Analysis
- max time kernel: 149s
- max time network: 125s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
- Resource: win10-en-20211208
General
- Target: 0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
- Size: 49KB
- MD5: ef5575dc5a9673885a93816fec5752e3
- SHA1: 981b40105ff0b9d1deafae85517efb2bc03c54cc
- SHA256: 0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268
- SHA512: 2979efab620d252ce552ea376878f807860030f33aa1c2265eb24b3ec7e8ba2f7190a61a49655b8ed59e5be583edcf257fccf9bbdb423e6e5d64afe288bbb5a6
Malware Config
Extracted
nworm
v0.3.8
google8.ddns.net:1999
52889f08
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid  process
  796  Adobe.vbs.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid  process
  632  timeout.exe
- Suspicious behavior: EnumeratesProcesses (6 IoCs)
  Processes:
  pid   process
  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
  796   Adobe.vbs.exe
  796   Adobe.vbs.exe
  796   Adobe.vbs.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
  Token: SeDebugPrivilege  796   Adobe.vbs.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description                       pid   process                                                                target process
  PID 1908 wrote to memory of 1292  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe  schtasks.exe
  PID 1908 wrote to memory of 1292  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe  schtasks.exe
  PID 1908 wrote to memory of 1292  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe  schtasks.exe
  PID 1908 wrote to memory of 1084  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe  cmd.exe
  PID 1908 wrote to memory of 1084  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe  cmd.exe
  PID 1908 wrote to memory of 1084  1908  0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe  cmd.exe
  PID 1084 wrote to memory of 632   1084  cmd.exe                                                                timeout.exe
  PID 1084 wrote to memory of 632   1084  cmd.exe                                                                timeout.exe
  PID 1084 wrote to memory of 632   1084  cmd.exe                                                                timeout.exe
  PID 1084 wrote to memory of 796   1084  cmd.exe                                                                Adobe.vbs.exe
  PID 1084 wrote to memory of 796   1084  cmd.exe                                                                Adobe.vbs.exe
  PID 1084 wrote to memory of 796   1084  cmd.exe                                                                Adobe.vbs.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Adobe.vbs.exe"' /tr "'C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp57A2.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe
      Command line: "C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe"
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp57A2.tmp.bat
  MD5: 081bcae08a5e79c34e6a1d4fc5a844fb
  SHA1: ba9c5f944367399e6af2a4f8dd3edc09159e3114
  SHA256: a64e193c62c004eae3f92111d769a3d3dad9f38954fd4ba67732f12313e655e8
  SHA512: 23b4c65af7e881e33a47ba825d16be6a84b053e797a49301a38ee358cdc9ff031ca54294df00903186c4a1bbd02f39433ae09cfa92073b87b00799c81c8ec644
- C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe
  MD5: 4907430311e1f4fa18d74d91d3490cb7
  SHA1: e0833e24261ad3edf704ec15c047161dde216337
  SHA256: 260718c69e59a2e2a98a0a09b2d6ada02689af18a0201065064883904a3f7e55
  SHA512: 5bf3b9d43046ae6d3e809e5ac33fe0141411c17332d0355f6891e7450a28384da32c2bbfad6925ef4da41a83c23bb27b1773e13a16c7fd8849d9472e43a1194f
- memory/796-59-0x0000000000EF0000-0x0000000000F02000-memory.dmp
  Filesize: 72KB
- memory/796-60-0x0000000000AB0000-0x0000000000AB2000-memory.dmp
  Filesize: 8KB
- memory/1908-54-0x0000000001200000-0x0000000001212000-memory.dmp
  Filesize: 72KB
- memory/1908-55-0x000000001AF30000-0x000000001AF32000-memory.dmp
  Filesize: 8KB