Analysis
max time kernel: 149s
max time network: 171s
platform: windows7_x64
resource: win7-en-20211208
submitted: 26-01-2022 14:53
Static task: static1
Behavioral task: behavioral1
  Sample: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
  Resource: win10-en-20211208
General
Target: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
Size: 22KB
MD5: 01573f1b61b5578c5c87e555e74f75a6
SHA1: ade56f4a823f742d7202a72a2fb16384f9711637
SHA256: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1
SHA512: a27d20a92123afd6302d67368622947d7fb978aa75212be24f3f3a38031c9215b6824044fb728b5bbf557c17d213d1e0ff630c970168837c08bfb50ea38e986a
Malware Config
Extracted
nworm
v0.3.8
185.247.69.194:6333
91.202.169.7:6333
1f09d7c7
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes: java.exe (pid 856)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe (pid 1816)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, pid 1520, 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
    Token: SeDebugPrivilege, pid 856, java.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
    PID 1520 wrote to memory of 1928: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe -> schtasks.exe
    PID 1520 wrote to memory of 1928: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe -> schtasks.exe
    PID 1520 wrote to memory of 1928: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe -> schtasks.exe
    PID 1520 wrote to memory of 876: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe -> cmd.exe
    PID 1520 wrote to memory of 876: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe -> cmd.exe
    PID 1520 wrote to memory of 876: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe -> cmd.exe
    PID 876 wrote to memory of 1816: cmd.exe -> timeout.exe
    PID 876 wrote to memory of 1816: cmd.exe -> timeout.exe
    PID 876 wrote to memory of 1816: cmd.exe -> timeout.exe
    PID 876 wrote to memory of 856: cmd.exe -> java.exe
    PID 876 wrote to memory of 856: cmd.exe -> java.exe
    PID 876 wrote to memory of 856: cmd.exe -> java.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'java.exe"' /tr "'C:\Users\Admin\AppData\Roaming\java.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F5B.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\java.exe
      Command line: "C:\Users\Admin\AppData\Roaming\java.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp9F5B.tmp.bat
  MD5: 30555202bcbb7e6cb72801355e41259d
  SHA1: a13bdeae264741e1e1205702d87c20180f022558
  SHA256: da5ef21c4cf5184db5331c82b67a05c806b22281d8d24b0f18c85784382982cc
  SHA512: 4e5648a17a063032376d501731e9e4e1b6bba194cfcbcb26c7f0f66a7ca22f9327bc5bcdf342bce705d5885466ae413d0a2833db94a40c05e8ec6d0cdbf1a040
- C:\Users\Admin\AppData\Roaming\java.exe
  MD5: 4aa6a16a99e39e4d7fac8b76ae46d087
  SHA1: 011afc32fadd18a0e4f8245600825f3f821b7e21
  SHA256: 83bc87af87e24d8eede311eaa70f982e247c28d5e4c00983a2db1e00bd748b5b
  SHA512: 60e910ea327c11bf3332e43eb27ccf2e6841b144182aa321ee147582c649788c7190410be5af6d3ccc62d3f88d883a1e022fbb5ab4603cdf70c5358092dad7a1
- memory/856-59-0x00000000008D0000-0x00000000008DC000-memory.dmp
  Filesize: 48KB
- memory/856-60-0x000000001AF80000-0x000000001AF82000-memory.dmp
  Filesize: 8KB
- memory/1520-54-0x0000000001360000-0x000000000136C000-memory.dmp
  Filesize: 48KB
- memory/1520-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp
  Filesize: 8KB