Malware Analysis Report

2024-10-19 07:11

Sample ID 240511-kbge4abd85
Target 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
SHA256 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c
Tags
nanocore execution keylogger persistence spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c

Threat Level: Known bad

The file 44eae16cf38376d158b41110880be13da97dc492ccec500d8931104d85fd907c was found to be: Known bad.

Malicious Activity Summary

nanocore execution keylogger persistence spyware stealer trojan

NanoCore

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-11 08:25

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-11 08:25

Reported

2024-05-11 08:28

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Host = "C:\\Program Files (x86)\\DDP Host\\ddphost.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4760 set thread context of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Host\ddphost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DDP Host\ddphost.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4760 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4760 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4760 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4760 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4760 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4760 wrote to memory of 4372 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4760 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4760 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4760 wrote to memory of 3220 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 4760 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 2976 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 4760 wrote to memory of 3672 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3672 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 2736 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 3488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 3488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 3672 wrote to memory of 3488 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCB10.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Host" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Host Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpD439.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
BE 2.17.107.123:443 www.bing.com tcp
US 8.8.8.8:53 123.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 26.69.169.192.in-addr.arpa udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp

Files

memory/4760-0-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/4760-1-0x00000000005A0000-0x0000000000692000-memory.dmp

memory/4760-2-0x0000000005780000-0x0000000005D24000-memory.dmp

memory/4760-3-0x00000000050C0000-0x0000000005152000-memory.dmp

memory/4760-4-0x0000000005090000-0x000000000509A000-memory.dmp

memory/4760-5-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4760-6-0x0000000005260000-0x000000000527E000-memory.dmp

memory/4760-7-0x00000000052C0000-0x00000000052D0000-memory.dmp

memory/4760-8-0x00000000052F0000-0x0000000005306000-memory.dmp

memory/4760-9-0x0000000006610000-0x000000000668C000-memory.dmp

memory/4760-10-0x0000000008CB0000-0x0000000008D4C000-memory.dmp

memory/4880-16-0x00000000051A0000-0x00000000051D6000-memory.dmp

memory/4760-15-0x0000000074DEE000-0x0000000074DEF000-memory.dmp

memory/4880-18-0x0000000005910000-0x0000000005F38000-memory.dmp

memory/4880-17-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4880-19-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4760-20-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4880-21-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4372-22-0x0000000074DE0000-0x0000000075590000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpCB10.tmp

MD5 eb191f331a938125005e0de35289d1be
SHA1 9f036798936f34fa5b483f4e47f3ee80afb72b23
SHA256 04e80553000a88cae1b459ac57cc5977a59766c001d0223a5ff19b7a44a96cd6
SHA512 fbc9bc540c2d420541adba4f15523d0b17045c5833eb9b7d2163c4c95d737a5045a18f3f8cbc7a5b0455df8e06d8f20ccbb0ca85acd0f48b886a19b96122f014

memory/4880-23-0x00000000058B0000-0x00000000058D2000-memory.dmp

memory/4880-27-0x0000000006150000-0x00000000061B6000-memory.dmp

memory/4880-26-0x0000000006030000-0x0000000006096000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pp5kvlzw.2dh.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4880-37-0x00000000061C0000-0x0000000006514000-memory.dmp

memory/4372-25-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/3672-47-0x0000000000400000-0x000000000043A000-memory.dmp

memory/4760-49-0x0000000074DE0000-0x0000000075590000-memory.dmp

memory/4880-50-0x0000000006760000-0x000000000677E000-memory.dmp

memory/4880-53-0x0000000006970000-0x00000000069BC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD13A.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

memory/4372-70-0x0000000006B00000-0x0000000006B1E000-memory.dmp

memory/4372-71-0x00000000076C0000-0x0000000007763000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpD439.tmp

MD5 2271642ca970891700e3f48439739ed8
SHA1 cd472df2349f7db9e1e460d0ee28acd97b8a8793
SHA256 7aba66abbcb0b13455609174db23aed495a9adbef0e0acd28baa9c92445eda68
SHA512 4669a4ef8ec28cdb852ffc1401576b1bf9a9d837797d7d92bc88c18b3097404f36854e50167b309706fef400cabc43c876569ce2797ba85eb169a2783b8fe807

memory/4372-59-0x0000000075690000-0x00000000756DC000-memory.dmp

memory/4372-58-0x0000000006A90000-0x0000000006AC2000-memory.dmp

memory/3672-75-0x00000000060A0000-0x00000000060AA000-memory.dmp

memory/4372-76-0x0000000007E40000-0x00000000084BA000-memory.dmp

memory/4372-77-0x00000000077F0000-0x000000000780A000-memory.dmp

memory/3672-74-0x0000000005F60000-0x0000000005F7E000-memory.dmp

memory/4372-78-0x0000000007860000-0x000000000786A000-memory.dmp

memory/3672-73-0x00000000052E0000-0x00000000052EC000-memory.dmp

memory/3672-72-0x0000000005090000-0x000000000509A000-memory.dmp

memory/4372-79-0x0000000007A70000-0x0000000007B06000-memory.dmp

memory/4372-80-0x00000000079F0000-0x0000000007A01000-memory.dmp

memory/4372-81-0x0000000007A20000-0x0000000007A2E000-memory.dmp

memory/4880-83-0x0000000075690000-0x00000000756DC000-memory.dmp

memory/4372-82-0x0000000007A30000-0x0000000007A44000-memory.dmp

memory/4372-93-0x0000000007B30000-0x0000000007B4A000-memory.dmp

memory/4372-94-0x0000000007B10000-0x0000000007B18000-memory.dmp

memory/4372-97-0x0000000074DE0000-0x0000000075590000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e1327af0f324380c862615969e824c24
SHA1 afe9e2eb1904ba0f86c240cd133ec296e69d328d
SHA256 dd5379ed13070c9c1c7878ad560195c8d9c198229cc6b7032e12a0f63d658b93
SHA512 973551374b2c4e1da67c8c4c68dc32fb78fd1a3c453ed6aad4dc7e7fcfef7b355a1e3bf6896791817cc90526ecce2c8d8e5df6b2b9353f7d476603ca9057d652

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

memory/4880-101-0x0000000074DE0000-0x0000000075590000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-11 08:25

Reported

2024-05-11 08:28

Platform

win7-20240221-en

Max time kernel

144s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1336 set thread context of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
File opened for modification C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1336 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1336 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\SysWOW64\schtasks.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1336 wrote to memory of 1032 N/A C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1032 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 648 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe
PID 1032 wrote to memory of 2664 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe

"C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\ee66629e98c3278017e7297d3b2b57aac9783a51a46b34046ccc866d10ba4f3c.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\fupTmRCVq.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fupTmRCVq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC42.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF20C.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpF326.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2nd.ddns.net udp
NL 91.92.253.11:65024 december2nd.ddns.net tcp
US 8.8.8.8:53 december2n.duckdns.org udp
US 192.169.69.26:65024 december2n.duckdns.org tcp
US 192.169.69.26:65024 december2n.duckdns.org tcp

Files

memory/1336-0-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

memory/1336-1-0x00000000000E0000-0x00000000001D2000-memory.dmp

memory/1336-2-0x0000000074A00000-0x00000000750EE000-memory.dmp

memory/1336-3-0x0000000000460000-0x000000000047E000-memory.dmp

memory/1336-4-0x00000000004C0000-0x00000000004D0000-memory.dmp

memory/1336-5-0x00000000004D0000-0x00000000004E6000-memory.dmp

memory/1336-6-0x0000000005430000-0x00000000054AC000-memory.dmp

memory/1336-7-0x0000000074A0E000-0x0000000074A0F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpEC42.tmp

MD5 0ea57fac1e498dc52d4f7de9746e640c
SHA1 56c3f317642663b7b95e79390c4d0ba983d1198b
SHA256 7bd39ca5926b8596affff53c3665792a6000af71aa959a15d0700d0c7bc6c36b
SHA512 754f1352576f3a1e779871cf632a2d8251dfa75e838fc189b2ea27f69140bb013a690edba67509fbce60459be90da7296456e2e0a8240652f6786eadc5a4e249

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KSBXKZVWVWIYF7JKUTB0.temp

MD5 e91ee7d3b6ef2eeffa8ccd9a744f056e
SHA1 f13f4c75b7bdd432c7e04e1afd6b7f23b805715e
SHA256 8d7b786f411708fddac31bb75c7d1a36a559c4fc2487e8b2a79a913af0f5c83f
SHA512 21397b7b2c20d4416ef20586b3bce9011e2ddc6b51f5badbd8c7ca05f32453e1398bc9d9bfd790286e7db55c4d3580140679e1b784249ca17cf58dc4dbf1c532

memory/1032-20-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1032-31-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1032-30-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1032-29-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1032-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1032-26-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1032-24-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1032-22-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1336-32-0x0000000074A00000-0x00000000750EE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpF20C.tmp

MD5 8cad1b41587ced0f1e74396794f31d58
SHA1 11054bf74fcf5e8e412768035e4dae43aa7b710f
SHA256 3086d914f6b23268f8a12cb1a05516cd5465c2577e1d1e449f1b45c8e5e8f83c
SHA512 99c2ef89029de51a866df932841684b7fc912df21e10e2dd0d09e400203bbdc6cba6319a31780b7bf8b286d2cea8ea3fc7d084348bf2f002ab4f5a34218ccbef

C:\Users\Admin\AppData\Local\Temp\tmpF326.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

memory/1032-40-0x00000000004A0000-0x00000000004AA000-memory.dmp

memory/1032-41-0x00000000004B0000-0x00000000004BC000-memory.dmp

memory/1032-42-0x00000000009C0000-0x00000000009DE000-memory.dmp

memory/1032-43-0x00000000004F0000-0x00000000004FA000-memory.dmp