Malware Analysis Report

2024-11-13 13:55

Sample ID 240711-bw9gyatekb
Target b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b
SHA256 b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b
Tags: ducktail
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b

Threat Level: Known bad

The file b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b was found to be: Known bad.

Malicious Activity Summary

ducktail

Detect Ducktail Third Stage Payload

Ducktail family

Unsigned PE

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-07-11 01:31

Signatures

Detect Ducktail Third Stage Payload

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Ducktail family

ducktail

Unsigned PE

Description  Indicator  Process  Target
N/A          N/A        N/A      N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-07-11 01:30

Reported: 2024-07-11 01:34

Platform: win10v2004-20240709-en

Max time kernel: 91s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b.exe

"C:\Users\Admin\AppData\Local\Temp\b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b.exe"

Network

Country  Destination          Domain                        Proto
US       8.8.8.8:53           g.bing.com                    udp
US       204.79.197.237:443   g.bing.com                    tcp
US       8.8.8.8:53           172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53           140.32.126.40.in-addr.arpa    udp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa   udp
US       8.8.8.8:53           88.156.103.20.in-addr.arpa    udp
US       8.8.8.8:53           86.23.85.13.in-addr.arpa      udp
US       8.8.8.8:53           15.164.165.52.in-addr.arpa    udp
US       8.8.8.8:53           147.142.123.92.in-addr.arpa   udp
IE       52.111.236.22:443    -                             tcp
US       8.8.8.8:53           29.243.111.52.in-addr.arpa    udp

Files


Analysis: behavioral1

Detonation Overview

Submitted: 2024-07-11 01:30

Reported: 2024-07-11 01:34

Platform: win7-20240704-en

Max time kernel: 119s

Max time network: 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b.exe

"C:\Users\Admin\AppData\Local\Temp\b023aaf055d9c4ea3bf04da5016b36581e5f267f668a8a9c6ebdf8dcf02d5d8b.exe"

Network

N/A

Files
