nworm | 1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2 | Triage

Sharing

General

Target

EncKAO.vbs
Size

3KB
Sample

220222-xr3z9aceh6
MD5

fa584c2b021aed55aff0c764aee1cff0
SHA1

327e83c2886c42896804ab87ca6996cb621e9b71
SHA256

1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2
SHA512

a3db7960aa642cd61f499bda0f5892d2b7f939a65252842651472e963ca24ae9ebc7e51cb95e5c424b5dc8b0316333268edb902bb1be713621e4e11c5ecbe18e

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

- Target
  
  EncKAO.vbs
- Size
  
  3KB
- MD5
  
  fa584c2b021aed55aff0c764aee1cff0
- SHA1
  
  327e83c2886c42896804ab87ca6996cb621e9b71
- SHA256
  
  1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2
- SHA512
  
  a3db7960aa642cd61f499bda0f5892d2b7f939a65252842651472e963ca24ae9ebc7e51cb95e5c424b5dc8b0316333268edb902bb1be713621e4e11c5ecbe18e
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm