Analysis
max time kernel: 146s
max time network: 155s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
  Sample: 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
  Resource: win7-en-20211208
Behavioral task: behavioral2
  Sample: 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
  Resource: win10-en-20211208
General
Target: 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Size: 19KB
MD5: 8cdf4af6c295da278178651186da9347
SHA1: 4edd98af3bb46ad5484f97c2470d8ec2a53018ab
SHA256: 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e
SHA512: d8cbffd7aea77a7ce4554f5d72c29a15ab608dd06e481fce161ea9cfa5f91e5e1a9682827f0dc41a22e374ccf09ff8c6b2792eb8ad67575b00d11cff0d4f6b90
Malware Config
Extracted: nworm v0.3.8
  24.101.169.101:4782
  192.168.1.20:4782
  85224873
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
    1748  NTLDR.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes (pid, process):
    3372  timeout.exe
- Suspicious behavior: EnumeratesProcesses (26 IoCs)
  Processes (pid, process):
    2660  4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe  (listed 13 times)
    1748  NTLDR.exe  (listed 13 times)
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description, pid, process):
    Token: SeDebugPrivilege  2660  4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
    Token: SeDebugPrivilege  1748  NTLDR.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description, pid, process, target process):
    PID 2660 wrote to memory of 3968  2660  4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe  schtasks.exe
    PID 2660 wrote to memory of 3968  2660  4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe  schtasks.exe
    PID 2660 wrote to memory of 1696  2660  4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe  cmd.exe
    PID 2660 wrote to memory of 1696  2660  4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe  cmd.exe
    PID 1696 wrote to memory of 3372  1696  cmd.exe  timeout.exe
    PID 1696 wrote to memory of 3372  1696  cmd.exe  timeout.exe
    PID 1696 wrote to memory of 1748  1696  cmd.exe  NTLDR.exe
    PID 1696 wrote to memory of 1748  1696  cmd.exe  NTLDR.exe
Processes (tree; number is nesting depth)
1. C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe"
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'NTLDR.exe"' /tr "'C:\Users\Admin\AppData\Roaming\NTLDR.exe"'
      - Creates scheduled task(s)
   2. C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54D3.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe
         Command line: timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\NTLDR.exe
         Command line: "C:\Users\Admin\AppData\Roaming\NTLDR.exe"
         - Executes dropped EXE
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp54D3.tmp.bat
  MD5: 8553ab53fe91e9da95da6ce8b428c788
  SHA1: d01881b782a6c7c14fd026b45bf7ede835a839ed
  SHA256: 666f2deed77b41dcd7f2e4e0a8ad66df62e4e762bf49d68b767ba12f8b83ee91
  SHA512: ab3b705d5ee1b2c2648b71eaca7cf8b4c6b49266eb3049d6958dec1aebda070ba5a77f9a38c028ad4eebb543e285a9ef1090b8072c707078366a4b5d31bf443b
- C:\Users\Admin\AppData\Roaming\NTLDR.exe
  MD5: b9b478296f273d8e8b04e8f0385eff1c
  SHA1: 3cf7e2f4711394f6603dead2457379d2e6c0897e
  SHA256: d63d1fbffd40c9d2e44cf2653a61f0231953c299862c05ed19c878aaaa5e696f
  SHA512: 75797dde22b0ef972b7403883644e9cae0776ae38ebbebef8c326a0c5a465af5bb43db92c5f0bd7f050b1d2c5fa014d7542e989bd3db1368ec2a79eda70384ca
- memory/1748-121-0x000000001AE90000-0x000000001AE92000-memory.dmp
  Filesize: 8KB
- memory/2660-116-0x0000000000C10000-0x0000000000C1C000-memory.dmp
  Filesize: 48KB
- memory/2660-117-0x000000001B8A0000-0x000000001B8A2000-memory.dmp
  Filesize: 8KB