nworm | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c

General

Target

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
Size

17KB
MD5

6f2ad7446177481ecfd632922d95bc44
SHA1

783accf5d9107b0a68860a33bfcb939ffeb50153
SHA256

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c
SHA512

3a1c54368844dbf9acdecd63504c005c08c068dea4123783a59e458ad3f97e769ee4ece181450013a16ed56fa602c1a03f11bb9d93b79f019297d49ea3809890

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

updateservice.linkpc.net:81

ainda.dyndns.org:81

Mutex

debff03b

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

sql.exe

pid process

1692 sql.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

580 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

588 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe

description pid process

Token: SeDebugPrivilege 1624 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe

pid	process
1692	sql.exe

pid	process
580	schtasks.exe

pid	process
588	timeout.exe

description	pid	process
Token: SeDebugPrivilege	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.execmd.exe

description	pid	process	target process
PID 1624 wrote to memory of 580	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	schtasks.exe
PID 1624 wrote to memory of 580	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	schtasks.exe
PID 1624 wrote to memory of 580	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	schtasks.exe
PID 1624 wrote to memory of 548	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	cmd.exe
PID 1624 wrote to memory of 548	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	cmd.exe
PID 1624 wrote to memory of 548	1624	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	cmd.exe
PID 548 wrote to memory of 588	548	cmd.exe	timeout.exe
PID 548 wrote to memory of 588	548	cmd.exe	timeout.exe
PID 548 wrote to memory of 588	548	cmd.exe	timeout.exe
PID 548 wrote to memory of 1692	548	cmd.exe	sql.exe
PID 548 wrote to memory of 1692	548	cmd.exe	sql.exe
PID 548 wrote to memory of 1692	548	cmd.exe	sql.exe

C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
"C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'sql.exe"' /tr "'C:\Users\Admin\AppData\Roaming\sql.exe"'
2⤵
- Creates scheduled task(s)
PID:580

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5F20.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:548

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:588

C:\Users\Admin\AppData\Roaming\sql.exe
"C:\Users\Admin\AppData\Roaming\sql.exe"
3⤵
- Executes dropped EXE
PID:1692

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5F20.tmp.bat
MD5
01a0ba1adecd0b85adead670ed922c41

SHA1
5751f30fc0e16f54b6e7f68ec61d720dee9c9f72

SHA256
51775580c24aeec9e28c623771a5ef154e12f1307723953e0bd18e4d2ce9a4f1

SHA512
ca68ba4ae33795e092236abce08b3d5ab9cde69e65e183c9fdd7c15cd6575b2e7e4a0a82df1362c79802db439054e38542bef733431ee4ebae3c178ea7f506d6

Download Submit
C:\Users\Admin\AppData\Roaming\sql.exe
MD5
29c267b371e29ad235cab0f266994e5a

SHA1
9aa265d3ffd94fca7faf7593d5f3e2cf732d2ad3

SHA256
7e308727ba0027385116978ccaeb8ff0e45cf362170967672b1e10d17507197c

SHA512
832bf8f38c085ca4440c9292f623d5b60f67174b4c22b19e87b546d7c013ebd0ea6192cd8c9f9bbdbc631eb9f5b4be05637d2bc2ca395b5dd63507e309edb0c9

Download Submit
C:\Users\Admin\AppData\Roaming\sql.exe
MD5
29c267b371e29ad235cab0f266994e5a

SHA1
9aa265d3ffd94fca7faf7593d5f3e2cf732d2ad3

SHA256
7e308727ba0027385116978ccaeb8ff0e45cf362170967672b1e10d17507197c

SHA512
832bf8f38c085ca4440c9292f623d5b60f67174b4c22b19e87b546d7c013ebd0ea6192cd8c9f9bbdbc631eb9f5b4be05637d2bc2ca395b5dd63507e309edb0c9

Download Submit
memory/1624-54-0x0000000000CA0000-0x0000000000CAA000-memory.dmp

Filesize
40KB

Download
memory/1624-55-0x000007FEFC321000-0x000007FEFC323000-memory.dmp

Filesize
8KB

Download
memory/1692-59-0x00000000002F0000-0x00000000002FA000-memory.dmp

Filesize
40KB

Download
memory/1692-60-0x000000001ABC0000-0x000000001ABC2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads