General

  • Target

    EncKAO.vbs

  • Size

    3KB

  • Sample

    220222-xr3z9aceh6

  • MD5

    fa584c2b021aed55aff0c764aee1cff0

  • SHA1

    327e83c2886c42896804ab87ca6996cb621e9b71

  • SHA256

    1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2

  • SHA512

    a3db7960aa642cd61f499bda0f5892d2b7f939a65252842651472e963ca24ae9ebc7e51cb95e5c424b5dc8b0316333268edb902bb1be713621e4e11c5ecbe18e

Score
10/10

Malware Config

Extracted

Family

nworm

Version

v0.3.8

C2

nyanmoj.duckdns.org:5057

moneyhope81.duckdns.org:5057

Mutex

cb2d3cba

Targets

    • EncKAO.vbs (3KB; same MD5/SHA1/SHA256/SHA512 as listed under General above)

    Score
    10/10
    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely a geofence check.

    • Suspicious use of SetThreadContext

      Setting another thread's context is the usual way an injection or process-hollowing loader redirects execution inside a suspended process.
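The indicators above (the file hashes, the two duckdns.org C2 hosts on port 5057, the mutex) and the "script host spawned an unexpected child" behaviour are what a responder would sweep host telemetry for. The following is an added example, not part of the sandbox report: it matches Sysmon-style events against these IOCs. The event field names, the allowlist of expected script-host children, and the sample log records are constructed assumptions for the example.

```python
"""Sweep Sysmon-style telemetry for the IOCs from the EncKAO.vbs / nworm report.

Added example; the event shapes and sample records below are constructed,
not output of the sandbox run.
"""
from __future__ import annotations

import hashlib

# Indicators copied from the report.
IOC_HASHES = {
    "md5": "fa584c2b021aed55aff0c764aee1cff0",
    "sha1": "327e83c2886c42896804ab87ca6996cb621e9b71",
    "sha256": "1b956ea6626165956ea897d431801376e7189f96e149de1b2ee2fed6944a38b2",
}
C2_HOSTS = {"nyanmoj.duckdns.org", "moneyhope81.duckdns.org"}
C2_PORT = 5057
MUTEX = "cb2d3cba"

# Windows script hosts; a child of one of these is the "unexpected child
# process" behaviour the sandbox flagged. The allowlist is an assumption.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
EXPECTED_SCRIPT_CHILDREN = {"conhost.exe"}


def _host(name: str) -> str:
    """Normalise a DNS name: lower-case, trailing dot removed."""
    return name.strip().lower().rstrip(".")


def _basename(path: str) -> str:
    """Image name without its Windows directory."""
    return path.rsplit("\\", 1)[-1].lower()


def digests(data: bytes) -> dict[str, str]:
    """MD5/SHA1/SHA256 of a blob, keyed like IOC_HASHES, for comparing a found file."""
    return {algo: hashlib.new(algo, data).hexdigest() for algo in IOC_HASHES}


def match_event(ev: dict) -> list[str]:
    """Return the reasons (possibly none) an event matches the report's IOCs."""
    reasons: list[str] = []
    kind = ev.get("kind")
    if kind == "dns" and _host(ev["query"]) in C2_HOSTS:
        reasons.append(f"dns query for C2 host {_host(ev['query'])}")
    elif kind == "net":
        dst = _host(ev.get("dst_host", ""))
        if dst in C2_HOSTS:
            reasons.append(f"connection to C2 host {dst}:{ev['dst_port']}")
        elif ev.get("dst_port") == C2_PORT and dst.endswith(".duckdns.org"):
            # Port plus dynamic-DNS provider only: worth a look, not a verdict.
            reasons.append(f"duckdns host on C2 port {C2_PORT} (weak)")
    elif kind == "proc":
        parent, child = _basename(ev["parent_image"]), _basename(ev["image"])
        if parent in SCRIPT_HOSTS and child not in EXPECTED_SCRIPT_CHILDREN:
            reasons.append(f"{parent} spawned {child}")
    elif kind == "file":
        for algo, digest in IOC_HASHES.items():
            if ev.get(algo, "").lower() == digest:
                reasons.append(f"{algo} matches EncKAO.vbs")
                break
    elif kind == "mutex" and ev["name"] == MUTEX:
        reasons.append(f"mutex {MUTEX} created")
    return reasons


def sweep(events) -> list[tuple[int, list[str]]]:
    """Run match_event over events; return (event id, reasons) for each hit."""
    hits = []
    for ev in events:
        reasons = match_event(ev)
        if reasons:
            hits.append((ev["id"], reasons))
    return hits


# Constructed sample telemetry (assumed field names, not sandbox output).
SAMPLE_EVENTS = [
    {"id": 1, "kind": "file", "path": "C:\\Users\\a\\Downloads\\EncKAO.vbs",
     "sha256": IOC_HASHES["sha256"]},
    {"id": 2, "kind": "proc", "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\cmd.exe"},
    {"id": 3, "kind": "proc", "parent_image": "C:\\Windows\\System32\\wscript.exe",
     "image": "C:\\Windows\\System32\\conhost.exe"},      # expected child, no hit
    {"id": 4, "kind": "dns", "query": "NyanMoj.DuckDNS.org."},
    {"id": 5, "kind": "net", "dst_host": "moneyhope81.duckdns.org", "dst_port": 5057},
    {"id": 6, "kind": "net", "dst_host": "updates.example.com", "dst_port": 443},
    {"id": 7, "kind": "mutex", "name": "cb2d3cba"},
]

if __name__ == "__main__":
    for event_id, reasons in sweep(SAMPLE_EVENTS):
        print(event_id, "; ".join(reasons))
```

The port-only rule is deliberately reported as weak: duckdns.org is a free dynamic-DNS service with plenty of benign users, so only the exact hostnames, the hashes and the mutex are treated as firm matches. Feed `digests()` the bytes of any suspicious .vbs found on a host to compare against the report's hashes.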

MITRE ATT&CK Matrix (ATT&CK v6)

Discovery

    Technique                         ID      Signatures
    Query Registry                    T1012   1
    System Information Discovery      T1082   2

Tasks