CCB5430000-0x000001CCB547E000-memory.dmp
memory/4512-52-0x000001CCB05F0000-0x000001CCB0609000-memory.dmp
memory/4512-55-0x000001CCB54D0000-0x000001CCB550C000-memory.dmp
memory/4512-58-0x000001CCB5ED0000-0x000001CCB5F85000-memory.dmp
memory/4512-61-0x000001CCB5F90000-0x000001CCB6013000-memory.dmp
memory/4512-64-0x000001CCB0CC0000-0x000001CCB0CC7000-memory.dmp
memory/4512-67-0x000001CCB5E10000-0x000001CCB5E46000-memory.dmp
memory/4512-134-0x00007FF62BEB0000-0x00007FF62C81E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-19 01:28
Reported
2024-02-19 01:31
Platform
win7-20240215-en
Max time kernel
118s
Max time network
123s
Command Line
Signatures
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2364 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe | C:\Windows\system32\WerFault.exe |
| PID 2364 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe | C:\Windows\system32\WerFault.exe |
| PID 2364 wrote to memory of 2392 | N/A | C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe
"C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 2364 -s 1356
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | t3o.h.filess.io | udp |
| DE | 82.208.23.39:3307 | t3o.h.filess.io | tcp |
| DE | 82.208.23.39:3307 | t3o.h.filess.io | tcp |
Files
memory/2364-0-0x0000000180000000-0x0000000180A25000-memory.dmp
memory/2364-4-0x000000013FCD0000-0x000000014063E000-memory.dmp
memory/2364-3-0x0000000023F00000-0x0000000024BB1000-memory.dmp
memory/2364-10-0x0000000022DF0000-0x0000000022EB1000-memory.dmp
memory/2364-7-0x0000000001CA0000-0x0000000001CB2000-memory.dmp
memory/2364-13-0x00000000003D0000-0x00000000003DD000-memory.dmp
memory/2364-16-0x0000000001F70000-0x0000000001F90000-memory.dmp
memory/2364-22-0x0000000002070000-0x0000000002083000-memory.dmp
memory/2364-19-0x0000000001F90000-0x0000000001FA8000-memory.dmp
memory/2364-31-0x0000000022D20000-0x0000000022D60000-memory.dmp
memory/2364-28-0x0000000002090000-0x00000000020B1000-memory.dmp
memory/2364-34-0x0000000023350000-0x000000002344E000-memory.dmp
memory/2364-37-0x0000000002040000-0x0000000002047000-memory.dmp
memory/2364-40-0x0000000001F60000-0x0000000001F6A000-memory.dmp
memory/2364-43-0x0000000022D60000-0x0000000022D8A000-memory.dmp
memory/2364-49-0x0000000022B80000-0x0000000022B96000-memory.dmp
memory/2364-52-0x0000000022F10000-0x0000000022F4C000-memory.dmp
memory/2364-46-0x0000000022EC0000-0x0000000022F0E000-memory.dmp
memory/2364-55-0x0000000022DC0000-0x0000000022DD9000-memory.dmp
memory/2364-61-0x0000000027750000-0x0000000027805000-memory.dmp
memory/2364-58-0x0000000023DC0000-0x0000000023E43000-memory.dmp
memory/2364-64-0x0000000022DE0000-0x0000000022DE7000-memory.dmp
memory/2364-67-0x0000000023540000-0x0000000023576000-memory.dmp
memory/2364-144-0x000000013FCD0000-0x000000014063E000-memory.dmp