General
-
Target
Nurik.exe
-
Size
210KB
-
Sample
240524-pnd8qabf6t
-
MD5
bb252d8aa4f5834229ea080c11db0b59
-
SHA1
7de57dfc07520a7f3013abc807446e8611914812
-
SHA256
ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
-
SHA512
0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a
-
SSDEEP
3072:tXbHXK681mboHFtHODlewZp0EAVHLqaHSegMc11irm+uhdtNp+5hBu:tXb6Ib2ewwZpTEH+NvlNpoh
Behavioral task
behavioral1
Sample
Nurik.exe
Resource
win11-20240508-en
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/cVQrB6DR
Targets
-
-
Target
Nurik.exe
-
Size
210KB
-
MD5
bb252d8aa4f5834229ea080c11db0b59
-
SHA1
7de57dfc07520a7f3013abc807446e8611914812
-
SHA256
ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
-
SHA512
0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a
-
SSDEEP
3072:tXbHXK681mboHFtHODlewZp0EAVHLqaHSegMc11irm+uhdtNp+5hBu:tXb6Ib2ewwZpTEH+NvlNpoh
Score10/10-
Detect Xworm Payload
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file
-
Adds Run key to start application
-
Legitimate hosting services abused for malware hosting/C2
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-