Analysis

  • max time kernel
    39s
  • max time network
    49s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    22-05-2024 17:30

Errors

Reason
Machine shutdown

General

  • Target

    Nurik.exe

  • Size

    210KB

  • MD5

    bb252d8aa4f5834229ea080c11db0b59

  • SHA1

    7de57dfc07520a7f3013abc807446e8611914812

  • SHA256

    ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c

  • SHA512

    0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a

  • SSDEEP

    3072:tXbHXK681mboHFtHODlewZp0EAVHLqaHSegMc11irm+uhdtNp+5hBu:tXb6Ib2ewwZpTEH+NvlNpoh

Malware Config

Extracted

Family

xworm

Attributes
  • Install_directory

    %AppData%

  • install_file

    USB.exe

  • pastebin_url

    https://pastebin.com/raw/cVQrB6DR

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Disables Task Manager via registry modification
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Modifies WinLogon 2 TTPs 1 IoCs
  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Kills process with taskkill 2 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nurik.exe
    "C:\Users\Admin\AppData\Local\Temp\Nurik.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3324
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nurik.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4732
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nurik.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2564
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"
      2⤵
      • Creates scheduled task(s)
      PID:4896
    • C:\Users\Admin\AppData\Local\Temp\dqveec.exe
      "C:\Users\Admin\AppData\Local\Temp\dqveec.exe"
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Modifies WinLogon
      • Sets desktop wallpaper using registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:5024
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3296
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im explorer.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:1560
        • C:\Windows\SysWOW64\taskkill.exe
          taskkill /f /im taskmgr.exe
          4⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:856
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic useraccount where name='Admin' set FullName='UR NEXT'
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:808
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic useraccount where name='Admin' rename 'UR NEXT'
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:3732
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /f /r /t 0
          4⤵
            PID:656
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:2448
  • C:\Users\Admin\AppData\Roaming\WindowsSecurity
    C:\Users\Admin\AppData\Roaming\WindowsSecurity
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3624
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004D8
    1⤵
    PID:3404
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa3a2d855 /state1:0x41c64e6d
    1⤵
    PID:3756

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Execution
    • Command and Scripting Interpreter (1) T1059
      • PowerShell (1) T1059.001
    • Scheduled Task/Job (1) T1053
  • Persistence
    • Boot or Logon Autostart Execution (2) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001
      • Winlogon Helper DLL (1) T1547.004
    • Scheduled Task/Job (1) T1053
  • Privilege Escalation
    • Boot or Logon Autostart Execution (2) T1547
      • Registry Run Keys / Startup Folder (1) T1547.001
      • Winlogon Helper DLL (1) T1547.004
    • Scheduled Task/Job (1) T1053
  • Defense Evasion
    • Modify Registry (3) T1112
  • Discovery
    • Query Registry (2) T1012
    • Peripheral Device Discovery (1) T1120
    • System Information Discovery (2) T1082
  • Command and Control
    • Web Service (1) T1102
  • Impact
    • Defacement (1) T1491

          Downloads

          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
            Filesize

            2KB

            MD5

            627073ee3ca9676911bee35548eff2b8

            SHA1

            4c4b68c65e2cab9864b51167d710aa29ebdcff2e

            SHA256

            85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

            SHA512

            3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

          • C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb
            Filesize

            640KB

            MD5

            0312ee70f802287aa57586862423b784

            SHA1

            0d1c992d3a81c6107c60ad99c3f0e9535a96d298

            SHA256

            fdee42f8c8260761f35e043dd4440340c236a7fb26e1b9db7b6ac92ac316d46f

            SHA512

            fa22fd27ac0e00b4351a0d8d1de6d6b03630b1132ce65f3c7214e81c891bcd8e99cee8133ce73844c6e5c5f6299aba45ebed3fad774adfa59ecdc36a429e5557

          • C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML
            Filesize

            9KB

            MD5

            7050d5ae8acfbe560fa11073fef8185d

            SHA1

            5bc38e77ff06785fe0aec5a345c4ccd15752560e

            SHA256

            cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

            SHA512

            a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            1a9fa92a4f2e2ec9e244d43a6a4f8fb9

            SHA1

            9910190edfaccece1dfcc1d92e357772f5dae8f7

            SHA256

            0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

            SHA512

            5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
            Filesize

            944B

            MD5

            5b705b4839f481b2485f2195c589cad0

            SHA1

            a55866cd9e6fedf352d0e937101755ea61a50c86

            SHA256

            f6a3b94a63de605bbbcf1e95cb2d743166f44ea7e9d0d2bfa0e88c94c26e37c6

            SHA512

            f228eccd5646068a81e79baeaf7e8bfa470b30d503bf0ca8cc746c009510ab609b5c091cadf08fab1e3581900cdb7834c775c61a95a29c2d73ccd0dcbd851bab

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hoo1bral.hpr.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • C:\Users\Admin\AppData\Local\Temp\dqveec.exe
            Filesize

            6.7MB

            MD5

            f2b7074e1543720a9a98fda660e02688

            SHA1

            1029492c1a12789d8af78d54adcb921e24b9e5ca

            SHA256

            4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

            SHA512

            73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

          • C:\Users\Admin\AppData\Local\Temp\one.rtf
            Filesize

            403B

            MD5

            6fbd6ce25307749d6e0a66ebbc0264e7

            SHA1

            faee71e2eac4c03b96aabecde91336a6510fff60

            SHA256

            e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

            SHA512

            35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

          • C:\Users\Admin\AppData\Local\Temp\rniw.exe
            Filesize

            76KB

            MD5

            9232120b6ff11d48a90069b25aa30abc

            SHA1

            97bb45f4076083fca037eee15d001fd284e53e47

            SHA256

            70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

            SHA512

            b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

          • C:\Users\Admin\AppData\Local\Temp\windl.bat
            Filesize

            771B

            MD5

            a9401e260d9856d1134692759d636e92

            SHA1

            4141d3c60173741e14f36dfe41588bb2716d2867

            SHA256

            b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

            SHA512

            5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

          • C:\Users\Admin\AppData\Roaming\WindowsSecurity
            Filesize

            210KB

            MD5

            bb252d8aa4f5834229ea080c11db0b59

            SHA1

            7de57dfc07520a7f3013abc807446e8611914812

            SHA256

            ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c

            SHA512

            0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a

          • C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt
            Filesize

            396B

            MD5

            9037ebf0a18a1c17537832bc73739109

            SHA1

            1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

            SHA256

            38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

            SHA512

            4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

          • memory/2564-32-0x0000021B54010000-0x0000021B5415F000-memory.dmp
            Filesize

            1.3MB

          • memory/3324-930-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/3324-2-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/3324-1-0x0000000000490000-0x00000000004CA000-memory.dmp
            Filesize

            232KB

          • memory/3324-929-0x000000001CEA0000-0x000000001CF2E000-memory.dmp
            Filesize

            568KB

          • memory/3324-0-0x00007FF839DA3000-0x00007FF839DA5000-memory.dmp
            Filesize

            8KB

          • memory/3324-64-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/3324-62-0x000000001B370000-0x000000001B37C000-memory.dmp
            Filesize

            48KB

          • memory/4732-20-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/4732-3-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/4732-9-0x000001FA64540000-0x000001FA64562000-memory.dmp
            Filesize

            136KB

          • memory/4732-18-0x000001FA7CC40000-0x000001FA7CD8F000-memory.dmp
            Filesize

            1.3MB

          • memory/4732-13-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/4732-14-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/4732-15-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/4732-19-0x00007FF839DA0000-0x00007FF83A862000-memory.dmp
            Filesize

            10.8MB

          • memory/4736-43-0x00000170EF770000-0x00000170EF8BF000-memory.dmp
            Filesize

            1.3MB

          • memory/4760-54-0x000001AE39EA0000-0x000001AE39FEF000-memory.dmp
            Filesize

            1.3MB

          • memory/5024-99-0x000000000BEB0000-0x000000000BEC0000-memory.dmp
            Filesize

            64KB

          • memory/5024-101-0x000000000BEB0000-0x000000000BEC0000-memory.dmp
            Filesize

            64KB

          • memory/5024-100-0x000000000BEB0000-0x000000000BEC0000-memory.dmp
            Filesize

            64KB

          • memory/5024-106-0x000000000BF70000-0x000000000BF80000-memory.dmp
            Filesize

            64KB

          • memory/5024-107-0x000000000BF70000-0x000000000BF80000-memory.dmp
            Filesize

            64KB

          • memory/5024-108-0x000000000BEB0000-0x000000000BEC0000-memory.dmp
            Filesize

            64KB

          • memory/5024-109-0x000000000BEB0000-0x000000000BEC0000-memory.dmp
            Filesize

            64KB

          • memory/5024-110-0x000000000BF70000-0x000000000BF80000-memory.dmp
            Filesize

            64KB

          • memory/5024-102-0x000000000BEB0000-0x000000000BEC0000-memory.dmp
            Filesize

            64KB

          • memory/5024-95-0x000000000BE40000-0x000000000BE78000-memory.dmp
            Filesize

            224KB

          • memory/5024-96-0x000000000BE10000-0x000000000BE1E000-memory.dmp
            Filesize

            56KB

          • memory/5024-77-0x0000000006300000-0x00000000068A6000-memory.dmp
            Filesize

            5.6MB

          • memory/5024-76-0x0000000000C60000-0x000000000130E000-memory.dmp
            Filesize

            6.7MB