Analysis
- max time kernel: 149s
- max time network: 132s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 14:54

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
  Resource: win7-en-20211208
- Behavioral task: behavioral2
  Sample: d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
  Resource: win10-en-20211208
General
- Target: d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
- Size: 33KB
- MD5: 7341966dff36665a31185cb2b4331f0d
- SHA1: 02572e87b124474b1553e9bc418f7c8a4248be70
- SHA256: d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e
- SHA512: 94e4be60b3508a3e9868ffee630f37c21104be85a8c412c8edc7924af8b60f73bdd183eba89133afb54d01cfe88ec26b68cff1870b86cf3459e8c7505c229a93

Malware Config
Extracted
- Family: nworm
- Version: v0.3.8
- C2: Jonathin8068-24257.portmap.host:60149
- 9c5336ac
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoC)
  Processes:
    pid 1284  omegalol.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes:
    pid 624   timeout.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
    pid 1296  d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe (reported 3 times)
    pid 1284  omegalol.exe (reported 3 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1296  d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
    Token: SeDebugPrivilege  1284  omegalol.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1296 wrote to memory of 1868  1296  d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe  schtasks.exe (reported 3 times)
    PID 1296 wrote to memory of 1604  1296  d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe  cmd.exe (reported 3 times)
    PID 1604 wrote to memory of 624   1604  cmd.exe  timeout.exe (reported 3 times)
    PID 1604 wrote to memory of 1284  1604  cmd.exe  omegalol.exe (reported 3 times)
Processes
1. C:\Users\Admin\AppData\Local\Temp\d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'omegalol.exe"' /tr "'C:\Users\Admin\AppData\Roaming\omegalol.exe"'
      - Creates scheduled task(s)
   2. C:\Windows\system32\cmd.exe
      Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5457.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe
         Command line: timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\omegalol.exe
         Command line: "C:\Users\Admin\AppData\Roaming\omegalol.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5457.tmp.bat
  MD5: 1a335f403cfb8b5a12d69018f6bd8401
  SHA1: 07f07c892aaed746c59ddcc39d28420450bfd4e5
  SHA256: 57b74d0b678363af804129efcf04dd1145c00847eb42add9ad42308bfa46ba55
  SHA512: 4061ca8ec4e27dac8d5b30a5abf5740f22bb205f8bf91cc64197cf91219ae89c590e76db8a7220da28d6855f93812f6111dcaa96793bd89cc52f864eb3b4f9f0
- C:\Users\Admin\AppData\Roaming\omegalol.exe
  MD5: 8ce119db9848a23b97c5846974103aed
  SHA1: ddfba68a1d85e5b3370e641d2b44c2187c634901
  SHA256: 176f1c306e1ecd39b238274f0fe1065107802d82e2ee6437e1fecb83d3f9223d
  SHA512: 8e6471ae0040cc7fb176264d68ead4902746d4942da7bab6c5a4c46fee612b74298ff8e084cef067c869305ad721cfa24825a28db97bf659c27a55a78ed84805
- memory/1284-59-0x0000000000FB0000-0x0000000000FBE000-memory.dmp
  Filesize: 56KB
- memory/1284-60-0x000000001AD50000-0x000000001AD52000-memory.dmp
  Filesize: 8KB
- memory/1296-54-0x0000000000F40000-0x0000000000F4E000-memory.dmp
  Filesize: 56KB
- memory/1296-55-0x0000000000D50000-0x0000000000F40000-memory.dmp
  Filesize: 1.9MB