Analysis
- max time kernel: 137s
- max time network: 149s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
  Resource: win10-en-20211208
General
- Target: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
- Size: 83KB
- MD5: 972a4f69140dd4785c051d5e82937404
- SHA1: 5792f489d1337f21b4783aa9d87dd664f4b662bc
- SHA256: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f
- SHA512: 39fb7b873c325cc7e4a5a73ec9383e8ff604c649a2b1e3dbb410e63d6c66e44a37568e6b9ff475d05b4133cad1c95a246ce831a2075f79189921536c9ea93a6c
Malware Config
Extracted
- Family: nworm
- Version: v0.3.8
- C2: narotomagic.publicvm.com:1170
- c31d7883
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes: SANTOK.exe (pid 4368)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe (pid 4380)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe (pid 3652), description: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description | pid | process | target process):
  PID 3652 wrote to memory of 4268 | 3652 | 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe | schtasks.exe
  PID 3652 wrote to memory of 4268 | 3652 | 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe | schtasks.exe
  PID 3652 wrote to memory of 4384 | 3652 | 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe | cmd.exe
  PID 3652 wrote to memory of 4384 | 3652 | 34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe | cmd.exe
  PID 4384 wrote to memory of 4380 | 4384 | cmd.exe | timeout.exe
  PID 4384 wrote to memory of 4380 | 4384 | cmd.exe | timeout.exe
  PID 4384 wrote to memory of 4368 | 4384 | cmd.exe | SANTOK.exe
  PID 4384 wrote to memory of 4368 | 4384 | cmd.exe | SANTOK.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\34a01c5a55d7f77a53d694af2dcd284b259530a34a3ac8caa279cccc4959710f.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'SANTOK.exe"' /tr "'C:\Users\Admin\AppData\Roaming\SANTOK.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1818.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\SANTOK.exe
      Command line: "C:\Users\Admin\AppData\Roaming\SANTOK.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp1818.tmp.bat
  MD5: 1296f9e2ab3bbcb2916adf13e455994f
  SHA1: 2fa18742c4a2daff32acfa874bf15e0f6e070a79
  SHA256: 412b339508a0d924a988acda3bd5b3b7c6d93b8db0348f4dcc852f8b555ddc3c
  SHA512: 98c43af2ecf32b367fe42438f9965ec7adad086519f8bf9aa8a9dfe51a0d23fd380196bd8897c058b0af4659dab4c230fb4f56c777b927f66276b0ec3a67c2dc
- C:\Users\Admin\AppData\Roaming\SANTOK.exe
  MD5: b4550711522273f6531cf1b03441c373
  SHA1: a6678cae3edee0f47f80d189deade266499d74f5
  SHA256: 8bda248c6b2d8faaa44d7bf1b1678d2530a9180d63d3bcb7818f66840a4016c2
  SHA512: 23d746191ee326c26b7b515114b7889e1e767d52debd88757db25c740d7de8466c64e802ea59655e15bd8d3783b0aa704c92c75fbccdec98f7b261028ded7858
- memory/3652-115-0x0000000000820000-0x000000000083A000-memory.dmp
  Filesize: 104KB
- memory/4368-119-0x000000001B280000-0x000000001B282000-memory.dmp
  Filesize: 8KB