nworm | b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674

General

Target

b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
Size

19KB
MD5

fbf86df341ad8b1fe2c799016e2c8721
SHA1

8ac6f44c179921105658cb95003cd3d2d0f09f61
SHA256

b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674
SHA512

db78261bc620779308b5aab6a02b6af366fceb5b011ae4ce71c18f69f94f463b67707c256f6ba765818ab61a57a882335bd2e6e0c66a20dabdb5a1c5169e25c8

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

66.70.242.36:8080

127.0.0.0:8080

Mutex

0b80e527

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

winServices.exe

pid process

1096 winServices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

596 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1944 timeout.exe

pid	process
1096	winServices.exe

pid	process
596	schtasks.exe

pid	process
1944	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exewinServices.exe

pid	process
1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
1096	winServices.exe
1096	winServices.exe
1096	winServices.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exewinServices.exe

description	pid	process
Token: SeDebugPrivilege	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
Token: SeDebugPrivilege	1096	winServices.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.execmd.exe

description	pid	process	target process
PID 1592 wrote to memory of 596	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe	schtasks.exe
PID 1592 wrote to memory of 596	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe	schtasks.exe
PID 1592 wrote to memory of 596	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe	schtasks.exe
PID 1592 wrote to memory of 820	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe	cmd.exe
PID 1592 wrote to memory of 820	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe	cmd.exe
PID 1592 wrote to memory of 820	1592	b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe	cmd.exe
PID 820 wrote to memory of 1944	820	cmd.exe	timeout.exe
PID 820 wrote to memory of 1944	820	cmd.exe	timeout.exe
PID 820 wrote to memory of 1944	820	cmd.exe	timeout.exe
PID 820 wrote to memory of 1096	820	cmd.exe	winServices.exe
PID 820 wrote to memory of 1096	820	cmd.exe	winServices.exe
PID 820 wrote to memory of 1096	820	cmd.exe	winServices.exe

C:\Users\Admin\AppData\Local\Temp\b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe
"C:\Users\Admin\AppData\Local\Temp\b2e0cfae142aa05f01ccd32006c9ac0e3be1f1d2774fcef1847ae36e57288674.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1592

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'winServices.exe"' /tr "'C:\Users\Admin\AppData\Roaming\winServices.exe"'
2⤵
- Creates scheduled task(s)
PID:596

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp905D.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:820

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1944

C:\Users\Admin\AppData\Roaming\winServices.exe
"C:\Users\Admin\AppData\Roaming\winServices.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1096

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp905D.tmp.bat
MD5
368e1f9aa37e289794184cc055fffe29

SHA1
8d9c69ec2c47999db78b39b47309e4325881a999

SHA256
dae24c56aa93b1ce5c430fdd12ca1f71ea67d9cf6c14d15f7ff85a8b804ad168

SHA512
4b6c5d5eb3f16b4a25540f392dcaa111782b58a4c0ef04b28b6a5c9f04843c4d9dbd258e10b0e9c203109ba859b87d96f68d70196a84cfd0e065de6fb6ecb979

Download Submit
C:\Users\Admin\AppData\Roaming\winServices.exe
MD5
552277a6d5f19df992c4335171ddf338

SHA1
4796a3ae147b52aabc92ba6dcbf00f53b65b7e53

SHA256
17e86b1bdf15b1191fd3896eaa34560ccff7c39e3efb692da9f984595a7212e2

SHA512
b24197d1e849b159ddf68d36c18ddaf62310a2f2d3a4da3a22e93666cad61e8b44a1abcc62935cab287290b6efa54000e26f7088a4c36a3eac8aa24d065c47bf

Download Submit
C:\Users\Admin\AppData\Roaming\winServices.exe
MD5
552277a6d5f19df992c4335171ddf338

SHA1
4796a3ae147b52aabc92ba6dcbf00f53b65b7e53

SHA256
17e86b1bdf15b1191fd3896eaa34560ccff7c39e3efb692da9f984595a7212e2

SHA512
b24197d1e849b159ddf68d36c18ddaf62310a2f2d3a4da3a22e93666cad61e8b44a1abcc62935cab287290b6efa54000e26f7088a4c36a3eac8aa24d065c47bf

Download Submit
memory/1096-59-0x00000000010A0000-0x00000000010AC000-memory.dmp

Filesize
48KB

Download
memory/1096-60-0x000000001AD30000-0x000000001AD32000-memory.dmp

Filesize
8KB

Download
memory/1592-54-0x0000000001290000-0x000000000129C000-memory.dmp

Filesize
48KB

Download
memory/1592-55-0x000000001B0F0000-0x000000001B0F2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads