nworm | 386128b90172d3ff50f69382446600ac2703d5a50907c02aac25db73c7be50b1 | Triage

Sharing

General

Target

TWG001.iso
Size

78KB
Sample

220127-tk8elsgah3
MD5

80b1a34d71b4d5c0b99c19a6259cd93e
SHA1

6e121478150517b52c75e99c8d94538763fad0f1
SHA256

386128b90172d3ff50f69382446600ac2703d5a50907c02aac25db73c7be50b1
SHA512

a1bda63df68c72b580fd3fcfd84e3dd3425cdd799dbba0b1b9154fd107036a819aac90ad0e749da797d01d24abb4dc9972f6ca468c55b1eb9015cbb11f7d5838

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://15.188.246.78/Q/RILSXDKOPJHN.TXT

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoney02.duckdns.org:9031

Mutex

2e3fb6d0

Targets

- Target
  
  OHTEYYRNYRTUOHCKYTYP.vbs
- Size
  
  17KB
- MD5
  
  e04e4cb7e410b885babba54cd59d5ae9
- SHA1
  
  4a4c1dc6d7a391aba21719e2b5595c11a172fd8c
- SHA256
  
  1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4
- SHA512
  
  b1824f04a2b3a270a54aaba06efacd06af36d8f508fe4b41dcf6bf3901c129c063d77eaa79d5b2fca3b92cac07aad36a4178af188d3f3bb5b4af227b87cb7941
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm