Analysis Overview
SHA256
211cb177c61f63ca15955c9c3cfb44104f0551714801adc550911b038c2bf368
Threat Level: Known bad
The file Nursultan Beta.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
StormKitty payload
Contains code to disable Windows Defender
Detect Xworm Payload
StormKitty
Command and Scripting Interpreter: PowerShell
Reads user/profile data of web browsers
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-03 17:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-03 17:33
Reported
2024-05-03 17:35
Platform
win10v2004-20240419-en
Max time kernel
128s
Max time network
137s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Detect Xworm Payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nursultan Beta = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Nursultan Beta.exe" | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command Line |
| --- | --- |
| C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe | "C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe" |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan Beta.exe' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan Beta.exe' |
| C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan Beta.exe' |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2364 -ip 2364 |
| C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\WerFault.exe -u -p 2364 -s 2768 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | lesbian-organ.gl.at.ply.gg | udp |
| US | 147.185.221.19:38343 | lesbian-organ.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 19.221.185.147.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 142.53.16.96.in-addr.arpa | udp |
| US | 147.185.221.19:38343 | lesbian-organ.gl.at.ply.gg | tcp |
| US | 147.185.221.19:38343 | lesbian-organ.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 49.15.97.104.in-addr.arpa | udp |
| US | 147.185.221.19:38343 | lesbian-organ.gl.at.ply.gg | tcp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
Files
memory/2364-0-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-1-0x0000000002C00000-0x0000000002C01000-memory.dmp
memory/2364-2-0x0000000073A8E000-0x0000000073A8F000-memory.dmp
memory/2364-3-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-4-0x0000000007E70000-0x0000000007F0C000-memory.dmp
memory/2364-5-0x0000000007F10000-0x0000000007F76000-memory.dmp
memory/2364-6-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/1144-7-0x0000000005060000-0x0000000005096000-memory.dmp
memory/2364-8-0x0000000000140000-0x0000000000558000-memory.dmp
memory/1144-10-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/1144-9-0x0000000005790000-0x0000000005DB8000-memory.dmp
memory/1144-11-0x0000000005510000-0x0000000005532000-memory.dmp
memory/1144-13-0x0000000005F30000-0x0000000005F96000-memory.dmp
memory/1144-12-0x0000000073A80000-0x0000000074230000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_iui4yjzc.ouo.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/1144-24-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/1144-23-0x0000000006010000-0x0000000006364000-memory.dmp
memory/1144-25-0x00000000065F0000-0x000000000660E000-memory.dmp
memory/1144-26-0x0000000006620000-0x000000000666C000-memory.dmp
memory/1144-27-0x00000000075C0000-0x00000000075F2000-memory.dmp
memory/1144-28-0x000000006F250000-0x000000006F29C000-memory.dmp
memory/1144-38-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/1144-40-0x0000000006BB0000-0x0000000006BCE000-memory.dmp
memory/1144-39-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/1144-42-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/1144-41-0x0000000007600000-0x00000000076A3000-memory.dmp
memory/1144-44-0x0000000007910000-0x000000000792A000-memory.dmp
memory/1144-43-0x0000000007F60000-0x00000000085DA000-memory.dmp
memory/1144-45-0x0000000007980000-0x000000000798A000-memory.dmp
memory/1144-46-0x0000000007B90000-0x0000000007C26000-memory.dmp
memory/1144-47-0x0000000007B10000-0x0000000007B21000-memory.dmp
memory/1144-48-0x0000000007B40000-0x0000000007B4E000-memory.dmp
memory/1144-49-0x0000000007B50000-0x0000000007B64000-memory.dmp
memory/1144-50-0x0000000007C50000-0x0000000007C6A000-memory.dmp
memory/1144-51-0x0000000007C30000-0x0000000007C38000-memory.dmp
memory/1144-54-0x0000000073A80000-0x0000000074230000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 968cb9309758126772781b83adb8a28f |
| SHA1 | 8da30e71accf186b2ba11da1797cf67f8f78b47c |
| SHA256 | 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a |
| SHA512 | 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3 |
memory/2160-65-0x0000000006410000-0x0000000006764000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7b28b7cad8d1f96972fa01a47051a911 |
| SHA1 | a4689865be424109180c43f3aeeaadd43199d1c4 |
| SHA256 | ab0968d055f29e24f7a294ea4a650ef73b5bad237ecfed76d3c2f59a0fac1423 |
| SHA512 | fb707bb3fa3c5be21e02774985f61aabd38034adf24ed97eb12a746f6e9f253144369c78d0344a5084c6f609657e405f87e8a00e4daeafb9693c589afd0f944f |
memory/2160-67-0x000000006F250000-0x000000006F29C000-memory.dmp
memory/2364-77-0x0000000000140000-0x0000000000558000-memory.dmp
memory/3208-88-0x0000000005460000-0x00000000057B4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 8eb18d1e42438cdef79ad11fb112a7e1 |
| SHA1 | 420e59b30486f75d17b648dc51444a716a2e1d82 |
| SHA256 | 0fbb79721d49d0c92e5b3228b95b0a6f574b424b818d4d08ad82be8dc90513d9 |
| SHA512 | 2d39c22c1291ec981e4c686dc4cce2e8a73be6203ea38bd8e6fa8b517f2cd703110703e615a49532a89bd7f47480cc3550b70169ce0e8296aeb52e766e2da47e |
memory/3208-90-0x000000006F250000-0x000000006F29C000-memory.dmp
memory/2364-100-0x0000000002C00000-0x0000000002C01000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f3faa2aa01099d4d8cc4ce80ca959c76 |
| SHA1 | b8e5ee6477b02e51e7f8636765d1e5d56294cadc |
| SHA256 | 7e5cc3d45a780ca4dc13c8545c99594048c4c32d521f492def02c5a39ce4d9f4 |
| SHA512 | b7e957ded4dc9ced03f0d65ddc2cd6bb6f270fe77db3276b16062ba231f1318ffed2462a2f250cec8f207849a9b4594bd587e096fb664d5076179d81b5280a56 |
memory/3560-112-0x000000006F250000-0x000000006F29C000-memory.dmp
memory/2364-123-0x000000000A130000-0x000000000A6D4000-memory.dmp
memory/2364-124-0x000000000A6E0000-0x000000000A772000-memory.dmp
memory/2364-125-0x000000000A090000-0x000000000A09A000-memory.dmp
memory/2364-126-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-127-0x0000000073A8E000-0x0000000073A8F000-memory.dmp
memory/2364-128-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-129-0x0000000073A80000-0x0000000074230000-memory.dmp
memory/2364-130-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-131-0x000000000A100000-0x000000000A10C000-memory.dmp
memory/2364-132-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-133-0x000000000B160000-0x000000000B16E000-memory.dmp
memory/2364-134-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-135-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-136-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-137-0x0000000002930000-0x000000000296A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp82B8.tmp
| MD5 | c38b245b97fea00a08141af793a76f87 |
| SHA1 | c9c5c786f8e8d3c5670ef64f4f3ae35c556bb640 |
| SHA256 | b6647006cf5e920db52c66a2028f2492df03c4deceda32fb021ebe4126bfe261 |
| SHA512 | 6d4a19aff6c2999f2369ae8831a8208aeefcb6fe7620a86bd8343690a155c055d0327ec4b42af3929fd6997ad5ce28d0e7f9a980567b244f3e373409cf2e5d38 |
memory/2364-143-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-144-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-145-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-146-0x0000000000140000-0x0000000000558000-memory.dmp
memory/2364-147-0x000000000AA00000-0x000000000AB1E000-memory.dmp
memory/2364-148-0x000000000BE00000-0x000000000C154000-memory.dmp
memory/2364-149-0x000000000AB20000-0x000000000AB6C000-memory.dmp