nworm | d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e

General

Target

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
Size

33KB
MD5

7341966dff36665a31185cb2b4331f0d
SHA1

02572e87b124474b1553e9bc418f7c8a4248be70
SHA256

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e
SHA512

94e4be60b3508a3e9868ffee630f37c21104be85a8c412c8edc7924af8b60f73bdd183eba89133afb54d01cfe88ec26b68cff1870b86cf3459e8c7505c229a93

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

Jonathin8068-24257.portmap.host:60149

Mutex

9c5336ac

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

omegalol.exe

pid process

1284 omegalol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1868 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

624 timeout.exe

pid	process
1284	omegalol.exe

pid	process
1868	schtasks.exe

pid	process
624	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exeomegalol.exe

pid	process
1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1284	omegalol.exe
1284	omegalol.exe
1284	omegalol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exeomegalol.exe

description	pid	process
Token: SeDebugPrivilege	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
Token: SeDebugPrivilege	1284	omegalol.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.execmd.exe

description	pid	process	target process
PID 1296 wrote to memory of 1868	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	schtasks.exe
PID 1296 wrote to memory of 1868	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	schtasks.exe
PID 1296 wrote to memory of 1868	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	schtasks.exe
PID 1296 wrote to memory of 1604	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	cmd.exe
PID 1296 wrote to memory of 1604	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	cmd.exe
PID 1296 wrote to memory of 1604	1296	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	cmd.exe
PID 1604 wrote to memory of 624	1604	cmd.exe	timeout.exe
PID 1604 wrote to memory of 624	1604	cmd.exe	timeout.exe
PID 1604 wrote to memory of 624	1604	cmd.exe	timeout.exe
PID 1604 wrote to memory of 1284	1604	cmd.exe	omegalol.exe
PID 1604 wrote to memory of 1284	1604	cmd.exe	omegalol.exe
PID 1604 wrote to memory of 1284	1604	cmd.exe	omegalol.exe

C:\Users\Admin\AppData\Local\Temp\d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
"C:\Users\Admin\AppData\Local\Temp\d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1296

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'omegalol.exe"' /tr "'C:\Users\Admin\AppData\Roaming\omegalol.exe"'
2⤵
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5457.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:624

C:\Users\Admin\AppData\Roaming\omegalol.exe
"C:\Users\Admin\AppData\Roaming\omegalol.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1284

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5457.tmp.bat
MD5
1a335f403cfb8b5a12d69018f6bd8401

SHA1
07f07c892aaed746c59ddcc39d28420450bfd4e5

SHA256
57b74d0b678363af804129efcf04dd1145c00847eb42add9ad42308bfa46ba55

SHA512
4061ca8ec4e27dac8d5b30a5abf5740f22bb205f8bf91cc64197cf91219ae89c590e76db8a7220da28d6855f93812f6111dcaa96793bd89cc52f864eb3b4f9f0

Download Submit
C:\Users\Admin\AppData\Roaming\omegalol.exe
MD5
8ce119db9848a23b97c5846974103aed

SHA1
ddfba68a1d85e5b3370e641d2b44c2187c634901

SHA256
176f1c306e1ecd39b238274f0fe1065107802d82e2ee6437e1fecb83d3f9223d

SHA512
8e6471ae0040cc7fb176264d68ead4902746d4942da7bab6c5a4c46fee612b74298ff8e084cef067c869305ad721cfa24825a28db97bf659c27a55a78ed84805

Download Submit
C:\Users\Admin\AppData\Roaming\omegalol.exe
MD5
8ce119db9848a23b97c5846974103aed

SHA1
ddfba68a1d85e5b3370e641d2b44c2187c634901

SHA256
176f1c306e1ecd39b238274f0fe1065107802d82e2ee6437e1fecb83d3f9223d

SHA512
8e6471ae0040cc7fb176264d68ead4902746d4942da7bab6c5a4c46fee612b74298ff8e084cef067c869305ad721cfa24825a28db97bf659c27a55a78ed84805

Download Submit
memory/1284-59-0x0000000000FB0000-0x0000000000FBE000-memory.dmp

Filesize
56KB

Download
memory/1284-60-0x000000001AD50000-0x000000001AD52000-memory.dmp

Filesize
8KB

Download
memory/1296-54-0x0000000000F40000-0x0000000000F4E000-memory.dmp

Filesize
56KB

Download
memory/1296-55-0x0000000000D50000-0x0000000000F40000-memory.dmp

Filesize
1.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads