Analysis
-
max time kernel
170s -
max time network
213s -
platform
windows10-2004_x64 -
resource
win10v2004-20220721-en -
resource tags
arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system -
submitted
31-07-2022 08:30
Behavioral task
behavioral1
Sample
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe
Resource
win7-20220715-en
General
-
Target
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe
-
Size
17KB
-
MD5
c6ef22d341307db526ba8f5fe2a00d12
-
SHA1
915e592739f6561fa871d0754f12a3a3d50153ee
-
SHA256
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd
-
SHA512
5b34ff33b0c42e0b6fd3eeeeca7accf44b2b4bd71b834a047fcccb321413b046b93db335da6c4b626fae352ff40e6219aa1adcce871f80dd0a06d59ff1340bd0
Malware Config
Extracted
nworm
v0.3.8
win32update.duckdns.org:5553
xmrdjo.duckdns.org:5553
4f9c371b
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Executes dropped EXE 1 IoCs
Processes:
Windowsupdate.exepid process 1796 Windowsupdate.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2372564722-193526734-2636556182-1000\Control Panel\International\Geo\Nation d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3760 timeout.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exedescription pid process Token: SeDebugPrivilege 3768 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.execmd.exedescription pid process target process PID 3768 wrote to memory of 2836 3768 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe schtasks.exe PID 3768 wrote to memory of 2836 3768 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe schtasks.exe PID 3768 wrote to memory of 3728 3768 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe cmd.exe PID 3768 wrote to memory of 3728 3768 d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe cmd.exe PID 3728 wrote to memory of 3760 3728 cmd.exe timeout.exe PID 3728 wrote to memory of 3760 3728 cmd.exe timeout.exe PID 3728 wrote to memory of 1796 3728 cmd.exe Windowsupdate.exe PID 3728 wrote to memory of 1796 3728 cmd.exe Windowsupdate.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe"C:\Users\Admin\AppData\Local\Temp\d8ababca584ba4feecd850a69aef231068e9e025d31afe75dbe681dbf5c2d5fd.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Windowsupdate.exe"' /tr "'C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"'2⤵
- Creates scheduled task(s)
PID:2836 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpE191.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:3728 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:3760 -
C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"C:\Users\Admin\AppData\Roaming\Windowsupdate.exe"3⤵
- Executes dropped EXE
PID:1796
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
89B
MD5033673bbc9f9098fa6038b35caf5e481
SHA16de43698c050a0a2145d74a490c2126b335a66da
SHA256206c5a70961c6cc66645a936992b4bdec32a77afb3d85495e90a27fa5f018b5c
SHA512baca957fd5bc67679d14b54c30db490dbf0964e7854d658e2f5510ac4bbdaa2b13f324ce82f7191ac02cf847a381cc4c29c199cb0a4ddb0a76d8cb4531cc0e70
-
Filesize
47.3MB
MD5ca22e0d0df410fdc0be3055729e74475
SHA16b76e77517011c77eb1b1f5a192391ee0c8b277d
SHA256b1cd99ea5ffc316188022bb299935eaad69fdc4c452e63e157d7fddf374e706a
SHA5121981ddc9a67edb1623a2e84255ae3be64ef556ced8df5f8458e2895d4a49635ae6ce522a2a8a2e9cb75e87be4ab6121397d2715555f0f36d90400773c4731d1a
-
Filesize
47.3MB
MD5ca22e0d0df410fdc0be3055729e74475
SHA16b76e77517011c77eb1b1f5a192391ee0c8b277d
SHA256b1cd99ea5ffc316188022bb299935eaad69fdc4c452e63e157d7fddf374e706a
SHA5121981ddc9a67edb1623a2e84255ae3be64ef556ced8df5f8458e2895d4a49635ae6ce522a2a8a2e9cb75e87be4ab6121397d2715555f0f36d90400773c4731d1a