nworm | 20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44

General

Target

20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
Size

19KB
MD5

fb5aabe905c0e8b3d837e91719f7c5cb
SHA1

424c260a208e9fa7ff7d4468ffa368fb3bbafb1d
SHA256

20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44
SHA512

28dc13f3c285ad992d750373e446ccb7838d076aad9f72e35f6a5c27b5b721fad25f491a07b62c8e7cea2fd410513ae50e9a5f976a09b02973bb506184f1f6f6

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

crownctf.duckdns.org:448

microduck.duckdns.org:448

Mutex

dbb3c5cc

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

temmp.exe

pid process

1072 temmp.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

436 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1660 timeout.exe

pid	process
1072	temmp.exe

pid	process
436	schtasks.exe

pid	process
1660	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exetemmp.exe

description	pid	process
Token: SeDebugPrivilege	812	20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
Token: SeDebugPrivilege	1072	temmp.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.execmd.exe

description	pid	process	target process
PID 812 wrote to memory of 436	812	20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe	schtasks.exe
PID 812 wrote to memory of 436	812	20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe	schtasks.exe
PID 812 wrote to memory of 1788	812	20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe	cmd.exe
PID 812 wrote to memory of 1788	812	20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe	cmd.exe
PID 1788 wrote to memory of 1660	1788	cmd.exe	timeout.exe
PID 1788 wrote to memory of 1660	1788	cmd.exe	timeout.exe
PID 1788 wrote to memory of 1072	1788	cmd.exe	temmp.exe
PID 1788 wrote to memory of 1072	1788	cmd.exe	temmp.exe

C:\Users\Admin\AppData\Local\Temp\20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe
"C:\Users\Admin\AppData\Local\Temp\20b27b82977cfec2475a14f94fbf11ddd3fbde14677364215ed561ff020aea44.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:812

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'temmp.exe"' /tr "'C:\Users\Admin\AppData\Local\Temp\temmp.exe"'
2⤵
- Creates scheduled task(s)
PID:436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3573.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1660

C:\Users\Admin\AppData\Local\Temp\temmp.exe
"C:\Users\Admin\AppData\Local\Temp\temmp.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1072

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\temmp.exe
MD5
817214118f22c47d43c697d14b66cab3

SHA1
17687f77c7c128fc13a8368364f34f990fd4ea14

SHA256
2d4d1921457831964db12303909279abff68fc157585a3a6feb2082e26e9560d

SHA512
45e5c1799f3ea75b7c8eb4c89a76f20e8180771ce24de05a72159f188661481356909a1351ec8fada6f25215ab40db0a9cbf2b74a8996080132e6379a5670e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\temmp.exe
MD5
817214118f22c47d43c697d14b66cab3

SHA1
17687f77c7c128fc13a8368364f34f990fd4ea14

SHA256
2d4d1921457831964db12303909279abff68fc157585a3a6feb2082e26e9560d

SHA512
45e5c1799f3ea75b7c8eb4c89a76f20e8180771ce24de05a72159f188661481356909a1351ec8fada6f25215ab40db0a9cbf2b74a8996080132e6379a5670e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3573.tmp.bat
MD5
5ebbce1550f4f82e22ba815a5b18f25f

SHA1
e4db9a3caeb03cede72b3c0f0908cacf12f804fc

SHA256
bb073f512e3bb848f2ce004bc38f150b228b4658430f331187b6b31cb20c21ef

SHA512
a0a7c564989b95ddf94efed2bbbd8da21db4ff9810419086f875b43f497f9cd7ebe3c7a08822a10bd5e29c38fecfe7e94c34292a181d495c19fb2b6d3e11cce8

Download Submit
memory/812-118-0x0000000000330000-0x000000000033C000-memory.dmp

Filesize
48KB

Download
memory/1072-122-0x000000001B860000-0x000000001B862000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads