nworm | 1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1

General

Target

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
Size

22KB
MD5

01573f1b61b5578c5c87e555e74f75a6
SHA1

ade56f4a823f742d7202a72a2fb16384f9711637
SHA256

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1
SHA512

a27d20a92123afd6302d67368622947d7fb978aa75212be24f3f3a38031c9215b6824044fb728b5bbf557c17d213d1e0ff630c970168837c08bfb50ea38e986a

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

185.247.69.194:6333

91.202.169.7:6333

Mutex

1f09d7c7

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

java.exe

pid process

1632 java.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2992 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1120 timeout.exe

pid	process
1632	java.exe

pid	process
2992	schtasks.exe

pid	process
1120	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exejava.exe

description	pid	process
Token: SeDebugPrivilege	616	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
Token: SeDebugPrivilege	1632	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.execmd.exe

description	pid	process	target process
PID 616 wrote to memory of 2992	616	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	schtasks.exe
PID 616 wrote to memory of 2992	616	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	schtasks.exe
PID 616 wrote to memory of 2760	616	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	cmd.exe
PID 616 wrote to memory of 2760	616	1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe	cmd.exe
PID 2760 wrote to memory of 1120	2760	cmd.exe	timeout.exe
PID 2760 wrote to memory of 1120	2760	cmd.exe	timeout.exe
PID 2760 wrote to memory of 1632	2760	cmd.exe	java.exe
PID 2760 wrote to memory of 1632	2760	cmd.exe	java.exe

C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe
"C:\Users\Admin\AppData\Local\Temp\1e04e0ce103e51fe1d1584759bc28da409f634e6e09de4892d2ab3f6659078f1.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:616

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'java.exe"' /tr "'C:\Users\Admin\AppData\Roaming\java.exe"'
2⤵
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBC09.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2760

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1120

C:\Users\Admin\AppData\Roaming\java.exe
"C:\Users\Admin\AppData\Roaming\java.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1632

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBC09.tmp.bat
MD5
30555202bcbb7e6cb72801355e41259d

SHA1
a13bdeae264741e1e1205702d87c20180f022558

SHA256
da5ef21c4cf5184db5331c82b67a05c806b22281d8d24b0f18c85784382982cc

SHA512
4e5648a17a063032376d501731e9e4e1b6bba194cfcbcb26c7f0f66a7ca22f9327bc5bcdf342bce705d5885466ae413d0a2833db94a40c05e8ec6d0cdbf1a040

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
MD5
48a6d3c455536ef54f7d31c7ea893515

SHA1
38da31e73e9a4f54d6763dd9e7706d5dcfa0b5f2

SHA256
227f03e971b681f509ad059afaf05eae74782b58fde1f9dffbb9d5592b42bec9

SHA512
c7e4aed148bd3c1dd3ad1918adad7393f66da0312121403ce077d50a271f1874fed2b5ed6be4d733f5ebc3cebb84ab6b584b23448a5dcf6226ef1e730324c02a

Download Submit
C:\Users\Admin\AppData\Roaming\java.exe
MD5
48a6d3c455536ef54f7d31c7ea893515

SHA1
38da31e73e9a4f54d6763dd9e7706d5dcfa0b5f2

SHA256
227f03e971b681f509ad059afaf05eae74782b58fde1f9dffbb9d5592b42bec9

SHA512
c7e4aed148bd3c1dd3ad1918adad7393f66da0312121403ce077d50a271f1874fed2b5ed6be4d733f5ebc3cebb84ab6b584b23448a5dcf6226ef1e730324c02a

Download Submit
memory/616-115-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1632-119-0x000000001B430000-0x000000001B432000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads