Analysis
Max time kernel: 144s
Max time network: 155s
Platform: windows7_x64
Resource: win7-en-20211208
Submitted: 26-01-2022 14:53
Static task: static1
Behavioral task: behavioral1
  Sample: 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
  Resource: win10-en-20211208
General
Target: 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
Size: 19KB
MD5: c722ffe89ecb69db142ecb15bc71c572
SHA1: febf301c31f726d00682afda2b33f2776d7b34c2
SHA256: 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a
SHA512: 4b396ed48645db4d983bdf8e55755af5bf4613e14a8aeb1881774264c2fb62508ea4fe67fb5d98783107649365c13b1acd32e2aa44d0272b36c2e80f533ffa67
Malware Config
Extracted family: nworm
Version: v0.3.8
C2: ofi.dyn.ydns.io:1080
C2: redlan.mywire.org:1080
b0456e7e (unlabelled config value)
Signatures

NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.

Executes dropped EXE (1 IoC)
  Processes: PID 428 NetUserDat.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature notes it is also typical ransomware behaviour; for this sample it is recorded from a propagation module, not an encryptor.

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  Processes: PID 1224 timeout.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes: PID 308 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe (3 events); PID 428 NetUserDat.exe (3 events)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  PID 308 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe: Token: SeDebugPrivilege
  PID 428 NetUserDat.exe: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (12 IoCs)
  Source PID  Source process                                                          Target PID  Target process   Writes
  308         3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe    304         schtasks.exe     3
  308         3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe    824         cmd.exe          3
  824         cmd.exe                                                                 1224        timeout.exe      3
  824         cmd.exe                                                                 428         NetUserDat.exe   3
  Every target is a direct child of the writing process, so these writes are the parent populating a freshly created child (normal CreateProcess behaviour); no write into an unrelated process is recorded.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe"
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'NetUserDat.exe"' /tr "'C:\Users\Admin\AppData\Roaming\NetUserDat.exe"'
        - Creates scheduled task(s)

    [2] C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4B52.tmp.bat""
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\timeout.exe
            Command line: timeout 3
            - Delays execution with timeout.exe

        [3] C:\Users\Admin\AppData\Roaming\NetUserDat.exe
            Command line: "C:\Users\Admin\AppData\Roaming\NetUserDat.exe"
            - Executes dropped EXE
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
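The process tree shows two behaviours worth a detection: schtasks.exe registering an ONLOGON task with /RL HIGHEST whose action lives in the user-writable AppData\Roaming directory, and cmd.exe running a tmpXXXX.tmp.bat from %TEMP% that waits with timeout.exe and then launches the dropped copy. The following Python is an added example, not part of the sandbox report or of the malware; it runs over constructed Sysmon-style process-creation records (PID, parent PID, image, command line) rebuilt from the tree above. The parent PID 1000 of the sample and the benign DAILY backup task are assumed for the demonstration.

```python
"""Added detection example (not part of the sandbox report): flags the two
behaviours the process tree above records, using constructed Sysmon-style
process-creation records built from that tree."""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    """One process-creation record: Sysmon Event ID 1 carries these fields."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Profile directories any unprivileged user can write to. A task action that
# lives here is the tell-tale of user-level persistence asking for elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(Roaming|Local)\\", re.IGNORECASE)
# Name pattern of the staging batch file (tmpXXXX.tmp.bat in %TEMP%).
STAGING_BAT = re.compile(r"\\Temp\\tmp[0-9A-F]{4}\.tmp\.bat", re.IGNORECASE)


def parse_switches(cmdline):
    """Turn 'schtasks.exe /create /sc ONLOGON /tr x' into {'/create': '', '/sc': 'ONLOGON', '/tr': 'x'}.
    Whitespace splitting is enough for the paths seen here (no embedded spaces);
    the mixed quoting schtasks tolerates is stripped from both ends of each value."""
    opts, key = {}, None
    for tok in cmdline.split()[1:]:          # token 0 is the image path
        if tok.startswith("/"):
            key = tok.lower()
            opts[key] = ""
        elif key is not None:
            opts[key] = (opts[key] + " " + tok).strip()
    return {k: v.strip("\"'") for k, v in opts.items()}


def check_schtasks(ev):
    """Score a schtasks /create call: a logon/boot trigger, highest run level and an
    action binary in a user-writable directory together indicate malware persistence."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return None
    o = parse_switches(ev.cmdline)
    if "/create" not in o:
        return None
    evidence = []
    if o.get("/sc", "").lower() in ("onlogon", "onstart"):
        evidence.append("trigger /sc " + o["/sc"])
    if o.get("/rl", "").lower() == "highest":
        evidence.append("/RL HIGHEST requested")
    if USER_WRITABLE.search(o.get("/tr", "")):
        evidence.append("action in user-writable path: " + o["/tr"])
    if len(evidence) >= 2:
        return {"rule": "suspicious_scheduled_task", "pid": ev.pid, "evidence": evidence}
    return None


def check_staging_chain(events):
    """cmd.exe /c <%TEMP%\\tmpXXXX.tmp.bat> whose children are timeout.exe and an
    EXE under the user profile: the drop, wait, relaunch pattern from the report."""
    children = {}
    for ev in events:
        children.setdefault(ev.ppid, []).append(ev)
    findings = []
    for ev in events:
        if not ev.image.lower().endswith("\\cmd.exe") or not STAGING_BAT.search(ev.cmdline):
            continue
        kids = children.get(ev.pid, [])
        delayed = any(k.image.lower().endswith("\\timeout.exe") for k in kids)
        launched = [k.image for k in kids
                    if k.image.lower().endswith(".exe") and USER_WRITABLE.search(k.image)]
        if delayed and launched:
            findings.append({"rule": "batch_delay_then_dropped_exe", "pid": ev.pid,
                             "evidence": launched})
    return findings


def analyze(events):
    findings = [f for f in (check_schtasks(ev) for ev in events) if f]
    return findings + check_staging_chain(events)


# Constructed records reproducing the report's process tree (PIDs and command lines
# as listed there; the parent PID 1000 and the benign DAILY task are assumed).
SAMPLE = "3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe"
SCHTASKS_CMD = ('"C:\\Windows\\System32\\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST '
                '/tn "\'NetUserDat.exe"\' /tr "\'C:\\Users\\Admin\\AppData\\Roaming\\NetUserDat.exe"\'')
SAMPLE_EVENTS = [
    ProcEvent(308, 1000, "C:\\Users\\Admin\\AppData\\Local\\Temp\\" + SAMPLE,
              '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'),
    ProcEvent(304, 308, "C:\\Windows\\System32\\schtasks.exe", SCHTASKS_CMD),
    ProcEvent(824, 308, "C:\\Windows\\system32\\cmd.exe",
              'cmd /c ""C:\\Users\\Admin\\AppData\\Local\\Temp\\tmp4B52.tmp.bat""'),
    ProcEvent(1224, 824, "C:\\Windows\\system32\\timeout.exe", "timeout 3"),
    ProcEvent(428, 824, "C:\\Users\\Admin\\AppData\\Roaming\\NetUserDat.exe",
              '"C:\\Users\\Admin\\AppData\\Roaming\\NetUserDat.exe"'),
    # Benign control (assumed): an admin-created daily task pointing at Program Files.
    ProcEvent(900, 1000, "C:\\Windows\\System32\\schtasks.exe",
              'schtasks.exe /create /sc DAILY /tn Backup /tr "C:\\Program Files\\Backup\\run.exe"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f["rule"], "pid", f["pid"], "->", "; ".join(f["evidence"]))
```

The scheduled-task rule needs two of the three indicators so that an ONLOGON task pointing at Program Files, or a HIGHEST-run-level task created by an installer, does not fire alone; the staging rule keys on the parent/child relationship rather than on the batch file's hash, since the tmpXXXX name and contents change per run.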
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
C:\Users\Admin\AppData\Local\Temp\tmp4B52.tmp.bat
  MD5: abf17c3a9458f1adea182b49cd17b617
  SHA1: 7cf4eaba7aa99d6ccb0d0af6bc0f0e9ed30282f0
  SHA256: 80237041c6c5eaf8e7a42b46d5df52d3b8c9f4a2c1dcd4a91dfe5d5d78dfbbe9
  SHA512: 7a450e8698cb3bd75e385ccf7fe2a5e6f322fdedf7616521bae800efecab457444fe39197195a91dc8ea6307803c20b0345ee46caa93b637b3afff822ab9d837

C:\Users\Admin\AppData\Roaming\NetUserDat.exe
  MD5: 2b49fa530456d173471f0c1de64a3997
  SHA1: 7c3e94ac692b321d4ea6dcba2907cb8107053ad9
  SHA256: b399cf366d2c98df3cae6db0ad460bb86fdc5a817673f7ead6a791e3c085ab78
  SHA512: 11c93fec39724cff74031e7ffa7f86a2ad1cf8b5eb2e3e88e8b617bfa4767d07b7293952f81c6d8f4d1287ac649ca1f64b392bf1da1b3eb705c6381a58fafdf4
  Note: the persisted copy does not hash-match the submitted sample (MD5 c722ffe89ecb69db142ecb15bc71c572), so hunting by hash needs both values.

memory/308-54-0x00000000011E0000-0x00000000011EC000-memory.dmp  Filesize: 48KB
memory/308-55-0x000000001B0F0000-0x000000001B0F2000-memory.dmp  Filesize: 8KB
memory/428-59-0x0000000000340000-0x000000000034C000-memory.dmp  Filesize: 48KB
memory/428-60-0x000000001B0C0000-0x000000001B0C2000-memory.dmp  Filesize: 8KB