nworm | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e

General

Target

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Size

19KB
MD5

8cdf4af6c295da278178651186da9347
SHA1

4edd98af3bb46ad5484f97c2470d8ec2a53018ab
SHA256

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e
SHA512

d8cbffd7aea77a7ce4554f5d72c29a15ab608dd06e481fce161ea9cfa5f91e5e1a9682827f0dc41a22e374ccf09ff8c6b2792eb8ad67575b00d11cff0d4f6b90

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

24.101.169.101:4782

192.168.1.20:4782

Mutex

85224873

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

NTLDR.exe

pid process

1644 NTLDR.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

340 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1652 timeout.exe

pid	process
1644	NTLDR.exe

pid	process
340	schtasks.exe

pid	process
1652	timeout.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exeNTLDR.exe

pid	process
528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
1644	NTLDR.exe
1644	NTLDR.exe
1644	NTLDR.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exeNTLDR.exe

description	pid	process
Token: SeDebugPrivilege	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Token: SeDebugPrivilege	1644	NTLDR.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.execmd.exe

description	pid	process	target process
PID 528 wrote to memory of 340	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	schtasks.exe
PID 528 wrote to memory of 340	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	schtasks.exe
PID 528 wrote to memory of 340	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	schtasks.exe
PID 528 wrote to memory of 2016	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	cmd.exe
PID 528 wrote to memory of 2016	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	cmd.exe
PID 528 wrote to memory of 2016	528	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	cmd.exe
PID 2016 wrote to memory of 1652	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 1652	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 1652	2016	cmd.exe	timeout.exe
PID 2016 wrote to memory of 1644	2016	cmd.exe	NTLDR.exe
PID 2016 wrote to memory of 1644	2016	cmd.exe	NTLDR.exe
PID 2016 wrote to memory of 1644	2016	cmd.exe	NTLDR.exe

C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
"C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:528

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'NTLDR.exe"' /tr "'C:\Users\Admin\AppData\Roaming\NTLDR.exe"'
2⤵
- Creates scheduled task(s)
PID:340

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7AEA.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:2016

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1652

C:\Users\Admin\AppData\Roaming\NTLDR.exe
"C:\Users\Admin\AppData\Roaming\NTLDR.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7AEA.tmp.bat
MD5
8553ab53fe91e9da95da6ce8b428c788

SHA1
d01881b782a6c7c14fd026b45bf7ede835a839ed

SHA256
666f2deed77b41dcd7f2e4e0a8ad66df62e4e762bf49d68b767ba12f8b83ee91

SHA512
ab3b705d5ee1b2c2648b71eaca7cf8b4c6b49266eb3049d6958dec1aebda070ba5a77f9a38c028ad4eebb543e285a9ef1090b8072c707078366a4b5d31bf443b

Download Submit
C:\Users\Admin\AppData\Roaming\NTLDR.exe
MD5
313d4fa72d35f63d675ba7497ae4e9b5

SHA1
99a191be0fe46b618478bbd16822764cb4b2d0a8

SHA256
701ad2ce29179eb4cb60153075286a899f023f7dc9005dad53de646f3017efb7

SHA512
a9d4af9abe0cbcf1b5c313dbc6f2504b1ae47c7ecb1c41cc7e29e18c684387d94a80ad583c67ed733e33af7d33abbc9139ee2b3d604e425b2fd7503d58a735af

Download Submit
C:\Users\Admin\AppData\Roaming\NTLDR.exe
MD5
313d4fa72d35f63d675ba7497ae4e9b5

SHA1
99a191be0fe46b618478bbd16822764cb4b2d0a8

SHA256
701ad2ce29179eb4cb60153075286a899f023f7dc9005dad53de646f3017efb7

SHA512
a9d4af9abe0cbcf1b5c313dbc6f2504b1ae47c7ecb1c41cc7e29e18c684387d94a80ad583c67ed733e33af7d33abbc9139ee2b3d604e425b2fd7503d58a735af

Download Submit
memory/528-54-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/528-55-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1644-59-0x0000000000070000-0x000000000007C000-memory.dmp

Filesize
48KB

Download
memory/1644-60-0x0000000000530000-0x0000000000532000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads