Analysis
- max time kernel: 150s
- max time network: 138s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
  Resource: win10-en-20211208
General
- Target: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
- Size: 83KB
- MD5: 972a4f69140dd4785c051d5e82937404
- SHA1: 5792f489d1337f21b4783aa9d87dd664f4b662bc
- SHA256: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f
- SHA512: 39fb7b873c325cc7e4a5a73ec9383e8ff604c649a2b1e3dbb410e63d6c66e44a37568e6b9ff475d05b4133cad1c95a246ce831a2075f79189921536c9ea93a6c
Malware Config
Extracted
nworm
v0.3.8
narotomagic.publicvm.com:1170
c31d7883
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoC)
  Processes (pid / process):
    540  SANTOK.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes (pid / process):
    1132  timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes (description / pid / process):
    Token: SeDebugPrivilege  1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes (description / pid / process / target process):
    PID 1724 wrote to memory of 460   1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe  schtasks.exe
    PID 1724 wrote to memory of 460   1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe  schtasks.exe
    PID 1724 wrote to memory of 460   1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe  schtasks.exe
    PID 1724 wrote to memory of 1248  1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe  cmd.exe
    PID 1724 wrote to memory of 1248  1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe  cmd.exe
    PID 1724 wrote to memory of 1248  1724  34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe  cmd.exe
    PID 1248 wrote to memory of 1132  1248  cmd.exe  timeout.exe
    PID 1248 wrote to memory of 1132  1248  cmd.exe  timeout.exe
    PID 1248 wrote to memory of 1132  1248  cmd.exe  timeout.exe
    PID 1248 wrote to memory of 540   1248  cmd.exe  SANTOK.exe
    PID 1248 wrote to memory of 540   1248  cmd.exe  SANTOK.exe
    PID 1248 wrote to memory of 540   1248  cmd.exe  SANTOK.exe
Processes
- [depth 1] C:\Users\Admin\AppData\Local\Temp\34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - [depth 2] C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'SANTOK.exe"' /tr "'C:\Users\Admin\AppData\Roaming\SANTOK.exe"'
    - Creates scheduled task(s)
  - [depth 2] C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - [depth 3] C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - [depth 3] C:\Users\Admin\AppData\Roaming\SANTOK.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SANTOK.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp4F96.tmp.bat
  MD5: 1296f9e2ab3bbcb2916adf13e455994f
  SHA1: 2fa18742c4a2daff32acfa874bf15e0f6e070a79
  SHA256: 412b339508a0d924a988acda3bd5b3b7c6d93b8db0348f4dcc852f8b555ddc3c
  SHA512: 98c43af2ecf32b367fe42438f9965ec7adad086519f8bf9aa8a9dfe51a0d23fd380196bd8897c058b0af4659dab4c230fb4f56c777b927f66276b0ec3a67c2dc
- C:\Users\Admin\AppData\Roaming\SANTOK.exe
  MD5: f3cd50692308908e3589fc9504a93229
  SHA1: fd3167813e04ab84a8260a6688e8b89cec1f3654
  SHA256: a4c82be64d4bf02a942da91f27d24eb79aaaca5bf438e3aab99bd6095ba6a582
  SHA512: 25227d8d0e8975d4b57548bd0022baa12c71293ba5f70573a6d62b6e9061d0f10387cdfe4d8276a911c108cec77b404e540e640e7c237ce2a187680be42a5a48
- memory/540-58-0x00000000008C0000-0x00000000008DA000-memory.dmp
  Filesize: 104KB
- memory/540-59-0x0000000002130000-0x0000000002132000-memory.dmp
  Filesize: 8KB
- memory/1724-53-0x0000000000C10000-0x0000000000C2A000-memory.dmp
  Filesize: 104KB
- memory/1724-54-0x000007FEFC451000-0x000007FEFC453000-memory.dmp
  Filesize: 8KB