nworm | dae8a21a0a648fdfaab4e7b927cee26d3f600ea3a6732f52490a64f167128f0e | Triage

Sharing

General

Target

BSQ002.iso
Size

602KB
Sample

220211-s5w2msedfj
MD5

6e2bfca0d5c3861fe2da777399f32f6a
SHA1

e0846e536decdad46df8353c07e90abb9760b8a4
SHA256

dae8a21a0a648fdfaab4e7b927cee26d3f600ea3a6732f52490a64f167128f0e
SHA512

2f400b160a0ab239dd901c871caa85f0937b221227c93b46c0f2453331d6e3cfc67ce49fa7db8ce7a84042195f132e939de80e6b592df0cf79d41e543ec454cf

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

- Target
  
  DRGRKEYUTGCHG.VBS
- Size
  
  10KB
- MD5
  
  bd8dffacd8333c2cec6b8eb794965631
- SHA1
  
  28feabf6ee95f521c0ba21e4014b372d2553abd5
- SHA256
  
  e700d9c14903adf9a197c4264b53dd06ec47375de4b07b50df49a97052119930
- SHA512
  
  e900eede39e73529e1c8296d314ba3f4e25397a7bfff45b8e418f23e267f7e1369c69ce36d32e3d93938873cfd275221b42ef8cb6ad80e4c039d46d52fa7e52c
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm