Analysis
-
max time kernel
154s
-
max time network
157s
-
platform
windows7_x64
-
resource
win7-en-20211208
-
submitted
26-01-2022 15:33
Static task
static1
Behavioral task
behavioral1
Sample
4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Resource
win10-en-20211208
General
-
Target
4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
-
Size
19KB
-
MD5
8cdf4af6c295da278178651186da9347
-
SHA1
4edd98af3bb46ad5484f97c2470d8ec2a53018ab
-
SHA256
4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e
-
SHA512
d8cbffd7aea77a7ce4554f5d72c29a15ab608dd06e481fce161ea9cfa5f91e5e1a9682827f0dc41a22e374ccf09ff8c6b2792eb8ad67575b00d11cff0d4f6b90
Malware Config
Extracted
nworm
v0.3.8
24.101.169.101:4782
192.168.1.20:4782
85224873
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
1644 | NTLDR.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
pid | process
1652 | timeout.exe
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
1644 | NTLDR.exe
1644 | NTLDR.exe
1644 | NTLDR.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Token: SeDebugPrivilege | 1644 | NTLDR.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
description | pid | process | target process
PID 528 wrote to memory of 340 | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe | schtasks.exe
PID 528 wrote to memory of 340 | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe | schtasks.exe
PID 528 wrote to memory of 340 | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe | schtasks.exe
PID 528 wrote to memory of 2016 | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe | cmd.exe
PID 528 wrote to memory of 2016 | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe | cmd.exe
PID 528 wrote to memory of 2016 | 528 | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe | cmd.exe
PID 2016 wrote to memory of 1652 | 2016 | cmd.exe | timeout.exe
PID 2016 wrote to memory of 1652 | 2016 | cmd.exe | timeout.exe
PID 2016 wrote to memory of 1652 | 2016 | cmd.exe | timeout.exe
PID 2016 wrote to memory of 1644 | 2016 | cmd.exe | NTLDR.exe
PID 2016 wrote to memory of 1644 | 2016 | cmd.exe | NTLDR.exe
PID 2016 wrote to memory of 1644 | 2016 | cmd.exe | NTLDR.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
"C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe" (level 1)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'NTLDR.exe"' /tr "'C:\Users\Admin\AppData\Roaming\NTLDR.exe"' (level 2)
- Creates scheduled task(s)
-
C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7AEA.tmp.bat"" (level 2)
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\timeout.exe
timeout 3 (level 3)
- Delays execution with timeout.exe
-
C:\Users\Admin\AppData\Roaming\NTLDR.exe
"C:\Users\Admin\AppData\Roaming\NTLDR.exe" (level 3)
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7AEA.tmp.bat
MD5
8553ab53fe91e9da95da6ce8b428c788
SHA1
d01881b782a6c7c14fd026b45bf7ede835a839ed
SHA256
666f2deed77b41dcd7f2e4e0a8ad66df62e4e762bf49d68b767ba12f8b83ee91
SHA512
ab3b705d5ee1b2c2648b71eaca7cf8b4c6b49266eb3049d6958dec1aebda070ba5a77f9a38c028ad4eebb543e285a9ef1090b8072c707078366a4b5d31bf443b
-
C:\Users\Admin\AppData\Roaming\NTLDR.exe
MD5
313d4fa72d35f63d675ba7497ae4e9b5
SHA1
99a191be0fe46b618478bbd16822764cb4b2d0a8
SHA256
701ad2ce29179eb4cb60153075286a899f023f7dc9005dad53de646f3017efb7
SHA512
a9d4af9abe0cbcf1b5c313dbc6f2504b1ae47c7ecb1c41cc7e29e18c684387d94a80ad583c67ed733e33af7d33abbc9139ee2b3d604e425b2fd7503d58a735af
-
memory/528-54-0x00000000003C0000-0x00000000003CC000-memory.dmp
Filesize
48KB
-
memory/528-55-0x0000000000280000-0x0000000000390000-memory.dmp
Filesize
1.1MB
-
memory/1644-59-0x0000000000070000-0x000000000007C000-memory.dmp
Filesize
48KB
-
memory/1644-60-0x0000000000530000-0x0000000000532000-memory.dmp
Filesize
8KB