Analysis
Max time kernel: 145s
Max time network: 151s
Platform: windows10_x64
Resource: win10-en-20211208
Submitted: 26-01-2022 14:53
Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
  Resource: win10-en-20211208
General
Target: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
Size: 22KB
MD5: 01573f1b61b5578c5c87e555e74f75a6
SHA1: ade56f4a823f742d7202a72a2fb16384f9711637
SHA256: 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1
SHA512: a27d20a92123afd6302d67368622947d7fb978aa75212be24f3f3a38031c9215b6824044fb728b5bbf557c17d213d1e0ff630c970168837c08bfb50ea38e986a
Malware Config
Extracted: nworm v0.3.8
  185.247.69.194:6333
  91.202.169.7:6333
  1f09d7c7
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1632 java.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
    1120 timeout.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege, 616, 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
    Token: SeDebugPrivilege, 1632, java.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 616 wrote to memory of 2992, 616, 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe, schtasks.exe
    PID 616 wrote to memory of 2992, 616, 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe, schtasks.exe
    PID 616 wrote to memory of 2760, 616, 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe, cmd.exe
    PID 616 wrote to memory of 2760, 616, 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe, cmd.exe
    PID 2760 wrote to memory of 1120, 2760, cmd.exe, timeout.exe
    PID 2760 wrote to memory of 1120, 2760, cmd.exe, timeout.exe
    PID 2760 wrote to memory of 1632, 2760, cmd.exe, java.exe
    PID 2760 wrote to memory of 1632, 2760, cmd.exe, java.exe
Processes (process tree; depth shown by indentation)
- C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'java.exe"' /tr "'C:\Users\Admin\AppData\Roaming\java.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC09.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\java.exe
      Command line: "C:\Users\Admin\AppData\Roaming\java.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpBC09.tmp.bat
  MD5: 30555202bcbb7e6cb72801355e41259d
  SHA1: a13bdeae264741e1e1205702d87c20180f022558
  SHA256: da5ef21c4cf5184db5331c82b67a05c806b22281d8d24b0f18c85784382982cc
  SHA512: 4e5648a17a063032376d501731e9e4e1b6bba194cfcbcb26c7f0f66a7ca22f9327bc5bcdf342bce705d5885466ae413d0a2833db94a40c05e8ec6d0cdbf1a040
- C:\Users\Admin\AppData\Roaming\java.exe
  MD5: 48a6d3c455536ef54f7d31c7ea893515
  SHA1: 38da31e73e9a4f54d6763dd9e7706d5dcfa0b5f2
  SHA256: 227f03e971b681f509ad059afaf05eae74782b58fde1f9dffbb9d5592b42bec9
  SHA512: c7e4aed148bd3c1dd3ad1918adad7393f66da0312121403ce077d50a271f1874fed2b5ed6be4d733f5ebc3cebb84ab6b584b23448a5dcf6226ef1e730324c02a
- memory/616-115-0x0000000000580000-0x000000000058C000-memory.dmp
  Filesize: 48KB
- memory/1632-119-0x000000001B430000-0x000000001B432000-memory.dmp
  Filesize: 8KB