Analysis
-
max time kernel
92s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-en-20220112 -
submitted
08-03-2022 17:30
General
-
Target
file1.ps1
-
Size
132KB
-
MD5
9777539c560bfd297cc2574c37fa5b21
-
SHA1
4eb088f40d4cb02590c7299ac7e2c0d609680e1e
-
SHA256
be4f0c6439bdba738482ea253cde60f3347afd86b284362f83b510a0034b693a
-
SHA512
dc3ca59771b57826cd8714c4335ffbdecddd155e234309dd812d0db7bb2a21b590bd73c57d5270f2083e6f616fbf2265f955654ae5f091d9f820ae64beea1e96
Malware Config
Extracted
nworm
v0.3.8
nyanwmoney.duckdns.org:8891
594274bc
Signatures
-
NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
-
Suspicious use of SetThreadContext 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 10 IoCs
Processes
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\file1.ps11⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps12⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"3⤵
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1MD5
96cbd4ee164e4feb93152e2ef2d0e229
SHA12f5963d3042b87d5e3684a8c1de74e3543aad81e
SHA2562926650956ac94279c598ba4b761eac9fa34e49e8fe19580adf8c62fd2fac15a
SHA51248df582b45e09a85e94d60502a1d5f68412ea1325d81ceb2256c5a142d09f4db57e2e6f746a55458276aa8d3d9af59ce66219489d9aa9b73c5dac2c8a7d27b5b
-
memory/2948-152-0x000001BEF4BE0000-0x000001BEF4BFA000-memory.dmpFilesize
104KB
-
memory/2948-151-0x000001BEF4C16000-0x000001BEF4C18000-memory.dmpFilesize
8KB
-
memory/2948-150-0x000001BEF4C13000-0x000001BEF4C15000-memory.dmpFilesize
8KB
-
memory/2948-149-0x000001BEF4C10000-0x000001BEF4C12000-memory.dmpFilesize
8KB
-
memory/2948-148-0x00007FFE676E0000-0x00007FFE681A1000-memory.dmpFilesize
10.8MB
-
memory/3684-140-0x0000020F06473000-0x0000020F06475000-memory.dmpFilesize
8KB
-
memory/3684-134-0x0000020F07DF0000-0x0000020F07E12000-memory.dmpFilesize
136KB
-
memory/3684-139-0x0000020F06470000-0x0000020F06472000-memory.dmpFilesize
8KB
-
memory/3684-138-0x0000020F06476000-0x0000020F06478000-memory.dmpFilesize
8KB
-
memory/3684-137-0x00007FFE676E0000-0x00007FFE681A1000-memory.dmpFilesize
10.8MB
-
memory/4016-153-0x0000000000400000-0x000000000040A000-memory.dmpFilesize
40KB
-
memory/4016-154-0x0000000074A30000-0x00000000751E0000-memory.dmpFilesize
7.7MB
-
memory/4016-155-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/4016-156-0x0000000005410000-0x00000000054AC000-memory.dmpFilesize
624KB
-
memory/4016-157-0x0000000005A60000-0x0000000006004000-memory.dmpFilesize
5.6MB
-
memory/4016-158-0x00000000054B0000-0x0000000005516000-memory.dmpFilesize
408KB