nworm | 32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559 | Triage

Submit
Reports

Overview

overview

Static

static

ServerFAH.ps1

windows7_x64

ServerFAH.ps1

windows10-2004_x64

Sharing

General

Target

ServerFAH.ps1
Size

134KB
Sample

220222-w12m4scbe8
MD5

327fee2e572cf6b3b337fded32308189
SHA1

8046a0f02d0673d3833b40bc5ac885b0a8891079
SHA256

32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559
SHA512

be2e0938b929177621c7b9d324c2245ecef46e9b9b1b93204e1663edc2e9ee12f05e3e350362f7a6863d906bff2eb3e3b804a66d05a5c4cb4e87a7175b12bea8

Score

10^/10

nworm downloader worm

Static task

static1

Behavioral task

behavioral1

Sample

ServerFAH.ps1

Resource

win7-en-20211208

windows7_x64

0 signatures

0 seconds

Behavioral task

behavioral2

Sample

ServerFAH.ps1

Resource

win10v2004-en-20220112

nworm downloader worm

windows10-2004_x64

0 signatures

0 seconds

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

- Target
  
  ServerFAH.ps1
- Size
  
  134KB
- MD5
  
  327fee2e572cf6b3b337fded32308189
- SHA1
  
  8046a0f02d0673d3833b40bc5ac885b0a8891079
- SHA256
  
  32060ba18c4ed29f6a441b6193a2e6376bb43c752709558f046e9365b7275559
- SHA512
  
  be2e0938b929177621c7b9d324c2245ecef46e9b9b1b93204e1663edc2e9ee12f05e3e350362f7a6863d906bff2eb3e3b804a66d05a5c4cb4e87a7175b12bea8
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm

© 2018-2024

Terms | Privacy