nworm | 5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8

General

Target

5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
Size

19KB
MD5

8e63a02d166c9c36bfacfa97f3056276
SHA1

fb738d4a90b7ed4c7e5be5ef7932166bb7854b91
SHA256

5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8
SHA512

dc11f40d9b61acf259ab664bcd0fc059d43a84fc57c92dfc6e23ee2b8142d6c6bdef3e495ec53608eb5d267c238e3bca6ada1fcc3c3e3a680bc9bb9773100c6a

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

padama600.ddns.net:1177

Mutex

b38e461c

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

winServices.exe

pid process

1148 winServices.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1836 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

768 timeout.exe

pid	process
1148	winServices.exe

pid	process
1836	schtasks.exe

pid	process
768	timeout.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exewinServices.exe

description	pid	process
Token: SeDebugPrivilege	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
Token: SeDebugPrivilege	1148	winServices.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.execmd.exe

description	pid	process	target process
PID 1396 wrote to memory of 1836	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe	schtasks.exe
PID 1396 wrote to memory of 1836	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe	schtasks.exe
PID 1396 wrote to memory of 1836	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe	schtasks.exe
PID 1396 wrote to memory of 900	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe	cmd.exe
PID 1396 wrote to memory of 900	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe	cmd.exe
PID 1396 wrote to memory of 900	1396	5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe	cmd.exe
PID 900 wrote to memory of 768	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 768	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 768	900	cmd.exe	timeout.exe
PID 900 wrote to memory of 1148	900	cmd.exe	winServices.exe
PID 900 wrote to memory of 1148	900	cmd.exe	winServices.exe
PID 900 wrote to memory of 1148	900	cmd.exe	winServices.exe

C:\Users\Admin\AppData\Local\Temp\5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe
"C:\Users\Admin\AppData\Local\Temp\5317cc2ea842337b08c2a510263885b2eba67f175fcea597a39382d8251148f8.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1396

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'winServices.exe"' /tr "'C:\Users\Admin\AppData\Roaming\winServices.exe"'
2⤵
- Creates scheduled task(s)
PID:1836

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7CED.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:900

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:768

C:\Users\Admin\AppData\Roaming\winServices.exe
"C:\Users\Admin\AppData\Roaming\winServices.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1148

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp7CED.tmp.bat
MD5
368e1f9aa37e289794184cc055fffe29

SHA1
8d9c69ec2c47999db78b39b47309e4325881a999

SHA256
dae24c56aa93b1ce5c430fdd12ca1f71ea67d9cf6c14d15f7ff85a8b804ad168

SHA512
4b6c5d5eb3f16b4a25540f392dcaa111782b58a4c0ef04b28b6a5c9f04843c4d9dbd258e10b0e9c203109ba859b87d96f68d70196a84cfd0e065de6fb6ecb979

Download Submit
C:\Users\Admin\AppData\Roaming\winServices.exe
MD5
37c784fe33deda1c85d2d458522dcb44

SHA1
2456e4de8d0317bb35be47a03b4d57008ffc8276

SHA256
80c67498b1d7d794004bbf66b608cb5b4ab3b7411335586efe492e5c57d4980c

SHA512
3256d07fbe9b1ff2d7232be0e83523759da169ffe2932d2e83419b22bc4726d8fee8f4e690c22aaf943a3a5b3a775e40c8575b86dad1dbd3f95b8262999af45b

Download Submit
C:\Users\Admin\AppData\Roaming\winServices.exe
MD5
37c784fe33deda1c85d2d458522dcb44

SHA1
2456e4de8d0317bb35be47a03b4d57008ffc8276

SHA256
80c67498b1d7d794004bbf66b608cb5b4ab3b7411335586efe492e5c57d4980c

SHA512
3256d07fbe9b1ff2d7232be0e83523759da169ffe2932d2e83419b22bc4726d8fee8f4e690c22aaf943a3a5b3a775e40c8575b86dad1dbd3f95b8262999af45b

Download Submit
memory/1148-59-0x0000000000880000-0x000000000088C000-memory.dmp

Filesize
48KB

Download
memory/1148-60-0x000000001AC80000-0x000000001AC82000-memory.dmp

Filesize
8KB

Download
memory/1396-54-0x0000000000840000-0x000000000084C000-memory.dmp

Filesize
48KB

Download
memory/1396-55-0x000007FEFC081000-0x000007FEFC083000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads