Analysis
- max time kernel: 154s
- max time network: 154s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe
- Resource: win10-en-20211208
General
- Target: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe
- Size: 17KB
- MD5: 16ce8ee04799a1e4f531eec98418a994
- SHA1: cda1ba9604872a6f462a21f6b82b2ca643b81b76
- SHA256: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd
- SHA512: dcb4486d0a9fc66b0bf71083e3f79950d3f163bf74526c862dc7b8717d26829d3e04715eaa566db8ecd46cc778839efef8a9d9da090e7f90f8301869d79dc289
Malware Config
Extracted
- Family: nworm
- Version: v0.3.8
- jtbz.ddns.net:1604
- jtbz2.ddns.net:1604
- 2f5c1f29
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes: windows.exe (PID 840)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes: timeout.exe (PID 3944)
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe (PID 796), description: Token: SeDebugPrivilege
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (source PID -> target PID, source process -> target process; each event was recorded twice):
  796 -> 2764: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe -> schtasks.exe
  796 -> 1884: 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe -> cmd.exe
  1884 -> 3944: cmd.exe -> timeout.exe
  1884 -> 840: cmd.exe -> windows.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe
  "C:\Users\Admin\AppData\Local\Temp\5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'windows.exe"' /tr "'C:\Users\Admin\AppData\Roaming\windows.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD250.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\windows.exe
      "C:\Users\Admin\AppData\Roaming\windows.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmpD250.tmp.bat
  MD5: 417b39b756a5a03f90152fb9b7aa9a8a
  SHA1: 8015082cb41a3fa8a8fa965ce10d74808b54ae24
  SHA256: 052b9fee21d071d0f3c1807b75f7377cd730c705cef413d252ba0496779471c6
  SHA512: e6dd69b7b87cd4ec9d1afee6ebb9439a9d2ae44cef5ead0245fc6a599a57706d90ef745cb2d76b01ffdf341e9865c9038d35593780f83270fe6e5f701b3984d7
- C:\Users\Admin\AppData\Roaming\windows.exe
  MD5: ccea063e8b7b5faaf0533609214097d6
  SHA1: 948d3a1d3bfd995e152a8ff14c607cd41cf5ff28
  SHA256: 9a03471db77059fadb1928c707c7c00faf036679104781adc3d45d107baaee2e
  SHA512: e65929d5ba03589130c2962deff4c577be05f231002717e0c72efa01903e1bee6eb7d7c29bb7b58d8c64fd3e322cafbab74c7be5460c7724409c33775481eba9
- memory/796-115-0x0000000000590000-0x000000000059A000-memory.dmp
  Filesize: 40KB
- memory/840-119-0x000000001AEB0000-0x000000001AEB2000-memory.dmp
  Filesize: 8KB