Analysis
- max time kernel: 151s
- max time network: 145s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
  Resource: win10-en-20211208
General
- Target: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
- Size: 19KB
- MD5: fb5aabe905c0e8b3d837e91719f7c5cb
- SHA1: 424c260a208e9fa7ff7d4468ffa368fb3bbafb1d
- SHA256: 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44
- SHA512: 28dc13f3c285ad992d750373e446ccb7838d076aad9f72e35f6a5c27b5b721fad25f491a07b62c8e7cea2fd410513ae50e9a5f976a09b02973bb506184f1f6f6
Malware Config
Extracted
- Family: nworm
- Version: v0.3.8
- C2: crownctf.duckdns.org:448
- C2: microduck.duckdns.org:448
- dbb3c5cc
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes:
    pid   process
    1072  temmp.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
    pid   process
    1660  timeout.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
    description              pid   process
    Token: SeDebugPrivilege  812   20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
    Token: SeDebugPrivilege  1072  temmp.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
    description                      pid   process                                                                 target process
    PID 812 wrote to memory of 436   812   20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe   schtasks.exe
    PID 812 wrote to memory of 436   812   20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe   schtasks.exe
    PID 812 wrote to memory of 1788  812   20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe   cmd.exe
    PID 812 wrote to memory of 1788  812   20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe   cmd.exe
    PID 1788 wrote to memory of 1660 1788  cmd.exe                                                                 timeout.exe
    PID 1788 wrote to memory of 1660 1788  cmd.exe                                                                 timeout.exe
    PID 1788 wrote to memory of 1072 1788  cmd.exe                                                                 temmp.exe
    PID 1788 wrote to memory of 1072 1788  cmd.exe                                                                 temmp.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'temmp.exe"' /tr "'C:\Users\Admin\AppData\Local\Temp\temmp.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3573.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Local\Temp\temmp.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\temmp.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\temmp.exe
  MD5: 817214118f22c47d43c697d14b66cab3
  SHA1: 17687f77c7c128fc13a8368364f34f990fd4ea14
  SHA256: 2d4d1921457831964db12303909279abff68fc157585a3a6feb2082e26e9560d
  SHA512: 45e5c1799f3ea75b7c8eb4c89a76f20e8180771ce24de05a72159f188661481356909a1351ec8fada6f25215ab40db0a9cbf2b74a8996080132e6379a5670e02
- C:\Users\Admin\AppData\Local\Temp\tmp3573.tmp.bat
  MD5: 5ebbce1550f4f82e22ba815a5b18f25f
  SHA1: e4db9a3caeb03cede72b3c0f0908cacf12f804fc
  SHA256: bb073f512e3bb848f2ce004bc38f150b228b4658430f331187b6b31cb20c21ef
  SHA512: a0a7c564989b95ddf94efed2bbbd8da21db4ff9810419086f875b43f497f9cd7ebe3c7a08822a10bd5e29c38fecfe7e94c34292a181d495c19fb2b6d3e11cce8
- memory/812-118-0x0000000000330000-0x000000000033C000-memory.dmp
  Filesize: 48KB
- memory/1072-122-0x000000001B860000-0x000000001B862000-memory.dmp
  Filesize: 8KB