nworm | 8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f | Triage

Sharing

General

Target

YBAXAKQXVYWIXQJDE.VBS
Size

9KB
Sample

220308-vvx73aheh9
MD5

40f92eb4b46a3430167477d11dec4c9e
SHA1

515ad5cac3f5b9ed1e7a7e14d53a191a12193984
SHA256

8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
SHA512

80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://transfer.sh/get/8J0O0I/Server435.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

Targets

- Target
  
  YBAXAKQXVYWIXQJDE.VBS
- Size
  
  9KB
- MD5
  
  40f92eb4b46a3430167477d11dec4c9e
- SHA1
  
  515ad5cac3f5b9ed1e7a7e14d53a191a12193984
- SHA256
  
  8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
- SHA512
  
  80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm