Analysis
- max time kernel: 158s
- max time network: 171s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 14:53
Static task: static1
Behavioral task: behavioral1
- Sample: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
- Resource: win10-en-20211208
General
- Target: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
- Size: 19KB
- MD5: 61c2029fa9b7194a9971ee05e2643bec
- SHA1: 03dbfc548a2fa7e79fe2d5c4433f91a83d8e5c2b
- SHA256: 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c
- SHA512: c15337b14494258670b440e6dfe3fe4e3387ea5caf35eeeec3528a186172a088364ff9fddd6902d82998c3ccd3077bb4babb1bd8781e530512254a6b153ace89
Malware Config
Extracted:
- Family: nworm
- Version: v0.3.8
- 24.101.234.141:8087
- 127.0.0.1:8087
- 38fc6b9e
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoC)
  Processes: pid 4432 ntldr.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes: pid 4336 timeout.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes:
  - pid 3684 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe (13 events)
  - pid 4432 ntldr.exe (13 events)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, pid 3684 0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  - Token: SeDebugPrivilege, pid 4432 ntldr.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (pid, process, target pid, target process):
  - PID 3684 (0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe) wrote to memory of 4212 (schtasks.exe), 2 events
  - PID 3684 (0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe) wrote to memory of 1780 (cmd.exe), 2 events
  - PID 1780 (cmd.exe) wrote to memory of 4336 (timeout.exe), 2 events
  - PID 1780 (cmd.exe) wrote to memory of 4432 (ntldr.exe), 2 events
Processes
- C:\Users\Admin\AppData\Local\Temp\0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c1186bb4c92c71b12cbf855a51efc0cdf41c1774d21ab6b53c5a1746be1c15c.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'ntldr.exe"' /tr "'C:\Users\Admin\AppData\Roaming\ntldr.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6C91.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\ntldr.exe
      Command line: "C:\Users\Admin\AppData\Roaming\ntldr.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6C91.tmp.bat
  MD5: 92241606ac3d4c6cf91f15f1658facb5
  SHA1: 24f2bf52cd4ab6c04b7729a531b8e03c5fe711bd
  SHA256: 7ef7b540451f95a182d30ead85fdc913687a95c205efae75f09ff40e70de5d04
  SHA512: 45b0993e6916bd2e341da7a21d05eca1acf2a4df55a478d0a83d8c4735b2dc0bb5d51000c75658354a21f4c558cbec7eba95f50189f6ac39c2a538ef781caa12
- C:\Users\Admin\AppData\Roaming\ntldr.exe
  MD5: a93112b63a89d896cda7d6c06742cc19
  SHA1: e6a211045ca9fb59d5210d7cf290750b9bf4218e
  SHA256: 8f59a4fc64f275d1cdd20dbe3e4700b1a2d04399fb60dec62067cb0c4c2fc90d
  SHA512: 9906c51373ae3fac85e03357bb03fda7f92427e3877774907d600630736631418960767ea8231d0086f35e6782f5d2b305ef38928408dcb9dbb0ced0c25f6a24
- memory/3684-118-0x0000000000520000-0x000000000052C000-memory.dmp
  Filesize: 48KB
- memory/3684-119-0x0000000000A00000-0x0000000000A80000-memory.dmp
  Filesize: 512KB
- memory/4432-123-0x000000001B570000-0x000000001B572000-memory.dmp
  Filesize: 8KB