General

  • Target

    STJQYIULUDCELUOGYJKBGX.vbs

  • Size

    6KB

  • Sample

    220215-cl9wdscbbr

  • MD5

    74f58ac31a1f70bb4c704f31074882c0

  • SHA1

    247ab701feff34cef747bf8e388b3639b8af9084

  • SHA256

    7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2

  • SHA512

    14e0e9a5f63e6b3807378a297146ba08ebdfbc73ff3ed27741761b22d53d3be59bcaa5ff2e06caa6d8d6f2e9d0f6fef9c530260d80fb61d50ea8ad904d990169

Score
10/10

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

    • Target

      STJQYIULUDCELUOGYJKBGX.vbs

    • Size

      6KB

    • MD5

      74f58ac31a1f70bb4c704f31074882c0

    • SHA1

      247ab701feff34cef747bf8e388b3639b8af9084

    • SHA256

      7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2

    • SHA512

      14e0e9a5f63e6b3807378a297146ba08ebdfbc73ff3ed27741761b22d53d3be59bcaa5ff2e06caa6d8d6f2e9d0f6fef9c530260d80fb61d50ea8ad904d990169

    Score
    10/10
    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks