Overview

overview

10

Static

static

ServR43.ps1

windows7_x64

1

ServR43.ps1

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ServR43.ps1

  • Size

    124KB

  • Sample

    220210-vxkpraaehm

  • MD5

    f44c5104f399e5c2d04db77efefbf8f5

  • SHA1

    d4fb1887e9c84d5aece99a0849c64661e01a3138

  • SHA256

    4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf

  • SHA512

    6c40afe943d16eb2bc55a1035806ad68406203b833a1ca34212625d0c52b5f48008da5c8bbb058c59cd561b6820f84cf02cefb3cfd17bb2ea7508a8f6e79cdc0

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057
Mutex

cb2d3cba

Targets

    • Target

      ServR43.ps1

    • Size

      124KB

    • MD5

      f44c5104f399e5c2d04db77efefbf8f5

    • SHA1

      d4fb1887e9c84d5aece99a0849c64661e01a3138

    • SHA256

      4c391b57d604c695925938bfc10ceb4673edd64e9655759c2aead9e12b3e17cf

    • SHA512

      6c40afe943d16eb2bc55a1035806ad68406203b833a1ca34212625d0c52b5f48008da5c8bbb058c59cd561b6820f84cf02cefb3cfd17bb2ea7508a8f6e79cdc0

    Score
    10/10
    nwormdownloaderworm

    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

      wormdownloadernworm

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks