nworm | 030fb292c8fedebe01ff5929c737df216dfde678e14fbf47ac70c7a21f630cb7 | Triage

Sharing

General

Target

ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.VBS
Size

10KB
Sample

220210-xgx19aafhm
MD5

d0be9b310cf06899b65ff3db8c6b20a7
SHA1

ce3d7dabd54f6c8c995cde52cf4be2bc30653965
SHA256

030fb292c8fedebe01ff5929c737df216dfde678e14fbf47ac70c7a21f630cb7
SHA512

11b04987b28603549e641907c7a2d2af58303df5628c669bbbb37ec6079767675aabe921e59e67dfea04a629c6afc8b9622dd7e395e261bab7cdb855153f204e

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

- Target
  
  ISSVULHWACHLPTGHUNSEZBHITDJCYSVUKKGQHLSCPYQYLHSHFDDDKXHBOOLHYAHOOCFW.VBS
- Size
  
  10KB
- MD5
  
  d0be9b310cf06899b65ff3db8c6b20a7
- SHA1
  
  ce3d7dabd54f6c8c995cde52cf4be2bc30653965
- SHA256
  
  030fb292c8fedebe01ff5929c737df216dfde678e14fbf47ac70c7a21f630cb7
- SHA512
  
  11b04987b28603549e641907c7a2d2af58303df5628c669bbbb37ec6079767675aabe921e59e67dfea04a629c6afc8b9622dd7e395e261bab7cdb855153f204e
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm