nworm | 6b235c95eed670e95d5d6a62ce5cb81207cfa20f7c677c715a3fee9297810e3d | Triage

Submit
Reports

Overview

overview

Static

static

KTROWQANB.vbs

windows7_x64

KTROWQANB.vbs

windows10-2004_x64

Sharing

General

Target

KTROWQANB.vbs
Size

6KB
Sample

220210-gtrf8sfben
MD5

ae14df44e1c761f6ffd4f775e9c890dd
SHA1

53960358beadf51da65921775f40d63770834ff0
SHA256

6b235c95eed670e95d5d6a62ce5cb81207cfa20f7c677c715a3fee9297810e3d
SHA512

c919b3c70f986095dc0eaf2004a54c28766e77e4398b09697c11dee80c6d5325f0c6570fb57a2df894daf0714552dfb1638c99d8c5e77142d811d5b958440ce4

Score

10^/10

nworm downloader worm

Static task

static1

Behavioral task

behavioral1

Sample

KTROWQANB.vbs

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

KTROWQANB.vbs

Resource

win10v2004-en-20220112

nworm downloader worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://54.235.58.2/2/Ps1HDF.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

- Target
  
  KTROWQANB.vbs
- Size
  
  6KB
- MD5
  
  ae14df44e1c761f6ffd4f775e9c890dd
- SHA1
  
  53960358beadf51da65921775f40d63770834ff0
- SHA256
  
  6b235c95eed670e95d5d6a62ce5cb81207cfa20f7c677c715a3fee9297810e3d
- SHA512
  
  c919b3c70f986095dc0eaf2004a54c28766e77e4398b09697c11dee80c6d5325f0c6570fb57a2df894daf0714552dfb1638c99d8c5e77142d811d5b958440ce4
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm

© 2018-2024

Terms | Privacy