Analysis
- max time kernel: 148s
- max time network: 126s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
- Resource: win10-en-20211208
General
- Target: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
- Size: 19KB
- MD5: fb5aabe905c0e8b3d837e91719f7c5cb
- SHA1: 424c260a208e9fa7ff7d4468ffa368fb3bbafb1d
- SHA256: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44
- SHA512: 28dc13f3c285ad992d750373e446ccb7838d076aad9f72e35f6a5c27b5b721fad25f491a07b62c8e7cea2fd410513ae50e9a5f976a09b02973bb506184f1f6f6
Malware Config
Extracted:
- nworm
- v0.3.8
- crownctf.duckdns.org:448
- microduck.duckdns.org:448
- dbb3c5cc
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 1248  temmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
  - 1332  timeout.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
  - Token: SeDebugPrivilege  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
  - Token: SeDebugPrivilege  1248  temmp.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description, pid, process, target process):
  - PID 2008 wrote to memory of 2012  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe  schtasks.exe
  - PID 2008 wrote to memory of 2012  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe  schtasks.exe
  - PID 2008 wrote to memory of 2012  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe  schtasks.exe
  - PID 2008 wrote to memory of 704  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe  cmd.exe
  - PID 2008 wrote to memory of 704  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe  cmd.exe
  - PID 2008 wrote to memory of 704  2008  20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe  cmd.exe
  - PID 704 wrote to memory of 1332  704  cmd.exe  timeout.exe
  - PID 704 wrote to memory of 1332  704  cmd.exe  timeout.exe
  - PID 704 wrote to memory of 1332  704  cmd.exe  timeout.exe
  - PID 704 wrote to memory of 1248  704  cmd.exe  temmp.exe
  - PID 704 wrote to memory of 1248  704  cmd.exe  temmp.exe
  - PID 704 wrote to memory of 1248  704  cmd.exe  temmp.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'temmp.exe"' /tr "'C:\Users\Admin\AppData\Local\Temp\temmp.exe"'
    - Creates scheduled task(s)
  - (depth 2) C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp646E.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\temmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temmp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\temmp.exe
  MD5: 33a473cb51fa68f4799d4916af8603c9
  SHA1: 8cfd463f96162b005945aa6a7998e03c45093b60
  SHA256: 662aceea051668fca3dfe334bc3cc522263fea7b3b674f9b20769a1e41cdcf7d
  SHA512: a9f46bbf67d7732efcf187ec9c4404ec5451a7317fc4265156a2df09bf291497996af1fe542b2a5131d1ece6fec0d3768d62e18acb7a23c0365538a124a16f26
- C:\Users\Admin\AppData\Local\Temp\tmp646E.tmp.bat
  MD5: 5ebbce1550f4f82e22ba815a5b18f25f
  SHA1: e4db9a3caeb03cede72b3c0f0908cacf12f804fc
  SHA256: bb073f512e3bb848f2ce004bc38f150b228b4658430f331187b6b31cb20c21ef
  SHA512: a0a7c564989b95ddf94efed2bbbd8da21db4ff9810419086f875b43f497f9cd7ebe3c7a08822a10bd5e29c38fecfe7e94c34292a181d495c19fb2b6d3e11cce8
- memory/1248-60-0x0000000000B00000-0x0000000000B0C000-memory.dmp
  Filesize: 48KB
- memory/1248-61-0x0000000002270000-0x000000001A7A0000-memory.dmp
  Filesize: 389.2MB
- memory/2008-55-0x0000000000BE0000-0x0000000000BEC000-memory.dmp
  Filesize: 48KB
- memory/2008-56-0x000007FEFBF81000-0x000007FEFBF83000-memory.dmp
  Filesize: 8KB