Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2420 set thread context of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 set thread context of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2168 set thread context of 2508	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 1964 set thread context of 996	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 3020	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2420 wrote to memory of 1148	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1148	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1148	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1148	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1440	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1440	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1440	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 1440	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2420 wrote to memory of 2616	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 1440 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 1440 wrote to memory of 2628	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2032	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 2032	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 2032	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 2032	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 648	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2032 wrote to memory of 2816	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2816	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2816	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2816	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2840	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2840	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2840	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2840	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2820	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2820	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2820	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2032 wrote to memory of 2820	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 2840 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2840 wrote to memory of 1920	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 2308 wrote to memory of 2168	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 2168	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 2168	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe
PID 2308 wrote to memory of 2168	N/A	C:\Windows\system32\taskeng.exe	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\system32\taskeng.exe

taskeng.exe {78507145-3419-41CB-91AC-98B8F26A667D} S-1-5-21-39690363-730359138-1046745555-1000:EILATWEW\Admin:Interactive:[1]

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	munan.duckdns.org	udp
US	18.210.161.224:3637	munan.duckdns.org	tcp

Files

memory/2420-0-0x0000000074ACE000-0x0000000074ACF000-memory.dmp

memory/2420-1-0x0000000000850000-0x00000000008A0000-memory.dmp

memory/2420-2-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/3020-9-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-6-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-5-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-4-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-11-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-13-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-3-0x0000000000400000-0x000000000043A000-memory.dmp

memory/3020-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2420-14-0x0000000074AC0000-0x00000000751AE000-memory.dmp

memory/3020-18-0x0000000000460000-0x000000000046A000-memory.dmp

memory/3020-19-0x0000000000770000-0x000000000077C000-memory.dmp

memory/3020-20-0x00000000004B0000-0x00000000004CE000-memory.dmp

memory/3020-21-0x0000000000A70000-0x0000000000A7A000-memory.dmp

memory/3020-24-0x0000000000A80000-0x0000000000A8C000-memory.dmp

memory/3020-25-0x0000000000BC0000-0x0000000000BDA000-memory.dmp

memory/3020-26-0x0000000000BE0000-0x0000000000BEE000-memory.dmp

memory/3020-30-0x0000000000DC0000-0x0000000000DD4000-memory.dmp

memory/3020-29-0x0000000000DB0000-0x0000000000DBE000-memory.dmp

memory/3020-31-0x0000000000DD0000-0x0000000000DE4000-memory.dmp

memory/3020-28-0x0000000000DA0000-0x0000000000DAC000-memory.dmp

memory/3020-27-0x0000000000D90000-0x0000000000DA2000-memory.dmp

memory/3020-33-0x0000000000FD0000-0x0000000000FFE000-memory.dmp

memory/3020-32-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

memory/3020-34-0x0000000000F10000-0x0000000000F24000-memory.dmp

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

MD5	ec03c8da575fa5ee4745506b340968e6
SHA1	357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512	2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

memory/2032-38-0x00000000010A0000-0x00000000010F0000-memory.dmp

memory/1964-65-0x0000000000220000-0x0000000000270000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-30 01:05

Reported

2024-06-30 01:08

Platform

win10v2004-20240508-en

Max time kernel

137s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Detects executables packed with SmartAssembly

Description	Indicator	Process	Target
N/A	N/A	N/A	N/A
N/A	N/A	N/A	N/A

Executes dropped EXE

Description	Indicator	Process	Target
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A
N/A	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	N/A

Checks whether UAC is enabled

evasion trojan

Description	Indicator	Process	Target
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of SetThreadContext

Description	Indicator	Process	Target
PID 2576 set thread context of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 set thread context of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 set thread context of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4484 set thread context of 4388	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Scheduled Task/Job: Scheduled Task

persistence execution

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A
N/A	N/A	C:\Windows\SysWOW64\schtasks.exe	N/A

Suspicious behavior: EnumeratesProcesses

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious behavior: GetForegroundWindowSpam

Description	Indicator	Process	Target
N/A	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of AdjustPrivilegeToken

Description	Indicator	Process	Target
Token: SeDebugPrivilege	N/A	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	N/A

Suspicious use of WriteProcessMemory

Description	Indicator	Process	Target
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 1312	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 2576 wrote to memory of 4876	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4876	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4876	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4812	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4812	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4812	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4904	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4904	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 2576 wrote to memory of 4904	N/A	C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe	C:\Windows\SysWOW64\cmd.exe
PID 4812 wrote to memory of 1776	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4812 wrote to memory of 1776	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4812 wrote to memory of 1776	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 4248	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4480 wrote to memory of 1548	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 1548	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 1548	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4128	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4128	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4128	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4448	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4448	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4480 wrote to memory of 4448	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 4128 wrote to memory of 4944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4128 wrote to memory of 4944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4128 wrote to memory of 4944	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2016	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 3180 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 2588	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 3184	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 3184	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 3184	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 5072	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 5072	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3180 wrote to memory of 5072	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\SysWOW64\cmd.exe
PID 3184 wrote to memory of 4108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3184 wrote to memory of 4108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 3184 wrote to memory of 4108	N/A	C:\Windows\SysWOW64\cmd.exe	C:\Windows\SysWOW64\schtasks.exe
PID 4484 wrote to memory of 4388	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4484 wrote to memory of 4388	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4484 wrote to memory of 4388	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
PID 4484 wrote to memory of 4388	N/A	C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe

"C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Local\Temp\26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\DDfiles"

C:\Windows\SysWOW64\cmd.exe

"cmd" /c schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

C:\Windows\SysWOW64\cmd.exe

"cmd" /c copy "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe" "C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe"

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /sc minute /mo 1 /tn "Nafifas" /tr "'C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe'" /f

Network

Country	Destination	Domain	Proto
US	8.8.8.8:53	munan.duckdns.org	udp
US	18.210.161.224:3637	munan.duckdns.org	tcp
US	8.8.8.8:53	209.205.72.20.in-addr.arpa	udp
US	8.8.8.8:53	224.161.210.18.in-addr.arpa	udp
US	8.8.8.8:53	74.32.126.40.in-addr.arpa	udp
US	8.8.8.8:53	217.106.137.52.in-addr.arpa	udp
US	8.8.8.8:53	103.169.127.40.in-addr.arpa	udp
US	8.8.8.8:53	18.31.95.13.in-addr.arpa	udp
US	8.8.8.8:53	172.210.232.199.in-addr.arpa	udp
US	8.8.8.8:53	144.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	203.107.17.2.in-addr.arpa	udp
US	8.8.8.8:53	14.227.111.52.in-addr.arpa	udp

Files

memory/2576-0-0x0000000074C0E000-0x0000000074C0F000-memory.dmp

memory/2576-1-0x0000000000580000-0x00000000005D0000-memory.dmp

memory/2576-2-0x0000000005480000-0x0000000005A24000-memory.dmp

memory/2576-3-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1312-4-0x0000000000400000-0x000000000043A000-memory.dmp

memory/1312-6-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/2576-7-0x0000000074C00000-0x00000000753B0000-memory.dmp

memory/1312-8-0x0000000004E80000-0x0000000004F12000-memory.dmp

memory/1312-9-0x0000000004F20000-0x0000000004FBC000-memory.dmp

memory/1312-12-0x0000000004E40000-0x0000000004E4A000-memory.dmp

memory/1312-14-0x00000000051C0000-0x00000000051CA000-memory.dmp

memory/1312-16-0x0000000005370000-0x000000000538E000-memory.dmp

memory/1312-15-0x00000000051D0000-0x00000000051DC000-memory.dmp

memory/1312-17-0x0000000005E20000-0x0000000005E2A000-memory.dmp

memory/1312-20-0x00000000065B0000-0x00000000065BC000-memory.dmp

memory/1312-21-0x00000000065C0000-0x00000000065DA000-memory.dmp

memory/1312-23-0x0000000006600000-0x0000000006612000-memory.dmp

memory/1312-26-0x0000000006630000-0x0000000006644000-memory.dmp

memory/1312-25-0x0000000006620000-0x000000000662E000-memory.dmp

memory/1312-24-0x0000000006610000-0x000000000661C000-memory.dmp

memory/1312-22-0x00000000065F0000-0x00000000065FE000-memory.dmp

memory/1312-30-0x00000000066B0000-0x00000000066C4000-memory.dmp

memory/1312-29-0x0000000006680000-0x00000000066AE000-memory.dmp

memory/1312-28-0x0000000006670000-0x000000000667E000-memory.dmp

memory/1312-27-0x0000000006640000-0x0000000006654000-memory.dmp

memory/1312-31-0x0000000006890000-0x00000000068F6000-memory.dmp

C:\Users\Admin\AppData\Roaming\DDfiles\DDfiles.exe

MD5	ec03c8da575fa5ee4745506b340968e6
SHA1	357374aa9b28d6571ebcf3b535b3cd8fe85eebba
SHA256	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
SHA512	2d01fa27ef375f77db7e3a896877db902ea52578aaa13aaec2aef3ce8a0199b1de56ca70602bac24f4fd2278ed5835e2c373c0626a05e95929deb93abb94137a

memory/1312-38-0x0000000074C00000-0x00000000753B0000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\DDfiles.exe.log

MD5	03febbff58da1d3318c31657d89c8542
SHA1	c9e017bd9d0a4fe533795b227c855935d86c2092
SHA256	5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4
SHA512	3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegAsm.exe.log

MD5	84e77a587d94307c0ac1357eb4d3d46f
SHA1	83cc900f9401f43d181207d64c5adba7a85edc1e
SHA256	e16024b092a026a9dc00df69d4b9bbcab7b2dc178dc5291fc308a1abc9304a99
SHA512	aefb5c62200b3ed97718d20a89990954d4d8acdc0a6a73c5a420f1bba619cb79e70c2cd0a579b9f52dc6b09e1de2cea6cd6cac4376cfee92d94e2c01d310f691

Sample ID	240630-bfw7nsvckm
Target	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7.exe
SHA256	26321ed18abb4d44668e157dcb9a123debe3b7477d95055d20e5f5d997bf60d7
Tags	nanocore evasion keylogger spyware stealer trojan

Malware Analysis Report

2024-08-06 14:44

Table of Contents

Analysis Overview

Threat Level: Known bad

Malicious Activity Summary

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files