f431ef3e225cccee2e5a0c14a5421b636e2371fd5d86869f795f73bcfe200a79

Analysis

max time kernel
51s
max time network
16s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddv.exe
Size

853KB
MD5

c581187d51ca3b1f7ccf3b7e4ca5c7fb
SHA1

a6ab6616689a0030fd7cbee89e380a8bb9a9a146
SHA256

f431ef3e225cccee2e5a0c14a5421b636e2371fd5d86869f795f73bcfe200a79
SHA512

8357ef5bb070a762de3211f73aebb72140f90b522383b26c8d491cdcf594f05214430ace1a884dd6f599b87bc0754ce0cdfb51b4b505e872bc405f65cf36d345
SSDEEP

12288:brtfG+RxIf3Yu0Cp5WerP+52B4gdEiz3j4cgKwL6Ix7fsL9X4DS+2GN+mCxW5:HtOV/R0ervqXD+bxA

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\taskschd.msc	mmc.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe
Token: 33	1428	mmc.exe
Token: SeIncBasePriorityPrivilege	1428	mmc.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1428	mmc.exe
1428	mmc.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 1428 wrote to memory of 2728	1428	mmc.exe	31
PID 1428 wrote to memory of 2728	1428	mmc.exe	31
PID 1428 wrote to memory of 2728	1428	mmc.exe	31

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ddv.exe
"C:\Users\Admin\AppData\Local\Temp\ddv.exe"
1⤵
PID:2392

C:\Windows\system32\mmc.exe
"C:\Windows\system32\mmc.exe" "C:\Windows\system32\taskschd.msc" /s
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1428
- C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
  dw20.exe -x -s 1136
  2⤵
  PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1428-6-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-0-0x0000000002090000-0x0000000002091000-memory.dmp

Filesize
4KB

Download
memory/1428-2-0x00000000027E0000-0x00000000027FE000-memory.dmp

Filesize
120KB

Download
memory/1428-3-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-4-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-5-0x000000001D810000-0x000000001DB56000-memory.dmp

Filesize
3.3MB

Download
memory/1428-1-0x000007FEF412E000-0x000007FEF412F000-memory.dmp

Filesize
4KB

Download
memory/1428-7-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-10-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-9-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-8-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-11-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/1428-13-0x000007FEF3E70000-0x000007FEF480D000-memory.dmp

Filesize
9.6MB

Download
memory/2728-12-0x0000000000470000-0x0000000000471000-memory.dmp

Filesize
4KB

Download