Analysis
-
max time kernel
134s -
max time network
154s -
platform
windows7_x64 -
resource
win7-20220715-en -
resource tags
arch:x64arch:x86image:win7-20220715-enlocale:en-usos:windows7-x64system -
submitted
31-07-2022 08:30
Behavioral task
behavioral1
Sample
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe
Resource
win7-20220715-en
General
-
Target
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe
-
Size
17KB
-
MD5
c6ef22d341307db526ba8f5fe2a00d12
-
SHA1
915e592739f6561fa871d0754f12a3a3d50153ee
-
SHA256
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd
-
SHA512
5b34ff33b0c42e0b6fd3eeeeca7accf44b2b4bd71b834a047fcccb321413b046b93db335da6c4b626fae352ff40e6219aa1adcce871f80dd0a06d59ff1340bd0
Malware Config
Extracted
nworm
v0.3.8
win32update.duckdns.org:5553
xmrdjo.duckdns.org:5553
4f9c371b
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Executes dropped EXE 1 IoCs
Processes:
Windowsupdate.exepid process 756 Windowsupdate.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 1764 timeout.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exedescription pid process Token: SeDebugPrivilege 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe -
Suspicious use of WriteProcessMemory 12 IoCs
Processes:
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.execmd.exedescription pid process target process PID 888 wrote to memory of 1316 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe schtasks.exe PID 888 wrote to memory of 1316 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe schtasks.exe PID 888 wrote to memory of 1316 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe schtasks.exe PID 888 wrote to memory of 1116 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe cmd.exe PID 888 wrote to memory of 1116 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe cmd.exe PID 888 wrote to memory of 1116 888 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe cmd.exe PID 1116 wrote to memory of 1764 1116 cmd.exe timeout.exe PID 1116 wrote to memory of 1764 1116 cmd.exe timeout.exe PID 1116 wrote to memory of 1764 1116 cmd.exe timeout.exe PID 1116 wrote to memory of 756 1116 cmd.exe Windowsupdate.exe PID 1116 wrote to memory of 756 1116 cmd.exe Windowsupdate.exe PID 1116 wrote to memory of 756 1116 cmd.exe Windowsupdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe"C:\Users\Admin\AppData\Local\Temp\d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:888 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Windowsupdate.exe"' /tr "'C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"'2⤵
- Creates scheduled task(s)
PID:1316 -
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp89BA.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:1116 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:1764 -
C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"3⤵
- Executes dropped EXE
PID:756
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89B
MD5033673bbc9f9098fa6038b35caf5e481
SHA16de43698c050a0a2145d74a490c2126b335a66da
SHA256206c5a70961c6cc66645a936992b4bdec32a77afb3d85495e90a27fa5f018b5c
SHA512baca957fd5bc67679d14b54c30db490dbf0964e7854d658e2f5510ac4bbdaa2b13f324ce82f7191ac02cf847a381cc4c29c199cb0a4ddb0a76d8cb4531cc0e70
-
Filesize
47.7MB
MD5df4cc6a6deff50ad67716b9a6c4cbb4a
SHA1f793e8ad154838eff970f44b0d1dc189d6ebc207
SHA256e3d98d06667e487fd69fb93f3ce988e389fa332e4db657474852f0d75b225630
SHA5121d4b2e05aaa0d17ec75187db0175b0afb391b7dc8f175cf394a469ebfabb0ad6fda9758ea05bcd54316efdd835676253d2b830d0f0bee612df78a1d230d11b72
-
Filesize
47.7MB
MD5df4cc6a6deff50ad67716b9a6c4cbb4a
SHA1f793e8ad154838eff970f44b0d1dc189d6ebc207
SHA256e3d98d06667e487fd69fb93f3ce988e389fa332e4db657474852f0d75b225630
SHA5121d4b2e05aaa0d17ec75187db0175b0afb391b7dc8f175cf394a469ebfabb0ad6fda9758ea05bcd54316efdd835676253d2b830d0f0bee612df78a1d230d11b72