nworm | 3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a

General

Target

3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
Size

19KB
MD5

c722ffe89ecb69db142ecb15bc71c572
SHA1

febf301c31f726d00682afda2b33f2776d7b34c2
SHA256

3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a
SHA512

4b396ed48645db4d983bdf8e55755af5bf4613e14a8aeb1881774264c2fb62508ea4fe67fb5d98783107649365c13b1acd32e2aa44d0272b36c2e80f533ffa67

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

ofi.dyn.ydns.io:1080

redlan.mywire.org:1080

Mutex

b0456e7e

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

NetUserDat.exe

pid process

2324 NetUserDat.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3860 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3660 timeout.exe

pid	process
2324	NetUserDat.exe

pid	process
3860	schtasks.exe

pid	process
3660	timeout.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exeNetUserDat.exe

pid	process
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe
2324	NetUserDat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exeNetUserDat.exe

description	pid	process
Token: SeDebugPrivilege	2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
Token: SeDebugPrivilege	2324	NetUserDat.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.execmd.exe

description	pid	process	target process
PID 2504 wrote to memory of 3860	2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe	schtasks.exe
PID 2504 wrote to memory of 3860	2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe	schtasks.exe
PID 2504 wrote to memory of 2924	2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe	cmd.exe
PID 2504 wrote to memory of 2924	2504	3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe	cmd.exe
PID 2924 wrote to memory of 3660	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 3660	2924	cmd.exe	timeout.exe
PID 2924 wrote to memory of 2324	2924	cmd.exe	NetUserDat.exe
PID 2924 wrote to memory of 2324	2924	cmd.exe	NetUserDat.exe

C:\Users\Admin\AppData\Local\Temp\3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe
"C:\Users\Admin\AppData\Local\Temp\3f3a298e7b430343d12d9039e9e83ae46c4bc952ea9b329959be1aa07205787a.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'NetUserDat.exe"' /tr "'C:\Users\Admin\AppData\Roaming\NetUserDat.exe"'
2⤵
- Creates scheduled task(s)
PID:3860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpB65B.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3660

C:\Users\Admin\AppData\Roaming\NetUserDat.exe
"C:\Users\Admin\AppData\Roaming\NetUserDat.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB65B.tmp.bat
MD5
abf17c3a9458f1adea182b49cd17b617

SHA1
7cf4eaba7aa99d6ccb0d0af6bc0f0e9ed30282f0

SHA256
80237041c6c5eaf8e7a42b46d5df52d3b8c9f4a2c1dcd4a91dfe5d5d78dfbbe9

SHA512
7a450e8698cb3bd75e385ccf7fe2a5e6f322fdedf7616521bae800efecab457444fe39197195a91dc8ea6307803c20b0345ee46caa93b637b3afff822ab9d837

Download Submit
C:\Users\Admin\AppData\Roaming\NetUserDat.exe
MD5
979ec4908e955fe53eb336890d4c328a

SHA1
0dfcdfc360141578f494e684e159367abcfc4cb7

SHA256
a6f362feb6819455d739849ee4fac3346e6ac9f7b8bc4bc16fb5a3142d6bc2fa

SHA512
b43be6c0b74707006584360a722e228eeae110971a892ee4cc6384640f6963fbcd82e58d924b93941e6e6e63d2005e283da61b4bc3fd54dc5e168ec95937e46c

Download Submit
C:\Users\Admin\AppData\Roaming\NetUserDat.exe
MD5
979ec4908e955fe53eb336890d4c328a

SHA1
0dfcdfc360141578f494e684e159367abcfc4cb7

SHA256
a6f362feb6819455d739849ee4fac3346e6ac9f7b8bc4bc16fb5a3142d6bc2fa

SHA512
b43be6c0b74707006584360a722e228eeae110971a892ee4cc6384640f6963fbcd82e58d924b93941e6e6e63d2005e283da61b4bc3fd54dc5e168ec95937e46c

Download Submit
memory/2324-120-0x000000001B0E0000-0x000000001B0E2000-memory.dmp

Filesize
8KB

Download
memory/2504-115-0x0000000000B70000-0x0000000000B7C000-memory.dmp

Filesize
48KB

Download
memory/2504-116-0x000000001B820000-0x000000001B822000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads