ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c

Analysis

max time kernel
32s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
14-10-2022 10:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe
Size

47KB
MD5

63193a51aa62c6f2f9da7087ce45bef0
SHA1

7f458e7e82ccf74bd2b1d43e3494a1d1e5daa649
SHA256

ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c
SHA512

34753f63452a90172f0ec704fd197d3e41db5f518536075f076b17011150205d248c9786cd6693ad60f4540e8b25049c97e90d7761ac3417c04a4c7d26b15dea
SSDEEP

768:xRU+NbykfR3PfG/qX4yI85JHxBJNPluYkXGjisZeNxBZTnRvDNKY9f:xtR33GCX4CxBJNPlfkui6IxBJlYY9f

Score

8^/10

persistence upx

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\NWCWorkstation\Parameters\ServiceDll = "%SystemRoot%\\system32\\nwcwks.dll"	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe

UPX packed file 1 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1928-55-0x0000000000400000-0x0000000000416000-memory.dmp	upx

Deletes itself 1 IoCs

pid	Process
1136	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1708	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\nwcwks.dll	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeIncBasePriorityPrivilege	1928	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1928 wrote to memory of 1136	1928	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe	27
PID 1928 wrote to memory of 1136	1928	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe	27
PID 1928 wrote to memory of 1136	1928	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe	27
PID 1928 wrote to memory of 1136	1928	ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe	27

C:\Users\Admin\AppData\Local\Temp\ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe
"C:\Users\Admin\AppData\Local\Temp\ab715a2d31dd84edafb5c1d9ed08894a01aff62811d5e0f70d17fa71c2e2c09c.exe"
1⤵
- Sets DLL path for service in the registry
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\AB715A~1.EXE > nul
  2⤵
  - Deletes itself
  PID:1136

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
PID:1708

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\??\c:\windows\SysWOW64\nwcwks.dll

Filesize
8KB

MD5
6ecf985cb1a3f2d7f5525d55bcf4bb8b

SHA1
240ff5600f273da2475aa18003fcda4e352fea13

SHA256
bff80bc0f86790a87f1010edfc31e2ad9ea712321f63e1129e3181ed57fe9b2b

SHA512
5d316fcd427ccc3e193c4575a8cdd964792f9630326fdf3530d6a727eaddd32bd008834b3385f114a8ddd96245b467915d879904321579142c129f8694842acd

Download Submit
\Windows\SysWOW64\nwcwks.dll

Filesize
8KB

MD5
6ecf985cb1a3f2d7f5525d55bcf4bb8b

SHA1
240ff5600f273da2475aa18003fcda4e352fea13

SHA256
bff80bc0f86790a87f1010edfc31e2ad9ea712321f63e1129e3181ed57fe9b2b

SHA512
5d316fcd427ccc3e193c4575a8cdd964792f9630326fdf3530d6a727eaddd32bd008834b3385f114a8ddd96245b467915d879904321579142c129f8694842acd

Download Submit
memory/1136-58-0x0000000000000000-mapping.dmp

Download
memory/1928-54-0x00000000762B1000-0x00000000762B3000-memory.dmp

Filesize
8KB

Download
memory/1928-55-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download