nworm | 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c

General

Target

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
Size

17KB
MD5

6f2ad7446177481ecfd632922d95bc44
SHA1

783accf5d9107b0a68860a33bfcb939ffeb50153
SHA256

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c
SHA512

3a1c54368844dbf9acdecd63504c005c08c068dea4123783a59e458ad3f97e769ee4ece181450013a16ed56fa602c1a03f11bb9d93b79f019297d49ea3809890

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

updateservice.linkpc.net:81

ainda.dyndns.org:81

Mutex

debff03b

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm
Executes dropped EXE 1 IoCs

Processes:

sql.exe

pid process

2052 sql.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3648 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2396 timeout.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe

description pid process

Token: SeDebugPrivilege 3532 6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe

pid	process
2052	sql.exe

pid	process
3648	schtasks.exe

pid	process
2396	timeout.exe

description	pid	process
Token: SeDebugPrivilege	3532	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.execmd.exe

description	pid	process	target process
PID 3532 wrote to memory of 3648	3532	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	schtasks.exe
PID 3532 wrote to memory of 3648	3532	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	schtasks.exe
PID 3532 wrote to memory of 4036	3532	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	cmd.exe
PID 3532 wrote to memory of 4036	3532	6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe	cmd.exe
PID 4036 wrote to memory of 2396	4036	cmd.exe	timeout.exe
PID 4036 wrote to memory of 2396	4036	cmd.exe	timeout.exe
PID 4036 wrote to memory of 2052	4036	cmd.exe	sql.exe
PID 4036 wrote to memory of 2052	4036	cmd.exe	sql.exe

C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe
"C:\Users\Admin\AppData\Local\Temp\6eccc9b1ec733f8e229e2b523942c8947208da6625f251f64e10680228f42f9c.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3532

C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /sc ONLOGON /RL HIGHEST /tn "'sql.exe"' /tr "'C:\Users\Admin\AppData\Roaming\sql.exe"'
2⤵
- Creates scheduled task(s)
PID:3648

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp6CDF.tmp.bat""
2⤵
- Suspicious use of WriteProcessMemory
PID:4036

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:2396

C:\Users\Admin\AppData\Roaming\sql.exe
"C:\Users\Admin\AppData\Roaming\sql.exe"
3⤵
- Executes dropped EXE
PID:2052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp6CDF.tmp.bat
MD5
01a0ba1adecd0b85adead670ed922c41

SHA1
5751f30fc0e16f54b6e7f68ec61d720dee9c9f72

SHA256
51775580c24aeec9e28c623771a5ef154e12f1307723953e0bd18e4d2ce9a4f1

SHA512
ca68ba4ae33795e092236abce08b3d5ab9cde69e65e183c9fdd7c15cd6575b2e7e4a0a82df1362c79802db439054e38542bef733431ee4ebae3c178ea7f506d6

Download Submit
C:\Users\Admin\AppData\Roaming\sql.exe
MD5
c9bce658a2b193c150f3adb55b1f4473

SHA1
60d65091906b70b3b6150f3b68e6eb4b79d28815

SHA256
0b11f19b94696de2cb209ba231dc1c194c2ee7f2f064233088af21c78dba0e78

SHA512
0c6d3f1f1312275c66df690df9fe85a339bf92b3199a35e2ffbea5b82dd4f99d261dbf857ac65f2e36ff613797ac4c244b2646b9a985c8ce40f9feeed316e2c2

Download Submit
C:\Users\Admin\AppData\Roaming\sql.exe
MD5
c9bce658a2b193c150f3adb55b1f4473

SHA1
60d65091906b70b3b6150f3b68e6eb4b79d28815

SHA256
0b11f19b94696de2cb209ba231dc1c194c2ee7f2f064233088af21c78dba0e78

SHA512
0c6d3f1f1312275c66df690df9fe85a339bf92b3199a35e2ffbea5b82dd4f99d261dbf857ac65f2e36ff613797ac4c244b2646b9a985c8ce40f9feeed316e2c2

Download Submit
memory/2052-120-0x000000001AF90000-0x000000001AF92000-memory.dmp

Filesize
8KB

Download
memory/3532-116-0x0000000000870000-0x000000000087A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads