nworm | d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e

General

Target

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
Size

33KB
MD5

7341966dff36665a31185cb2b4331f0d
SHA1

02572e87b124474b1553e9bc418f7c8a4248be70
SHA256

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e
SHA512

94e4be60b3508a3e9868ffee630f37c21104be85a8c412c8edc7924af8b60f73bdd183eba89133afb54d01cfe88ec26b68cff1870b86cf3459e8c7505c229a93

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

Jonathin8068-24257.portmap.host:60149

Mutex

9c5336ac

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

omegalol.exe

pid process

3672 omegalol.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

820 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3788 timeout.exe

pid	process
3672	omegalol.exe

pid	process
820	schtasks.exe

pid	process
3788	timeout.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exeomegalol.exe

pid	process
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe
3672	omegalol.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exeomegalol.exe

description	pid	process
Token: SeDebugPrivilege	1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
Token: SeDebugPrivilege	3672	omegalol.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 820	1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	schtasks.exe
PID 1996 wrote to memory of 820	1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	schtasks.exe
PID 1996 wrote to memory of 1868	1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	cmd.exe
PID 1996 wrote to memory of 1868	1996	d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe	cmd.exe
PID 1868 wrote to memory of 3788	1868	cmd.exe	timeout.exe
PID 1868 wrote to memory of 3788	1868	cmd.exe	timeout.exe
PID 1868 wrote to memory of 3672	1868	cmd.exe	omegalol.exe
PID 1868 wrote to memory of 3672	1868	cmd.exe	omegalol.exe

C:\Users\Admin\AppData\Local\Temp\d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe
"C:\Users\Admin\AppData\Local\Temp\d0980b7fe304d1998df7e3829b8f35c1f6a41316c8675416f5264d8658fc881e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'omegalol.exe"' /tr "'C:\Users\Admin\AppData\Roaming\omegalol.exe"'
2⤵
- Creates scheduled task(s)
PID:820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD81C.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3788

C:\Users\Admin\AppData\Roaming\omegalol.exe
"C:\Users\Admin\AppData\Roaming\omegalol.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3672

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD81C.tmp.bat
MD5
1a335f403cfb8b5a12d69018f6bd8401

SHA1
07f07c892aaed746c59ddcc39d28420450bfd4e5

SHA256
57b74d0b678363af804129efcf04dd1145c00847eb42add9ad42308bfa46ba55

SHA512
4061ca8ec4e27dac8d5b30a5abf5740f22bb205f8bf91cc64197cf91219ae89c590e76db8a7220da28d6855f93812f6111dcaa96793bd89cc52f864eb3b4f9f0

Download Submit
C:\Users\Admin\AppData\Roaming\omegalol.exe
MD5
5ffab0281cbe6573731bc7536a21164b

SHA1
d043b1596cf3e253486897ad97dc53b2dff81b47

SHA256
bc69228aa408459ec18f4b6efe3bee2c80863ce2b91ad318d6045911c1333209

SHA512
239ae84ecdeed8b98dc033b67537f7a896a8a33aa7e712d94a7d0d5d8751174890b938ac29a8ba2344381719dc04126a05386609d4e1d02231c3917eddf4e985

Download Submit
C:\Users\Admin\AppData\Roaming\omegalol.exe
MD5
5ffab0281cbe6573731bc7536a21164b

SHA1
d043b1596cf3e253486897ad97dc53b2dff81b47

SHA256
bc69228aa408459ec18f4b6efe3bee2c80863ce2b91ad318d6045911c1333209

SHA512
239ae84ecdeed8b98dc033b67537f7a896a8a33aa7e712d94a7d0d5d8751174890b938ac29a8ba2344381719dc04126a05386609d4e1d02231c3917eddf4e985

Download Submit
memory/1996-115-0x0000000000700000-0x000000000070E000-memory.dmp

Filesize
56KB

Download
memory/1996-116-0x0000000000D60000-0x0000000000D62000-memory.dmp

Filesize
8KB

Download
memory/3672-120-0x000000001AB70000-0x000000001AB72000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads