nworm | 043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0 | Triage

Analysis

max time kernel
153s
max time network
143s
platform
windows10_x64
resource
win10-en-20211208
submitted
26-01-2022 15:33

Sharing

Report Analysis Logs

General

Target

043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0.exe
Size

11KB
MD5

35394030407f8b24d4046d172d23d50e
SHA1

1afc8308b56671d5cabeac3d5aff77f0d5a2d1a6
SHA256

043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0
SHA512

dc1ca8751225d1714f4b61b93faacbd78c5888a607ec7206b8069cdcbbd573f724b2cbcc988f2a7b319fee353d00cccf319f1d12dd369c5992d4b9090b25dbe1

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.7C

C2

139.180.171.110:2222

Mutex

090383e3-d29a-4f22-9ac9-8273a3a0c547

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0.exe

description pid process

Token: SeDebugPrivilege 4304 043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0.exe

C:\Users\Admin\AppData\Local\Temp\043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0.exe
"C:\Users\Admin\AppData\Local\Temp\043c9d3c25c284c582dff2887cc1c92bf1a7c76941d0c2f84eef95d72a31b4a0.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4304-115-0x0000000000C00000-0x0000000000C0A000-memory.dmp

Filesize
40KB

Download
memory/4304-116-0x00000000012D0000-0x00000000012D2000-memory.dmp

Filesize
8KB

Download