Analysis
-
max time kernel
120s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
22-02-2022 18:35
Static task
static1
Behavioral task
behavioral1
Sample
WZQNBDSLVGAWPUXJRUVDYE.ps1
Resource
win7-en-20211208
Behavioral task
behavioral2
Sample
WZQNBDSLVGAWPUXJRUVDYE.ps1
Resource
win10v2004-en-20220112
General
-
Target
WZQNBDSLVGAWPUXJRUVDYE.ps1
-
Size
130KB
-
MD5
3fbbaee606b9fa5ed730aab0c6123ce0
-
SHA1
a38435566b572cd77b2b5521cf50d830518ba9cf
-
SHA256
2d89ba4be26780c15328677895a43b6b31791a25105892d562cacf7fc902299d
-
SHA512
9cb3c6aa7021c09ec5c54520066fea23195e87c5cac41b2eba7bd8a0f31edc23414ebe4bbe3524ebcc2e100c3aec179987e58e11587205d4242302fa92b33f2f
Malware Config
Extracted
nworm
v0.3.8
nyanmoj.duckdns.org:5057
moneyhope81.duckdns.org:5057
cb2d3cba
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Suspicious use of SetThreadContext 1 IoCs
Processes:
powershell.exedescription pid process target process PID 3572 set thread context of 2796 3572 powershell.exe aspnet_compiler.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
powershell.exepid process 3572 powershell.exe 3572 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid process Token: SeDebugPrivilege 3572 powershell.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
powershell.exedescription pid process target process PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe PID 3572 wrote to memory of 2796 3572 powershell.exe aspnet_compiler.exe
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WZQNBDSLVGAWPUXJRUVDYE.ps11⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"2⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/2796-142-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/2796-144-0x000000007500E000-0x000000007500F000-memory.dmpFilesize
4KB
-
memory/2796-145-0x00000000054A0000-0x00000000054A1000-memory.dmpFilesize
4KB
-
memory/2796-146-0x0000000005730000-0x00000000057CC000-memory.dmpFilesize
624KB
-
memory/2796-147-0x0000000005D80000-0x0000000006324000-memory.dmpFilesize
5.6MB
-
memory/2796-148-0x00000000057D0000-0x0000000005836000-memory.dmpFilesize
408KB
-
memory/3572-130-0x00007FFB81073000-0x00007FFB81075000-memory.dmpFilesize
8KB
-
memory/3572-135-0x000001E62B510000-0x000001E62B532000-memory.dmpFilesize
136KB
-
memory/3572-139-0x000001E62A833000-0x000001E62A835000-memory.dmpFilesize
8KB
-
memory/3572-138-0x000001E62A830000-0x000001E62A832000-memory.dmpFilesize
8KB
-
memory/3572-140-0x000001E62A836000-0x000001E62A838000-memory.dmpFilesize
8KB
-
memory/3572-141-0x000001E62B690000-0x000001E62B6AA000-memory.dmpFilesize
104KB