Malware Analysis Report

2024-11-13 13:55

Sample ID 240219-bvt1vsgg72
Target bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb
SHA256 bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb
Tags: ducktail
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb

Threat Level: Known bad

The file bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb was found to be: Known bad.

Malicious Activity Summary

ducktail

Detect Ducktail Third Stage Payload

Ducktail family

Unsigned PE

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-02-19 01:29

Signatures

Detect Ducktail Third Stage Payload

Description Indicator Process Target
N/A N/A N/A N/A

Ducktail family

ducktail

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-19 01:28
Reported: 2024-02-19 01:31
Platform: win10v2004-20231215-en
Max time kernel: 92s
Max time network: 97s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe

"C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe"

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           228.249.119.40.in-addr.arpa    udp
US       8.8.8.8:53           9.134.221.88.in-addr.arpa      udp
US       8.8.8.8:53           t3o.h.filess.io                udp
DE       82.208.23.39:3307    t3o.h.filess.io                tcp
US       8.8.8.8:53           71.159.190.20.in-addr.arpa     udp
US       8.8.8.8:53           95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53           39.23.208.82.in-addr.arpa      udp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           206.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           18.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           35.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53           89.135.221.88.in-addr.arpa     udp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-19 01:28
Reported: 2024-02-19 01:31
Platform: win7-20240215-en
Max time kernel: 118s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe

"C:\Users\Admin\AppData\Local\Temp\bffe0f9b1bfb77ad0625085693d36c0a518587fcc2d1f0c8befe500a212e07bb.exe"

C:\Windows\system32\WerFault.exe

C:\Windows\system32\WerFault.exe -u -p 2364 -s 1356

Network

Country  Destination          Domain              Proto
US       8.8.8.8:53           t3o.h.filess.io     udp
DE       82.208.23.39:3307    t3o.h.filess.io     tcp
DE       82.208.23.39:3307    t3o.h.filess.io     tcp

Files
