Analysis
-
max time kernel
1786s -
max time network
1806s -
platform
windows7_x64 -
resource
win7-20240704-en -
resource tags
arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system -
submitted
23-07-2024 11:59
Behavioral task
behavioral1
Sample
ddpsvc.exe
Resource
win7-20240704-en
windows7-x64
7 signatures
1800 seconds
Behavioral task
behavioral2
Sample
ddpsvc.exe
Resource
win10-20240404-en
windows10-1703-x64
7 signatures
1800 seconds
Behavioral task
behavioral3
Sample
ddpsvc.exe
Resource
win10v2004-20240709-en
windows10-2004-x64
7 signatures
1800 seconds
General
-
Target
ddpsvc.exe
-
Size
256KB
-
MD5
d2b160bf5dbcd67bf70abcbf750cb343
-
SHA1
64c1cbb8c1ba03d3ed9fc543353761d82011d005
-
SHA256
e3780c56125cc734e1aa099762909dca33ccb17be0a6c510733b762c1092fe7b
-
SHA512
315cfee7a997016152d41d3016cfa05215581d08972dd9c226a5dd5e740217d9524787eaf4810e9c48c28624776d775d2ded476ca0491ff3a49d239aadfee816
-
SSDEEP
6144:jYtUoG/WtqLTr9bNMizsaq6cu8ygDkmvpEH9J0Z/a:j0U9Tj0YH8ygDkuEJ0Zy
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
ddpsvc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SMTP Monitor = "C:\\Program Files (x86)\\SMTP Monitor\\smtpmon.exe" ddpsvc.exe -
Processes:
ddpsvc.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA ddpsvc.exe -
Drops file in Program Files directory 2 IoCs
Processes:
ddpsvc.exedescription ioc process File created C:\Program Files (x86)\SMTP Monitor\smtpmon.exe ddpsvc.exe File opened for modification C:\Program Files (x86)\SMTP Monitor\smtpmon.exe ddpsvc.exe -
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
ddpsvc.exepid process 2280 ddpsvc.exe 2280 ddpsvc.exe 2280 ddpsvc.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
ddpsvc.exepid process 2280 ddpsvc.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
ddpsvc.exedescription pid process Token: SeDebugPrivilege 2280 ddpsvc.exe Token: SeDebugPrivilege 2280 ddpsvc.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ddpsvc.exe"C:\Users\Admin\AppData\Local\Temp\ddpsvc.exe"1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2280