nworm | 0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268

General

Target

0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
Size

49KB
MD5

ef5575dc5a9673885a93816fec5752e3
SHA1

981b40105ff0b9d1deafae85517efb2bc03c54cc
SHA256

0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268
SHA512

2979efab620d252ce552ea376878f807860030f33aa1c2265eb24b3ec7e8ba2f7190a61a49655b8ed59e5be583edcf257fccf9bbdb423e6e5d64afe288bbb5a6

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

google8.ddns.net:1999

Mutex

52889f08

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

Adobe.vbs.exe

pid process

580 Adobe.vbs.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3684 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1156 timeout.exe

pid	process
580	Adobe.vbs.exe

pid	process
3684	schtasks.exe

pid	process
1156	timeout.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exeAdobe.vbs.exe

pid	process
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe
580	Adobe.vbs.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exeAdobe.vbs.exe

description	pid	process
Token: SeDebugPrivilege	2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
Token: SeDebugPrivilege	580	Adobe.vbs.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.execmd.exe

description	pid	process	target process
PID 2708 wrote to memory of 3684	2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe	schtasks.exe
PID 2708 wrote to memory of 3684	2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe	schtasks.exe
PID 2708 wrote to memory of 3048	2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe	cmd.exe
PID 2708 wrote to memory of 3048	2708	0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe	cmd.exe
PID 3048 wrote to memory of 1156	3048	cmd.exe	timeout.exe
PID 3048 wrote to memory of 1156	3048	cmd.exe	timeout.exe
PID 3048 wrote to memory of 580	3048	cmd.exe	Adobe.vbs.exe
PID 3048 wrote to memory of 580	3048	cmd.exe	Adobe.vbs.exe

C:\Users\Admin\AppData\Local\Temp\0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe
"C:\Users\Admin\AppData\Local\Temp\0f0b4d98f4b41948f43060d83b12cf9c995f4a425f376c8ae4e5836500df6268.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2708

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'Adobe.vbs.exe"' /tr "'C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe"'
2⤵
- Creates scheduled task(s)
PID:3684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp4F26.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1156

C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe
"C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:580

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4F26.tmp.bat
MD5
081bcae08a5e79c34e6a1d4fc5a844fb

SHA1
ba9c5f944367399e6af2a4f8dd3edc09159e3114

SHA256
a64e193c62c004eae3f92111d769a3d3dad9f38954fd4ba67732f12313e655e8

SHA512
23b4c65af7e881e33a47ba825d16be6a84b053e797a49301a38ee358cdc9ff031ca54294df00903186c4a1bbd02f39433ae09cfa92073b87b00799c81c8ec644

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe
MD5
254f4cd3b9c774967ca8bace515fda31

SHA1
5166944aa9efcaea0c2699c9209ddcefdfd1e6a7

SHA256
099f3dc3ca2c65e77659ecd6afb1b07bba7fcc25fbff0d44c0dc8218f2e5bb7c

SHA512
6fd106b709d251e893866ac2ace80d70886e54ae791d1f84ecb3f6246503c0b1671eebef6f70058dfe0d22e0bf0e3439829a49290fe4366ac4f6b8bd1a30ee04

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe.vbs.exe
MD5
254f4cd3b9c774967ca8bace515fda31

SHA1
5166944aa9efcaea0c2699c9209ddcefdfd1e6a7

SHA256
099f3dc3ca2c65e77659ecd6afb1b07bba7fcc25fbff0d44c0dc8218f2e5bb7c

SHA512
6fd106b709d251e893866ac2ace80d70886e54ae791d1f84ecb3f6246503c0b1671eebef6f70058dfe0d22e0bf0e3439829a49290fe4366ac4f6b8bd1a30ee04

Download Submit
memory/580-123-0x000000001B760000-0x000000001B762000-memory.dmp

Filesize
8KB

Download
memory/2708-118-0x00000000008E0000-0x00000000008F2000-memory.dmp

Filesize
72KB

Download
memory/2708-119-0x000000001B5C0000-0x000000001B5C2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads