Analysis
max time kernel: 151s
max time network: 154s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
Sample: 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
Resource: win7-en-20211208
Behavioral task: behavioral2
Sample: 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
Resource: win10-en-20211208
General
Target: 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
Size: 19KB
MD5: 8e63a02d166c9c36bfacfa97f3056276
SHA1: fb738d4a90b7ed4c7e5be5ef7932166bb7854b91
SHA256: 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8
SHA512: dc11f40d9b61acf259ab664bcd0fc059d43a84fc57c92dfc6e23ee2b8142d6c6bdef3e495ec53608eb5d267c238e3bca6ada1fcc3c3e3a680bc9bb9773100c6a
Malware Config
Extracted
nworm
v0.3.8
padama600.ddns.net:1177
b38e461c
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid 2332, winServices.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid 2000, timeout.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description / pid / process):
  Token: SeDebugPrivilege / 3828 / 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
  Token: SeDebugPrivilege / 2332 / winServices.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes (description / pid / process / target process):
  PID 3828 wrote to memory of 336 / 3828 / 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe / schtasks.exe
  PID 3828 wrote to memory of 336 / 3828 / 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe / schtasks.exe
  PID 3828 wrote to memory of 1128 / 3828 / 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe / cmd.exe
  PID 3828 wrote to memory of 1128 / 3828 / 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe / cmd.exe
  PID 1128 wrote to memory of 2000 / 1128 / cmd.exe / timeout.exe
  PID 1128 wrote to memory of 2000 / 1128 / cmd.exe / timeout.exe
  PID 1128 wrote to memory of 2332 / 1128 / cmd.exe / winServices.exe
  PID 1128 wrote to memory of 2332 / 1128 / cmd.exe / winServices.exe
Processes (indented by depth in the process tree)
1. C:\Users\Admin\AppData\Local\Temp\5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe"
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'winServices.exe"' /tr "'C:\Users\Admin\AppData\Roaming\winServices.exe"'
      - Creates scheduled task(s)
   2. C:\Windows\system32\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F1F.tmp.bat""
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\system32\timeout.exe
         command line: timeout 3
         - Delays execution with timeout.exe
      3. C:\Users\Admin\AppData\Roaming\winServices.exe
         command line: "C:\Users\Admin\AppData\Roaming\winServices.exe"
         - Executes dropped EXE
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp7F1F.tmp.bat
  MD5: 368e1f9aa37e289794184cc055fffe29
  SHA1: 8d9c69ec2c47999db78b39b47309e4325881a999
  SHA256: dae24c56aa93b1ce5c430fdd12ca1f71ea67d9cf6c14d15f7ff85a8b804ad168
  SHA512: 4b6c5d5eb3f16b4a25540f392dcaa111782b58a4c0ef04b28b6a5c9f04843c4d9dbd258e10b0e9c203109ba859b87d96f68d70196a84cfd0e065de6fb6ecb979
- C:\Users\Admin\AppData\Roaming\winServices.exe
  MD5: 82ce4fe8be638aa6c35071e6278288fa
  SHA1: 3f70ab3340386edc86e7a8ffc198d6502bc626b7
  SHA256: c18d34980b3651143929271e6a1d5eac42bd6f1d05b3a12883d266d61588d3ed
  SHA512: f6e0256af6c7eb3bd8cb8e6882638213c3d7f4f32ef9a897be0e7d439cc834779a8ea769ccb3557b7b1c29108b88d81f90c0de81c772a2a3ba1f7fce0f41606e
- memory/2332-119-0x0000000002B50000-0x0000000002B52000-memory.dmp
  Filesize: 8KB
- memory/3828-115-0x0000000000CE0000-0x0000000000CEC000-memory.dmp
  Filesize: 48KB