nworm | 4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e

General

Target

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Size

19KB
MD5

8cdf4af6c295da278178651186da9347
SHA1

4edd98af3bb46ad5484f97c2470d8ec2a53018ab
SHA256

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e
SHA512

d8cbffd7aea77a7ce4554f5d72c29a15ab608dd06e481fce161ea9cfa5f91e5e1a9682827f0dc41a22e374ccf09ff8c6b2792eb8ad67575b00d11cff0d4f6b90

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

24.101.169.101:4782

192.168.1.20:4782

Mutex

85224873

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

NTLDR.exe

pid process

1748 NTLDR.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3968 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3372 timeout.exe

pid	process
1748	NTLDR.exe

pid	process
3968	schtasks.exe

pid	process
3372	timeout.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exeNTLDR.exe

pid	process
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe
1748	NTLDR.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exeNTLDR.exe

description	pid	process
Token: SeDebugPrivilege	2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
Token: SeDebugPrivilege	1748	NTLDR.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.execmd.exe

description	pid	process	target process
PID 2660 wrote to memory of 3968	2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	schtasks.exe
PID 2660 wrote to memory of 3968	2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	schtasks.exe
PID 2660 wrote to memory of 1696	2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	cmd.exe
PID 2660 wrote to memory of 1696	2660	4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe	cmd.exe
PID 1696 wrote to memory of 3372	1696	cmd.exe	timeout.exe
PID 1696 wrote to memory of 3372	1696	cmd.exe	timeout.exe
PID 1696 wrote to memory of 1748	1696	cmd.exe	NTLDR.exe
PID 1696 wrote to memory of 1748	1696	cmd.exe	NTLDR.exe

C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe
"C:\Users\Admin\AppData\Local\Temp\4df93d81835ebe38c0cc5e7ff06c5edbb04993e05bb8792866272d022596ad8e.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'NTLDR.exe"' /tr "'C:\Users\Admin\AppData\Roaming\NTLDR.exe"'
2⤵
- Creates scheduled task(s)
PID:3968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp54D3.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:1696

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:3372

C:\Users\Admin\AppData\Roaming\NTLDR.exe
"C:\Users\Admin\AppData\Roaming\NTLDR.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1748

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp54D3.tmp.bat
MD5
8553ab53fe91e9da95da6ce8b428c788

SHA1
d01881b782a6c7c14fd026b45bf7ede835a839ed

SHA256
666f2deed77b41dcd7f2e4e0a8ad66df62e4e762bf49d68b767ba12f8b83ee91

SHA512
ab3b705d5ee1b2c2648b71eaca7cf8b4c6b49266eb3049d6958dec1aebda070ba5a77f9a38c028ad4eebb543e285a9ef1090b8072c707078366a4b5d31bf443b

Download Submit
C:\Users\Admin\AppData\Roaming\NTLDR.exe
MD5
b9b478296f273d8e8b04e8f0385eff1c

SHA1
3cf7e2f4711394f6603dead2457379d2e6c0897e

SHA256
d63d1fbffd40c9d2e44cf2653a61f0231953c299862c05ed19c878aaaa5e696f

SHA512
75797dde22b0ef972b7403883644e9cae0776ae38ebbebef8c326a0c5a465af5bb43db92c5f0bd7f050b1d2c5fa014d7542e989bd3db1368ec2a79eda70384ca

Download Submit
C:\Users\Admin\AppData\Roaming\NTLDR.exe
MD5
b9b478296f273d8e8b04e8f0385eff1c

SHA1
3cf7e2f4711394f6603dead2457379d2e6c0897e

SHA256
d63d1fbffd40c9d2e44cf2653a61f0231953c299862c05ed19c878aaaa5e696f

SHA512
75797dde22b0ef972b7403883644e9cae0776ae38ebbebef8c326a0c5a465af5bb43db92c5f0bd7f050b1d2c5fa014d7542e989bd3db1368ec2a79eda70384ca

Download Submit
memory/1748-121-0x000000001AE90000-0x000000001AE92000-memory.dmp

Filesize
8KB

Download
memory/2660-116-0x0000000000C10000-0x0000000000C1C000-memory.dmp

Filesize
48KB

Download
memory/2660-117-0x000000001B8A0000-0x000000001B8A2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads