nworm | 1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1 | Triage

Sharing

General

Target

KVDKGYBAXAKQX_PAYMENT_COPY.VBS
Size

9KB
Sample

220309-sb6zracdbp
MD5

8ade0a04317db340d7dcdc9a4b32c795
SHA1

30350a6e2339507039e86a68a99958b1d9dea157
SHA256

1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1
SHA512

7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://transfer.sh/get/gnXbHK/ServerSHJWIJW8292.txt

Extracted

Family

nworm

Version

v0.3.8

C2

nyanwmoney.duckdns.org:8891

Mutex

594274bc

Targets

- Target
  
  KVDKGYBAXAKQX_PAYMENT_COPY.VBS
- Size
  
  9KB
- MD5
  
  8ade0a04317db340d7dcdc9a4b32c795
- SHA1
  
  30350a6e2339507039e86a68a99958b1d9dea157
- SHA256
  
  1aa032a3d316f19de0c0946185eb7331aa1270d52882550c867eae1ce540ade1
- SHA512
  
  7572ebc9ae53a8639285b849fa972d4f40eaf3a923e43430f85337a73810bdeb487d0231ffdb4f0391442c2acdb244ab03063ed0ddc78cd12248431476c2cdaf
Score

10^/10

nworm downloader worm
- NWorm
  A TrickBot module used to propagate to vulnerable domain controllers.
  worm downloader nworm
- Process spawned unexpected child process
  This typically indicates the parent process was compromised via an exploit or macro.
- Blocklisted process makes network request
- Drops file in System32 directory
- Suspicious use of SetThreadContext
behavioral1 behavioral2

MITRE ATT&CK Matrix

Tasks

static1

behavioral1

behavioral2

nwormdownloaderworm