Overview

overview

10

Static

static

10

0c1186bb4c...5c.exe

windows7_x64

10

0c1186bb4c...5c.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    26-01-2022 14:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe

  • Size

    19KB

  • MD5

    61c2029fa9b7194a9971ee05e2643bec

  • SHA1

    03dbfc548a2fa7e79fe2d5c4433f91a83d8e5c2b

  • SHA256

    0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c

  • SHA512

    c15337b14494258670b440e6dfe3fe4e3387ea5caf35eeeec3528a186172a088364ff9fddd6902d82998c3ccd3077bb4babb1bd8781e530512254a6b153ace89

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

24.101.234.141:8087

127.0.0.1:8087
Mutex

38fc6b9e

Signatures

  • NWorm

    A TrickBot module used to propagate to vulnerable domain controllers.

    wormdownloadernworm
  • Executes dropped EXE 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
    "C:\Users\Admin\AppData\Local\Temp\0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'ntldr.exe"' /tr "'C:\Users\Admin\AppData\Roaming\ntldr.exe"'
      2⤵
      • Creates scheduled task(s)
      PID:1988
    • C:\Windows\system32\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAE87.tmp.bat""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\system32\timeout.exe
        timeout 3
        3⤵
        • Delays execution with timeout.exe
        PID:972
      • C:\Users\Admin\AppData\Roaming\ntldr.exe
        "C:\Users\Admin\AppData\Roaming\ntldr.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1100

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpAE87.tmp.bat
    MD5

    92241606ac3d4c6cf91f15f1658facb5

    SHA1

    24f2bf52cd4ab6c04b7729a531b8e03c5fe711bd

    SHA256

    7ef7b540451f95a182d30ead85fdc913687a95c205efae75f09ff40e70de5d04

    SHA512

    45b0993e6916bd2e341da7a21d05eca1acf2a4df55a478d0a83d8c4735b2dc0bb5d51000c75658354a21f4c558cbec7eba95f50189f6ac39c2a538ef781caa12

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ntldr.exe
    MD5

    d1967cde4f3fa482fad0eedd9ccb9cc1

    SHA1

    ff0381aa2d8796e4ee1d95f5a76e03b278155e18

    SHA256

    b69ce442013d007bc1a7253183097cbfe6efacc516004654e487e392b3014d24

    SHA512

    1b6c30ebeb3f02ba35f2f1e1e41fba91651cada4e8992cf227eaeaab973a42e246f1cf68309620ed61193b0565a1cbd525b6ee117df7d52d46c3b55985de2ead

    Download Submit
  • C:\Users\Admin\AppData\Roaming\ntldr.exe
    MD5

    d1967cde4f3fa482fad0eedd9ccb9cc1

    SHA1

    ff0381aa2d8796e4ee1d95f5a76e03b278155e18

    SHA256

    b69ce442013d007bc1a7253183097cbfe6efacc516004654e487e392b3014d24

    SHA512

    1b6c30ebeb3f02ba35f2f1e1e41fba91651cada4e8992cf227eaeaab973a42e246f1cf68309620ed61193b0565a1cbd525b6ee117df7d52d46c3b55985de2ead

    Download Submit
  • memory/1100-59-0x0000000000DD0000-0x0000000000DDC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1100-60-0x000000001AB60000-0x000000001AB62000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1620-54-0x0000000000DF0000-0x0000000000DFC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/1620-55-0x000000001AAC0000-0x000000001AAC2000-memory.dmp
    Filesize

    8KB

    Download