Analysis
max time kernel: 146s
max time network: 149s
platform: windows7_x64
resource: win7-en-20211208
submitted: 26-01-2022 14:54
Static task: static1
Behavioral task: behavioral1
  Sample: b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
  Resource: win10-en-20211208
General
Target: b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
Size: 19KB
MD5: fbf86df341ad8b1fe2c799016e2c8721
SHA1: 8ac6f44c179921105658cb95003cd3d2d0f09f61
SHA256: b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674
SHA512: db78261bc620779308b5aab6a02b6af366fceb5b011ae4ce71c18f69f94f463b67707c256f6ba765818ab61a57a882335bd2e6e0c66a20dabdb5a1c5169e25c8
Malware Config
Extracted
Family: nworm
Version: v0.3.8
66.70.242.36:8080
127.0.0.0:8080
0b80e527
Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.

Executes dropped EXE (1 IoCs)
Processes:
pid   process
1096  winServices.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
pid   process
1944  timeout.exe

Suspicious behavior: EnumeratesProcesses (6 IoCs)
Processes:
pid   process
1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
1096  winServices.exe
1096  winServices.exe
1096  winServices.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
description              pid   process
Token: SeDebugPrivilege  1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
Token: SeDebugPrivilege  1096  winServices.exe

Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
description                       pid   process                                                                target process
PID 1592 wrote to memory of 596   1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe  schtasks.exe
PID 1592 wrote to memory of 596   1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe  schtasks.exe
PID 1592 wrote to memory of 596   1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe  schtasks.exe
PID 1592 wrote to memory of 820   1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe  cmd.exe
PID 1592 wrote to memory of 820   1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe  cmd.exe
PID 1592 wrote to memory of 820   1592  b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe  cmd.exe
PID 820 wrote to memory of 1944   820   cmd.exe                                                                timeout.exe
PID 820 wrote to memory of 1944   820   cmd.exe                                                                timeout.exe
PID 820 wrote to memory of 1944   820   cmd.exe                                                                timeout.exe
PID 820 wrote to memory of 1096   820   cmd.exe                                                                winServices.exe
PID 820 wrote to memory of 1096   820   cmd.exe                                                                winServices.exe
PID 820 wrote to memory of 1096   820   cmd.exe                                                                winServices.exe
Processes

C:\Users\Admin\AppData\Local\Temp\b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
  "C:\Users\Admin\AppData\Local\Temp\b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'winServices.exe"' /tr "'C:\Users\Admin\AppData\Roaming\winServices.exe"'
    - Creates scheduled task(s)

  C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp905D.tmp.bat""
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe
      timeout 3
      - Delays execution with timeout.exe

    C:\Users\Admin\AppData\Roaming\winServices.exe
      "C:\Users\Admin\AppData\Roaming\winServices.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp905D.tmp.bat
MD5: 368e1f9aa37e289794184cc055fffe29
SHA1: 8d9c69ec2c47999db78b39b47309e4325881a999
SHA256: dae24c56aa93b1ce5c430fdd12ca1f71ea67d9cf6c14d15f7ff85a8b804ad168
SHA512: 4b6c5d5eb3f16b4a25540f392dcaa111782b58a4c0ef04b28b6a5c9f04843c4d9dbd258e10b0e9c203109ba859b87d96f68d70196a84cfd0e065de6fb6ecb979

C:\Users\Admin\AppData\Roaming\winServices.exe
MD5: 552277a6d5f19df992c4335171ddf338
SHA1: 4796a3ae147b52aabc92ba6dcbf00f53b65b7e53
SHA256: 17e86b1bdf15b1191fd3896eaa34560ccff7c39e3efb692da9f984595a7212e2
SHA512: b24197d1e849b159ddf68d36c18ddaf62310a2f2d3a4da3a22e93666cad61e8b44a1abcc62935cab287290b6efa54000e26f7088a4c36a3eac8aa24d065c47bf
memory/1096-59-0x00000000010A0000-0x00000000010AC000-memory.dmp
Filesize: 48KB

memory/1096-60-0x000000001AD30000-0x000000001AD32000-memory.dmp
Filesize: 8KB

memory/1592-54-0x0000000001290000-0x000000000129C000-memory.dmp
Filesize: 48KB

memory/1592-55-0x000000001B0F0000-0x000000001B0F2000-memory.dmp
Filesize: 8KB