Extracted

• • Target

    7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2.vbs

  • Size

    6KB

  • MD5

    74f58ac31a1f70bb4c704f31074882c0

  • SHA1

    247ab701feff34cef747bf8e388b3639b8af9084

  • SHA256

    7c1862829839b836c1c21bb92e65316c1148efefab2028eccf91231bc50fe2c2

  • SHA512

    14e0e9a5f63e6b3807378a297146ba08ebdfbc73ff3ed27741761b22d53d3be59bcaa5ff2e06caa6d8d6f2e9d0f6fef9c530260d80fb61d50ea8ad904d990169

  Score

  10^/10

  nwormdownloaderworm

  • NWorm

    A TrickBot module used to propagate to vulnerable domain controllers.

    wormdownloadernworm

  • Process spawned unexpected child process

    This typically indicates the parent process was compromised via an exploit or macro.

  • Blocklisted process makes network request

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory

  • Suspicious use of SetThreadContext

  behavioral1behavioral2