Overview

overview

10

Static

static

3

W-DAX-main/D WAX.exe

windows7-x64

10

W-DAX-main/D WAX.exe

windows10-1703-x64

10

W-DAX-main/D WAX.exe

windows10-2004-x64

10

W-DAX-main/D WAX.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    1799s
  • max time network
    1801s
  • platform
    windows10-1703_x64
  • resource
    win10-20231129-en
  • resource tags

    arch:x64arch:x86image:win10-20231129-enlocale:en-usos:windows10-1703-x64system
  • submitted
    02-12-2023 17:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    W-DAX-main/D WAX.exe

  • Size

    220KB

  • MD5

    72b51e28589fbeac9400380dddedb79a

  • SHA1

    4d14ab35e4425a8b1b1b655c2178b0ea2522e7f0

  • SHA256

    6ca01f81cc92345981212659aa05d5595a45e96a1f4a6f8678d21f1d24c96aa0

  • SHA512

    31cdc53b75d92b258ff5c160224e6212228d5ab42d5ed6b7e976439c0bd97cf444687079b95810e88c3ef36aa9670e4089578cf102baa37cc2f91d1dbe658cca

  • SSDEEP

    6144:w9/COjX6BAs8WN7wwZV/pt2qFnM/pte63AX:wVvXK8WNzfptHEptpM

Score
10/10
nitroxwormpersistenceransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

3.0

C2

16.ip.gl.ply.gg:59539

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Nitro

    A ransomware that demands Discord nitro gift codes to decrypt files.

    ransomwarenitro
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Renames multiple (88) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops desktop.ini file(s) 5 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
    ransomware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\W-DAX-main\D WAX.exe
    "C:\Users\Admin\AppData\Local\Temp\W-DAX-main\D WAX.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3692
    • C:\Users\Admin\AppData\Local\Temp\SECURITY AVAST.exe
      "C:\Users\Admin\AppData\Local\Temp\SECURITY AVAST.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4724
    • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
      "C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops desktop.ini file(s)
      • Sets desktop wallpaper using registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2524
      • C:\Windows\SysWOW64\cmd.exe
        "cmd.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3940
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
    1⤵
      PID:5000
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -s wlidsvc
      1⤵
        PID:4480

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
        Filesize

        106KB

        MD5

        9d45fedb0c67a1c04a89edb3ee707d44

        SHA1

        7773d0e37a0c478191f11e57b338a7a780001a3a

        SHA256

        7019f42701a888986b9dda599f0e8a6d21a762d409f539a05345778e39de7865

        SHA512

        88f99051e5023846d6cb1886031e6f390ac8c04b4f60ba1433edadb3239d23b8a817e20b06d6135a700b85d23ce8885714a8349d2f1c980a93b55a638262c7d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\NitroRansomware.exe
        Filesize

        106KB

        MD5

        9d45fedb0c67a1c04a89edb3ee707d44

        SHA1

        7773d0e37a0c478191f11e57b338a7a780001a3a

        SHA256

        7019f42701a888986b9dda599f0e8a6d21a762d409f539a05345778e39de7865

        SHA512

        88f99051e5023846d6cb1886031e6f390ac8c04b4f60ba1433edadb3239d23b8a817e20b06d6135a700b85d23ce8885714a8349d2f1c980a93b55a638262c7d6

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SECURITY AVAST.exe
        Filesize

        104KB

        MD5

        cceba0ca8ed89f7c181bcfbbd934c591

        SHA1

        2166e325c5a65d751547e0a5b53f66e341e6ba40

        SHA256

        2f8785ef55401b2a906b9bc6a4d995bb58084c12577d39dae5a32d49525ae629

        SHA512

        c56d0716db3df6d657f199b3e879cb09ebc7cccef5a722ad651ee4c44e019ca7bd62f5954af6404ec235f53afe9f248300619c99e7bf0e4ba3a8d5f4180f0262

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\SECURITY AVAST.exe
        Filesize

        104KB

        MD5

        cceba0ca8ed89f7c181bcfbbd934c591

        SHA1

        2166e325c5a65d751547e0a5b53f66e341e6ba40

        SHA256

        2f8785ef55401b2a906b9bc6a4d995bb58084c12577d39dae5a32d49525ae629

        SHA512

        c56d0716db3df6d657f199b3e879cb09ebc7cccef5a722ad651ee4c44e019ca7bd62f5954af6404ec235f53afe9f248300619c99e7bf0e4ba3a8d5f4180f0262

        Download Submit

      • C:\Users\Admin\AppData\Roaming\SECURITY AVAST.exe
        Filesize

        104KB

        MD5

        cceba0ca8ed89f7c181bcfbbd934c591

        SHA1

        2166e325c5a65d751547e0a5b53f66e341e6ba40

        SHA256

        2f8785ef55401b2a906b9bc6a4d995bb58084c12577d39dae5a32d49525ae629

        SHA512

        c56d0716db3df6d657f199b3e879cb09ebc7cccef5a722ad651ee4c44e019ca7bd62f5954af6404ec235f53afe9f248300619c99e7bf0e4ba3a8d5f4180f0262

        Download Submit

      • memory/2524-19-0x0000000005CA0000-0x000000000619E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/2524-63-0x0000000073100000-0x00000000737EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2524-127-0x0000000005800000-0x0000000005810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2524-126-0x0000000005800000-0x0000000005810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2524-124-0x0000000005800000-0x0000000005810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2524-17-0x0000000000FE0000-0x0000000001000000-memory.dmp

        Filesize

        128KB

        Download

      • memory/2524-18-0x0000000073100000-0x00000000737EE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/2524-123-0x0000000005800000-0x0000000005810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2524-20-0x0000000005880000-0x0000000005912000-memory.dmp

        Filesize

        584KB

        Download

      • memory/2524-21-0x0000000005920000-0x00000000059BC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/2524-22-0x0000000005800000-0x0000000005810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2524-122-0x0000000006540000-0x000000000654A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/2524-75-0x0000000005800000-0x0000000005810000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3692-1-0x00007FFBF8880000-0x00007FFBF926C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/3692-3-0x0000000001350000-0x0000000001360000-memory.dmp

        Filesize

        64KB

        Download

      • memory/3692-0-0x0000000000AE0000-0x0000000000B1E000-memory.dmp

        Filesize

        248KB

        Download

      • memory/3692-15-0x00007FFBF8880000-0x00007FFBF926C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/4724-53-0x00007FFBF8880000-0x00007FFBF926C000-memory.dmp

        Filesize

        9.9MB

        Download

      • memory/4724-27-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4724-97-0x000000001B9D0000-0x000000001B9E0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4724-14-0x0000000000C50000-0x0000000000C70000-memory.dmp

        Filesize

        128KB

        Download

      • memory/4724-16-0x00007FFBF8880000-0x00007FFBF926C000-memory.dmp

        Filesize

        9.9MB

        Download