nworm | 36e82f18e72113f24a5460ed87f67dab158c6f3b342422287bdb8218c2186bc9

General

Target

file1.ps1
Size

132KB
MD5

9777539c560bfd297cc2574c37fa5b21
SHA1

4eb088f40d4cb02590c7299ac7e2c0d609680e1e
SHA256

be4f0c6439bdba738482ea253cde60f3347afd86b284362f83b510a0034b693a
SHA512

dc3ca59771b57826cd8714c4335ffbdecddd155e234309dd812d0db7bb2a21b590bd73c57d5270f2083e6f616fbf2265f955654ae5f091d9f820ae64beea1e96

Score

10^/10

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2948 set thread context of 4016	2948	powershell.exe	63

Suspicious behavior: EnumeratesProcesses 4 IoCs

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3684	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 3684 wrote to memory of 2948	3684	powershell.exe	62
PID 3684 wrote to memory of 2948	3684	powershell.exe	62
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63
PID 2948 wrote to memory of 4016	2948	powershell.exe	63

memory/2948-152-0x000001BEF4BE0000-0x000001BEF4BFA000-memory.dmp

Filesize
104KB

Download
memory/2948-151-0x000001BEF4C16000-0x000001BEF4C18000-memory.dmp

Filesize
8KB

Download
memory/2948-150-0x000001BEF4C13000-0x000001BEF4C15000-memory.dmp

Filesize
8KB

Download
memory/2948-149-0x000001BEF4C10000-0x000001BEF4C12000-memory.dmp

Filesize
8KB

Download
memory/2948-148-0x00007FFE676E0000-0x00007FFE681A1000-memory.dmp

Filesize
10.8MB

Download
memory/3684-140-0x0000020F06473000-0x0000020F06475000-memory.dmp

Filesize
8KB

Download
memory/3684-134-0x0000020F07DF0000-0x0000020F07E12000-memory.dmp

Filesize
136KB

Download
memory/3684-139-0x0000020F06470000-0x0000020F06472000-memory.dmp

Filesize
8KB

Download
memory/3684-138-0x0000020F06476000-0x0000020F06478000-memory.dmp

Filesize
8KB

Download
memory/3684-137-0x00007FFE676E0000-0x00007FFE681A1000-memory.dmp

Filesize
10.8MB

Download
memory/4016-153-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4016-154-0x0000000074A30000-0x00000000751E0000-memory.dmp

Filesize
7.7MB

Download
memory/4016-155-0x0000000005360000-0x0000000005361000-memory.dmp

Filesize
4KB

Download
memory/4016-156-0x0000000005410000-0x00000000054AC000-memory.dmp

Filesize
624KB

Download
memory/4016-157-0x0000000005A60000-0x0000000006004000-memory.dmp

Filesize
5.6MB

Download
memory/4016-158-0x00000000054B0000-0x0000000005516000-memory.dmp

Filesize
408KB

Download