nworm | 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd

General

Target

5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe
Size

17KB
MD5

16ce8ee04799a1e4f531eec98418a994
SHA1

cda1ba9604872a6f462a21f6b82b2ca643b81b76
SHA256

5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd
SHA512

dcb4486d0a9fc66b0bf71083e3f79950d3f163bf74526c862dc7b8717d26829d3e04715eaa566db8ecd46cc778839efef8a9d9da090e7f90f8301869d79dc289

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

jtbz.ddns.net:1604

jtbz2.ddns.net:1604

Mutex

2f5c1f29

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

windows.exe

pid process

788 windows.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

652 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1568 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe

description pid process

Token: SeDebugPrivilege 1700 5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe

pid	process
788	windows.exe

pid	process
652	schtasks.exe

pid	process
1568	timeout.exe

description	pid	process
Token: SeDebugPrivilege	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.execmd.exe

description	pid	process	target process
PID 1700 wrote to memory of 652	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe	schtasks.exe
PID 1700 wrote to memory of 652	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe	schtasks.exe
PID 1700 wrote to memory of 652	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe	schtasks.exe
PID 1700 wrote to memory of 560	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe	cmd.exe
PID 1700 wrote to memory of 560	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe	cmd.exe
PID 1700 wrote to memory of 560	1700	5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe	cmd.exe
PID 560 wrote to memory of 1568	560	cmd.exe	timeout.exe
PID 560 wrote to memory of 1568	560	cmd.exe	timeout.exe
PID 560 wrote to memory of 1568	560	cmd.exe	timeout.exe
PID 560 wrote to memory of 788	560	cmd.exe	windows.exe
PID 560 wrote to memory of 788	560	cmd.exe	windows.exe
PID 560 wrote to memory of 788	560	cmd.exe	windows.exe

C:\Users\Admin\AppData\Local\Temp\5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe
"C:\Users\Admin\AppData\Local\Temp\5934d1da5cf45739ab3c3c01c8fe736a4aeac541b1b9601efe4d1eea6d2fcecd.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1700

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'windows.exe"' /tr "'C:\Users\Admin\AppData\Roaming\windows.exe"'
2⤵
- Creates scheduled task(s)
PID:652

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:560

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1568

C:\Users\Admin\AppData\Roaming\windows.exe
"C:\Users\Admin\AppData\Roaming\windows.exe"
3⤵
- Executes dropped EXE
PID:788

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9C6E.tmp.bat
MD5
417b39b756a5a03f90152fb9b7aa9a8a

SHA1
8015082cb41a3fa8a8fa965ce10d74808b54ae24

SHA256
052b9fee21d071d0f3c1807b75f7377cd730c705cef413d252ba0496779471c6

SHA512
e6dd69b7b87cd4ec9d1afee6ebb9439a9d2ae44cef5ead0245fc6a599a57706d90ef745cb2d76b01ffdf341e9865c9038d35593780f83270fe6e5f701b3984d7

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
e78d862107464401c7d31d28e86354c0

SHA1
3de244e9404e36ff167b34f7953f56a9711bc7f2

SHA256
e568ac4b98f9c3fd34d3b69fac30d1f687c5037947ba15e8bbf07b4dac9db878

SHA512
282fe0e3b41801f2310a8405cad52dd8e4ccbf44db446e4e49367d88ba428548a243970309fb6aa4b84ad6f2811f1a8a5f358fa67878923372002bb0666bb747

Download Submit
C:\Users\Admin\AppData\Roaming\windows.exe
MD5
e78d862107464401c7d31d28e86354c0

SHA1
3de244e9404e36ff167b34f7953f56a9711bc7f2

SHA256
e568ac4b98f9c3fd34d3b69fac30d1f687c5037947ba15e8bbf07b4dac9db878

SHA512
282fe0e3b41801f2310a8405cad52dd8e4ccbf44db446e4e49367d88ba428548a243970309fb6aa4b84ad6f2811f1a8a5f358fa67878923372002bb0666bb747

Download Submit
memory/788-59-0x00000000001F0000-0x00000000001FA000-memory.dmp

Filesize
40KB

Download
memory/788-60-0x000000001AF90000-0x000000001AF92000-memory.dmp

Filesize
8KB

Download
memory/1700-54-0x0000000000CB0000-0x0000000000CBA000-memory.dmp

Filesize
40KB

Download
memory/1700-55-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads