Analysis
- max time kernel: 135s
- max time network: 151s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 26-01-2022 15:33
Static task: static1
Behavioral task: behavioral1
- Sample: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Resource: win7-en-20211208
Behavioral task: behavioral2
- Sample: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Resource: win10-en-20211208
General
- Target: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Size: 17KB
- MD5: 6f2ad7446177481ecfd632922d95bc44
- SHA1: 783accf5d9107b0a68860a33bfcb939ffeb50153
- SHA256: 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c
- SHA512: 3a1c54368844dbf9acdecd63504c005c08c068dea4123783a59e458ad3f97e769ee4ece181450013a16ed56fa602c1a03f11bb9d93b79f019297d49ea3809890
Malware Config
Extracted
- Family: nworm
- Version: v0.3.8
- C2: updateservice.linkpc.net:81
- C2: ainda.dyndns.org:81
- debff03b
Signatures
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
- Executes dropped EXE (1 IoC)
  Processes:
  pid   process
  2052  sql.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Delays execution with timeout.exe (1 IoC)
  Processes:
  pid   process
  2396  timeout.exe
- Suspicious use of AdjustPrivilegeToken (1 IoC)
  Processes:
  description              pid   process
  Token: SeDebugPrivilege  3532  6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description                       pid   process                                                                  target process
  PID 3532 wrote to memory of 3648  3532  6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe  schtasks.exe
  PID 3532 wrote to memory of 3648  3532  6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe  schtasks.exe
  PID 3532 wrote to memory of 4036  3532  6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe  cmd.exe
  PID 3532 wrote to memory of 4036  3532  6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe  cmd.exe
  PID 4036 wrote to memory of 2396  4036  cmd.exe                                                                  timeout.exe
  PID 4036 wrote to memory of 2396  4036  cmd.exe                                                                  timeout.exe
  PID 4036 wrote to memory of 2052  4036  cmd.exe                                                                  sql.exe
  PID 4036 wrote to memory of 2052  4036  cmd.exe                                                                  sql.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'sql.exe"' /tr "'C:\Users\Admin\AppData\Roaming\sql.exe"'
    - Creates scheduled task(s)
  - C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6CDF.tmp.bat""
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe
    - C:\Users\Admin\AppData\Roaming\sql.exe
      Command line: "C:\Users\Admin\AppData\Roaming\sql.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Users\Admin\AppData\Local\Temp\tmp6CDF.tmp.bat
  MD5: 01a0ba1adecd0b85adead670ed922c41
  SHA1: 5751f30fc0e16f54b6e7f68ec61d720dee9c9f72
  SHA256: 51775580c24aeec9e28c623771a5ef154e12f1307723953e0bd18e4d2ce9a4f1
  SHA512: ca68ba4ae33795e092236abce08b3d5ab9cde69e65e183c9fdd7c15cd6575b2e7e4a0a82df1362c79802db439054e38542bef733431ee4ebae3c178ea7f506d6
- C:\Users\Admin\AppData\Roaming\sql.exe
  MD5: c9bce658a2b193c150f3adb55b1f4473
  SHA1: 60d65091906b70b3b6150f3b68e6eb4b79d28815
  SHA256: 0b11f19b94696de2cb209ba231dc1c194c2ee7f2f064233088af21c78dba0e78
  SHA512: 0c6d3f1f1312275c66df690df9fe85a339bf92b3199a35e2ffbea5b82dd4f99d261dbf857ac65f2e36ff613797ac4c244b2646b9a985c8ce40f9feeed316e2c2
- memory/2052-120-0x000000001AF90000-0x000000001AF92000-memory.dmp
  Filesize: 8KB
- memory/3532-116-0x0000000000870000-0x000000000087A000-memory.dmp
  Filesize: 40KB