Overview

overview

10

Static

static

KVDKGYBAXA...PY.vbs

windows7_x64

10

KVDKGYBAXA...PY.vbs

windows10-2004_x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    KVDKGYBAXAKQX_PAYMENT_COPY.VBS

  • Size

    9KB

  • Sample

    220309-sb6zracdbp

  • MD5

    8ade0a04317db340d7dcdc9a4b32c795

  • SHA1

    30350a6e2339507039e86a68a99958b1d9dea157

  • SHA256

    1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1

  • SHA512

    7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf

Score
10/10
nwormdownloaderworm

Malware Config

Extracted

Language
ps1
Deobfuscated
URLs
exe.dropper

https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

Targets

    • Target

      KVDKGYBAXAKQX_PAYMENT_COPY.VBS

    • Size

      9KB

    • MD5

      8ade0a04317db340d7dcdc9a4b32c795

    • SHA1

      30350a6e2339507039e86a68a99958b1d9dea157

    • SHA256

      1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1

    • SHA512

      7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf

    Score
    10/10
    nwormdownloaderworm

    • NWorm

      A TrickBot module used to propagate to vulnerable domain controllers.

      wormdownloadernworm

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Blocklisted process makes network request

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Matrix

Tasks