Overview

overview

10

Static

static

WZQNBDSLVG...YE.ps1

windows7_x64

1

WZQNBDSLVG...YE.ps1

windows10-2004_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    22-02-2022 18:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    WZQNBDSLVGAWPUXJRUVDYE.ps1

  • Size

    130KB

  • MD5

    3fbbaee606b9fa5ed730aab0c6123ce0

  • SHA1

    a38435566b572cd77b2b5521cf50d830518ba9cf

  • SHA256

    2d89ba4be26780c15328677895a43b6b31791a25105892d562cacf7fc902299d

  • SHA512

    9cb3c6aa7021c09ec5c54520066fea23195e87c5cac41b2eba7bd8a0f31edc23414ebe4bbe3524ebcc2e100c3aec179987e58e11587205d4242302fa92b33f2f

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057
Mutex

cb2d3cba

Signatures

  • NWorm

    A TrickBot module used to propagate to vulnerable domain controllers.

    wormdownloadernworm
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\WZQNBDSLVGAWPUXJRUVDYE.ps1
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3572
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      2⤵
        PID:2796

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2796-142-0x0000000000400000-0x000000000040A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2796-144-0x000000007500E000-0x000000007500F000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2796-145-0x00000000054A0000-0x00000000054A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2796-146-0x0000000005730000-0x00000000057CC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2796-147-0x0000000005D80000-0x0000000006324000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/2796-148-0x00000000057D0000-0x0000000005836000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3572-130-0x00007FFB81073000-0x00007FFB81075000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3572-135-0x000001E62B510000-0x000001E62B532000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3572-139-0x000001E62A833000-0x000001E62A835000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3572-138-0x000001E62A830000-0x000001E62A832000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3572-140-0x000001E62A836000-0x000001E62A838000-memory.dmp
      Filesize

      8KB

      Download
    • memory/3572-141-0x000001E62B690000-0x000001E62B6AA000-memory.dmp
      Filesize

      104KB

      Download