nworm | 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1

General

Target

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
Size

22KB
MD5

01573f1b61b5578c5c87e555e74f75a6
SHA1

ade56f4a823f742d7202a72a2fb16384f9711637
SHA256

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1
SHA512

a27d20a92123afd6302d67368622947d7fb978aa75212be24f3f3a38031c9215b6824044fb728b5bbf557c17d213d1e0ff630c970168837c08bfb50ea38e986a

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

185.247.69.194:6333

91.202.169.7:6333

Mutex

1f09d7c7

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

856 java.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1928 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1816 timeout.exe

pid	process
856	java.exe

pid	process
1928	schtasks.exe

pid	process
1816	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exejava.exe

description	pid	process
Token: SeDebugPrivilege	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
Token: SeDebugPrivilege	856	java.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.execmd.exe

description	pid	process	target process
PID 1520 wrote to memory of 1928	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	schtasks.exe
PID 1520 wrote to memory of 1928	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	schtasks.exe
PID 1520 wrote to memory of 1928	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	schtasks.exe
PID 1520 wrote to memory of 876	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	cmd.exe
PID 1520 wrote to memory of 876	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	cmd.exe
PID 1520 wrote to memory of 876	1520	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	cmd.exe
PID 876 wrote to memory of 1816	876	cmd.exe	timeout.exe
PID 876 wrote to memory of 1816	876	cmd.exe	timeout.exe
PID 876 wrote to memory of 1816	876	cmd.exe	timeout.exe
PID 876 wrote to memory of 856	876	cmd.exe	java.exe
PID 876 wrote to memory of 856	876	cmd.exe	java.exe
PID 876 wrote to memory of 856	876	cmd.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
"C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1520

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'java.exe"' /tr "'C:\Users\Admin\AppData\Roaming\java.exe"'
2⤵
- Creates scheduled task(s)
PID:1928

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9F5B.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:876

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1816

C:\Users\Admin\AppData\Roaming\java.exe
"C:\Users\Admin\AppData\Roaming\java.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:856

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9F5B.tmp.bat
MD5
30555202bcbb7e6cb72801355e41259d

SHA1
a13bdeae264741e1e1205702d87c20180f022558

SHA256
da5ef21c4cf5184db5331c82b67a05c806b22281d8d24b0f18c85784382982cc

SHA512
4e5648a17a063032376d501731e9e4e1b6bba194cfcbcb26c7f0f66a7ca22f9327bc5bcdf342bce705d5885466ae413d0a2833db94a40c05e8ec6d0cdbf1a040

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
MD5
4aa6a16a99e39e4d7fac8b76ae46d087

SHA1
011afc32fadd18a0e4f8245600825f3f821b7e21

SHA256
83bc87af87e24d8eede311eaa70f982e247c28d5e4c00983a2db1e00bd748b5b

SHA512
60e910ea327c11bf3332e43eb27ccf2e6841b144182aa321ee147582c649788c7190410be5af6d3ccc62d3f88d883a1e022fbb5ab4603cdf70c5358092dad7a1

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
MD5
4aa6a16a99e39e4d7fac8b76ae46d087

SHA1
011afc32fadd18a0e4f8245600825f3f821b7e21

SHA256
83bc87af87e24d8eede311eaa70f982e247c28d5e4c00983a2db1e00bd748b5b

SHA512
60e910ea327c11bf3332e43eb27ccf2e6841b144182aa321ee147582c649788c7190410be5af6d3ccc62d3f88d883a1e022fbb5ab4603cdf70c5358092dad7a1

Download Submit
memory/856-59-0x00000000008D0000-0x00000000008DC000-memory.dmp

Filesize
48KB

Download
memory/856-60-0x000000001AF80000-0x000000001AF82000-memory.dmp

Filesize
8KB

Download
memory/1520-54-0x0000000001360000-0x000000000136C000-memory.dmp

Filesize
48KB

Download
memory/1520-55-0x000007FEFC3C1000-0x000007FEFC3C3000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads