nworm | 065a406f34b5752752a396d8cc6778887565860c89ab10ed9f7a8059f216e87f | Triage

Sharing

General

Target

GWQOPR308UMK.vbs
Size

6KB
Sample

220210-gtrf8sfbep
MD5

2902fe58837ed5560bb44c8fbfc80189
SHA1

9c1001a224f93fd1b6c06fad5ae15595cc57a345
SHA256

065a406f34b5752752a396d8cc6778887565860c89ab10ed9f7a8059f216e87f
SHA512

28cb4f6cd40532d6a9d48c18e9529c7dbb54d7d05d00e5eaddd278149c14166f2627d4a3febd861f9f5913f30c9e0d11c80a72c52fde6e85c25da8c42a48078d

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

http://54.235.58.2/2/Ps1HDF.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

- Target
  
  GWQOPR308UMK.vbs
- Size
  
  6KB
- MD5
  
  2902fe58837ed5560bb44c8fbfc80189
- SHA1
  
  9c1001a224f93fd1b6c06fad5ae15595cc57a345
- SHA256
  
  065a406f34b5752752a396d8cc6778887565860c89ab10ed9f7a8059f216e87f
- SHA512
  
  28cb4f6cd40532d6a9d48c18e9529c7dbb54d7d05d00e5eaddd278149c14166f2627d4a3febd861f9f5913f30c9e0d11c80a72c52fde6e85c25da8c42a48078d
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm