Analysis
- max time kernel: 135s
- max time network: 160s
- platform: windows7_x64
- resource: win7-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Resource: win10-en-20211208
General
- Target: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Size: 17KB
- MD5: 6f2ad7446177481ecfd632922d95bc44
- SHA1: 783accf5d9107b0a68860a33bfcb939ffeb50153
- SHA256: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c
- SHA512: 3a1c54368844dbf9acdecd63504c005c08c068dea4123783a59e458ad3f97e769ee4ece181450013a16ed56fa602c1a03f11bb9d93b79f019297d49ea3809890
Malware Config
Extracted
- nworm
- v0.3.8
- updateservice.linkpc.net:81
- ainda.dyndns.org:81
- debff03b
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoCs)
  Processes:
  pid | process
  1692 | sql.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoCs)
  Processes:
  pid | process
  588 | timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 1624 wrote to memory of 580 | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe | schtasks.exe
  PID 1624 wrote to memory of 580 | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe | schtasks.exe
  PID 1624 wrote to memory of 580 | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe | schtasks.exe
  PID 1624 wrote to memory of 548 | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe | cmd.exe
  PID 1624 wrote to memory of 548 | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe | cmd.exe
  PID 1624 wrote to memory of 548 | 1624 | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe | cmd.exe
  PID 548 wrote to memory of 588 | 548 | cmd.exe | timeout.exe
  PID 548 wrote to memory of 588 | 548 | cmd.exe | timeout.exe
  PID 548 wrote to memory of 588 | 548 | cmd.exe | timeout.exe
  PID 548 wrote to memory of 1692 | 548 | cmd.exe | sql.exe
  PID 548 wrote to memory of 1692 | 548 | cmd.exe | sql.exe
  PID 548 wrote to memory of 1692 | 548 | cmd.exe | sql.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'sql.exe"' /tr "'C:\Users\Admin\AppData\Roaming\sql.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F20.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\sql.exe
      Command line: "C:\Users\Admin\AppData\Roaming\sql.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp5F20.tmp.bat
  MD5: 01a0ba1adecd0b85adead670ed922c41
  SHA1: 5751f30fc0e16f54b6e7f68ec61d720dee9c9f72
  SHA256: 51775580c24aeec9e28c623771a5ef154e12f1307723953e0bd18e4d2ce9a4f1
  SHA512: ca68ba4ae33795e092236abce08b3d5ab9cde69e65e183c9fdd7c15cd6575b2e7e4a0a82df1362c79802db439054e38542bef733431ee4ebae3c178ea7f506d6
- C:\Users\Admin\AppData\Roaming\sql.exe
  MD5: 29c267b371e29ad235cab0f266994e5a
  SHA1: 9aa265d3ffd94fca7faf7593d5f3e2cf732d2ad3
  SHA256: 7e308727ba0027385116978ccaeb8ff0e45cf362170967672b1e10d17507197c
  SHA512: 832bf8f38c085ca4440c9292f623d5b60f67174b4c22b19e87b546d7c013ebd0ea6192cd8c9f9bbdbc631eb9f5b4be05637d2bc2ca395b5dd63507e309edb0c9
- memory/1624-54-0x0000000000CA0000-0x0000000000CAA000-memory.dmp
  Filesize: 40KB
- memory/1624-55-0x000007FEFC321000-0x000007FEFC323000-memory.dmp
  Filesize: 8KB
- memory/1692-59-0x00000000002F0000-0x00000000002FA000-memory.dmp
  Filesize: 40KB
- memory/1692-60-0x000000001ABC0000-0x000000001ABC2000-memory.dmp
  Filesize: 8KB