Analysis
max time kernel: 152s
max time network: 155s
platform: windows7_x64
resource: win7-en-20211208
submitted: 26-01-2022 14:53

Static task: static1

Behavioral task: behavioral1
Sample: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
Resource: win7-en-20211208

Behavioral task: behavioral2
Sample: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
Resource: win10-en-20211208
General
Target: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
Size: 19KB
MD5: 61c2029fa9b7194a9971ee05e2643bec
SHA1: 03dbfc548a2fa7e79fe2d5c4433f91a83d8e5c2b
SHA256: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c
SHA512: c15337b14494258670b440e6dfe3fe4e3387ea5caf35eeeec3528a186172a088364ff9fddd6902d82998c3ccd3077bb4babb1bd8781e530512254a6b153ace89
Malware Config
Extracted
nworm
v0.3.8
24.101.234.141:8087
127.0.0.1:8087
38fc6b9e
Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.

Executes dropped EXE (1 IoC)
Processes:
  PID   Process
  1100  ntldr.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
Processes:
  PID   Process
  972   timeout.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
  PID   Process
  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  1100  ntldr.exe
  1100  ntldr.exe
  1100  ntldr.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  Description              PID   Process
  Token: SeDebugPrivilege  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  Token: SeDebugPrivilege  1100  ntldr.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  Description                       PID   Process                                                                  Target process
  PID 1620 wrote to memory of 1988  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe  schtasks.exe
  PID 1620 wrote to memory of 1988  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe  schtasks.exe
  PID 1620 wrote to memory of 1988  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe  schtasks.exe
  PID 1620 wrote to memory of 1804  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe  cmd.exe
  PID 1620 wrote to memory of 1804  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe  cmd.exe
  PID 1620 wrote to memory of 1804  1620  0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe  cmd.exe
  PID 1804 wrote to memory of 972   1804  cmd.exe                                                                  timeout.exe
  PID 1804 wrote to memory of 972   1804  cmd.exe                                                                  timeout.exe
  PID 1804 wrote to memory of 972   1804  cmd.exe                                                                  timeout.exe
  PID 1804 wrote to memory of 1100  1804  cmd.exe                                                                  ntldr.exe
  PID 1804 wrote to memory of 1100  1804  cmd.exe                                                                  ntldr.exe
  PID 1804 wrote to memory of 1100  1804  cmd.exe                                                                  ntldr.exe
Processes

C:\Users\Admin\AppData\Local\Temp\0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'ntldr.exe"' /tr "'C:\Users\Admin\AppData\Roaming\ntldr.exe"'
    - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE87.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\ntldr.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ntldr.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmpAE87.tmp.bat
MD5: 92241606ac3d4c6cf91f15f1658facb5
SHA1: 24f2bf52cd4ab6c04b7729a531b8e03c5fe711bd
SHA256: 7ef7b540451f95a182d30ead85fdc913687a95c205efae75f09ff40e70de5d04
SHA512: 45b0993e6916bd2e341da7a21d05eca1acf2a4df55a478d0a83d8c4735b2dc0bb5d51000c75658354a21f4c558cbec7eba95f50189f6ac39c2a538ef781caa12

C:\Users\Admin\AppData\Roaming\ntldr.exe
MD5: d1967cde4f3fa482fad0eedd9ccb9cc1
SHA1: ff0381aa2d8796e4ee1d95f5a76e03b278155e18
SHA256: b69ce442013d007bc1a7253183097cbfe6efacc516004654e487e392b3014d24
SHA512: 1b6c30ebeb3f02ba35f2f1e1e41fba91651cada4e8992cf227eaeaab973a42e246f1cf68309620ed61193b0565a1cbd525b6ee117df7d52d46c3b55985de2ead

memory/1100-59-0x0000000000DD0000-0x0000000000DDC000-memory.dmp
Filesize: 48KB

memory/1100-60-0x000000001AB60000-0x000000001AB62000-memory.dmp
Filesize: 8KB

memory/1620-54-0x0000000000DF0000-0x0000000000DFC000-memory.dmp
Filesize: 48KB

memory/1620-55-0x000000001AAC0000-0x000000001AAC2000-memory.dmp
Filesize: 8KB