nworm | 1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4 | Triage

Sharing

General

Target

OHTEYYRNYRTUOHCKYTYP.vbs
Size

17KB
Sample

220128-kwk9saagc9
MD5

e04e4cb7e410b885babba54cd59d5ae9
SHA1

4a4c1dc6d7a391aba21719e2b5595c11a172fd8c
SHA256

1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4
SHA512

b1824f04a2b3a270a54aaba06efacd06af36d8f508fe4b41dcf6bf3901c129c063d77eaa79d5b2fca3b92cac07aad36a4178af188d3f3bb5b4af227b87cb7941

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://15.188.246.78/Q/RILSXDKOPJHN.TXT

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoney02.duckdns.org:9031

Mutex

2e3fb6d0

Targets

- Target
  
  OHTEYYRNYRTUOHCKYTYP.vbs
- Size
  
  17KB
- MD5
  
  e04e4cb7e410b885babba54cd59d5ae9
- SHA1
  
  4a4c1dc6d7a391aba21719e2b5595c11a172fd8c
- SHA256
  
  1b976a1fa26c4118d09cd6b1eaeceafccc783008c22da58d6f5b1b3019fa1ba4
- SHA512
  
  b1824f04a2b3a270a54aaba06efacd06af36d8f508fe4b41dcf6bf3901c129c063d77eaa79d5b2fca3b92cac07aad36a4178af188d3f3bb5b4af227b87cb7941
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm