Analysis Overview
SHA256
ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
Threat Level: Known bad
The file Nurik.exe was found to be: Known bad.
Malicious Activity Summary
Detect Xworm Payload
Xworm family
Xworm
Modifies WinLogon for persistence
UAC bypass
Command and Scripting Interpreter: PowerShell
Disables Task Manager via registry modification
Disables RegEdit via registry modification
Executes dropped EXE
Drops startup file
Writes to the Master Boot Record (MBR)
Looks up external IP address via web service
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Adds Run key to start application
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
Modifies Control Panel
System policy modification
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-29 11:44
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-29 11:44
Reported
2024-05-29 11:48
Platform
win11-20240508-en
Max time kernel
181s
Max time network
186s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
UAC bypass
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Disables Task Manager via registry modification
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSecurity" | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Delete value | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Modifies Control Panel
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Mouse | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3433428765-2473475212-4279855560-1000\Control Panel\Mouse\SwapMouseButtons = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "235" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WindowsSecurity | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDesktop = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\HideFastUserSwitching = "1" | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe | N/A |
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nurik.exe
"C:\Users\Admin\AppData\Local\Temp\Nurik.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nurik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nurik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"
C:\Users\Admin\AppData\Roaming\WindowsSecurity
C:\Users\Admin\AppData\Roaming\WindowsSecurity
C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe
"C:\Users\Admin\AppData\Local\Temp\lpuvdz.exe"
C:\Windows\explorer.exe
explorer.exe
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004D8
C:\Users\Admin\AppData\Roaming\WindowsSecurity
C:\Users\Admin\AppData\Roaming\WindowsSecurity
C:\Users\Admin\AppData\Roaming\WindowsSecurity
C:\Users\Admin\AppData\Roaming\WindowsSecurity
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa38ca855 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 104.20.4.235:443 | pastebin.com | tcp |
| DE | 3.125.102.39:15961 | 0.tcp.eu.ngrok.io | tcp |
| DE | 3.124.142.205:15961 | 0.tcp.eu.ngrok.io | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| DE | 3.125.209.94:15961 | 0.tcp.eu.ngrok.io | tcp |
Files
memory/1048-0-0x00007FF864593000-0x00007FF864595000-memory.dmp
memory/1048-1-0x0000000000FE0000-0x000000000101A000-memory.dmp
memory/1048-2-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/4176-3-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/4176-4-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/4176-5-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/4176-6-0x000001A9C28E0000-0x000001A9C2902000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vzktullg.goa.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/4176-15-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/4176-16-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/4176-19-0x000001A9C2950000-0x000001A9C2A9F000-memory.dmp
memory/4176-20-0x00007FF864590000-0x00007FF865052000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 627073ee3ca9676911bee35548eff2b8 |
| SHA1 | 4c4b68c65e2cab9864b51167d710aa29ebdcff2e |
| SHA256 | 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c |
| SHA512 | 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 3284cb698efa6fb773dc0eebd30a3214 |
| SHA1 | a1093d44f025e5ba9609e99a3fc5fce3723fd7f3 |
| SHA256 | 22f6a7c20c96be4775bec28c377d98d91a160fb5dd3158083e4365286161a2aa |
| SHA512 | af3ea3c69350087cd0e6768679ba7bdfff4c184b5bfe7abf9152aa161713c56c6dc86390543507580f9ae0a6103d26486dbe37330dbc78e172a966957ba43606 |
memory/1576-32-0x000001BC56BA0000-0x000001BC56CEF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 78dd5ad095162eb2777b0ff766a61a6e |
| SHA1 | 5ba064016205f0d26999080726c600e48f308f39 |
| SHA256 | aed8c14187935d0a33ac129c8bdce507dfb1938a1fd1d8a7c8c568c224d2deec |
| SHA512 | 993c2370fd9ddc14abfa9e4c972188605ec57a8edc17a2d9e51d85da93e98a72a4c096e6967a4d6e6ec7555cc04bfebc4977c23e301b6fa7b308c0ea8971a72d |
memory/2352-43-0x0000014775B30000-0x0000014775C7F000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d9f57d6c4214f890e8c0b575404864dc |
| SHA1 | 017f9174a12ca9632ffdf6b4316c88e02800777a |
| SHA256 | 3d51900ed720bd3f98cfc27c5a268eaa93b2ae4a40202fcc8240e26d1a3eac8f |
| SHA512 | bec0064af11dd33ba51e4e6271633b3d9143d9e6b99290bc84da066c74eff297dc92071cb56c377739a3ece3e19c780e4591cde667bf8d4aa73eb4797630d042 |
memory/3720-54-0x000001B1F67E0000-0x000001B1F692F000-memory.dmp
memory/1048-58-0x00007FF864593000-0x00007FF864595000-memory.dmp
memory/1048-59-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/1048-60-0x000000001CF80000-0x000000001CF8C000-memory.dmp
C:\Users\Admin\AppData\Roaming\WindowsSecurity
| MD5 | bb252d8aa4f5834229ea080c11db0b59 |
| SHA1 | 7de57dfc07520a7f3013abc807446e8611914812 |
| SHA256 | ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c |
| SHA512 | 0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a |
memory/1516-76-0x0000000000400000-0x0000000003DF3000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\WindowsSecurity.log
| MD5 | 2cbbb74b7da1f720b48ed31085cbd5b8 |
| SHA1 | 79caa9a3ea8abe1b9c4326c3633da64a5f724964 |
| SHA256 | e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3 |
| SHA512 | ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9 |
memory/1516-79-0x0000000000400000-0x0000000003DF3000-memory.dmp
memory/1516-80-0x0000000000400000-0x0000000003DF3000-memory.dmp
memory/1516-82-0x0000000000400000-0x0000000003DF3000-memory.dmp
memory/1516-83-0x0000000000400000-0x0000000003DF3000-memory.dmp
memory/1048-84-0x000000001B4F0000-0x000000001B57E000-memory.dmp
memory/1516-85-0x0000000000400000-0x0000000003DF3000-memory.dmp
memory/1516-87-0x0000000000400000-0x0000000003DF3000-memory.dmp
memory/1048-91-0x00007FF864590000-0x00007FF865052000-memory.dmp
memory/1516-90-0x0000000000400000-0x0000000003DF3000-memory.dmp