Analysis
-
max time kernel
79s -
max time network
81s -
platform
windows10-1703_x64 -
resource
win10-20240404-en -
resource tags
arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system -
submitted
30-05-2024 15:42
Behavioral task
behavioral1
Sample
Nurik.exe
Resource
win10-20240404-en
General
-
Target
Nurik.exe
-
Size
210KB
-
MD5
bb252d8aa4f5834229ea080c11db0b59
-
SHA1
7de57dfc07520a7f3013abc807446e8611914812
-
SHA256
ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
-
SHA512
0e9aa28aeb33328b7b7140a461b45e4a211cb68326130e174b54dd260d3f44323a3ab86f16571e0b0e55c9597f293b9a5d085e1bb01f4fbe2cdb2b20080e4c5a
-
SSDEEP
3072:tXbHXK681mboHFtHODlewZp0EAVHLqaHSegMc11irm+uhdtNp+5hBu:tXb6Ib2ewwZpTEH+NvlNpoh
Malware Config
Extracted
xworm
-
Install_directory
%AppData%
-
install_file
USB.exe
-
pastebin_url
https://pastebin.com/raw/cVQrB6DR
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1296-1-0x0000000000050000-0x000000000008A000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepid process 2440 powershell.exe 1560 powershell.exe 3596 powershell.exe 3920 powershell.exe -
Drops startup file 2 IoCs
Processes:
Nurik.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk Nurik.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk Nurik.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
Nurik.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSecurity" Nurik.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 1 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 3852 timeout.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exeNurik.exepid process 3920 powershell.exe 3920 powershell.exe 3920 powershell.exe 2440 powershell.exe 2440 powershell.exe 2440 powershell.exe 1560 powershell.exe 1560 powershell.exe 1560 powershell.exe 3596 powershell.exe 3596 powershell.exe 3596 powershell.exe 1296 Nurik.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Nurik.exepowershell.exepowershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 1296 Nurik.exe Token: SeDebugPrivilege 3920 powershell.exe Token: SeIncreaseQuotaPrivilege 3920 powershell.exe Token: SeSecurityPrivilege 3920 powershell.exe Token: SeTakeOwnershipPrivilege 3920 powershell.exe Token: SeLoadDriverPrivilege 3920 powershell.exe Token: SeSystemProfilePrivilege 3920 powershell.exe Token: SeSystemtimePrivilege 3920 powershell.exe Token: SeProfSingleProcessPrivilege 3920 powershell.exe Token: SeIncBasePriorityPrivilege 3920 powershell.exe Token: SeCreatePagefilePrivilege 3920 powershell.exe Token: SeBackupPrivilege 3920 powershell.exe Token: SeRestorePrivilege 3920 powershell.exe Token: SeShutdownPrivilege 3920 powershell.exe Token: SeDebugPrivilege 3920 powershell.exe Token: SeSystemEnvironmentPrivilege 3920 powershell.exe Token: SeRemoteShutdownPrivilege 3920 powershell.exe Token: SeUndockPrivilege 3920 powershell.exe Token: SeManageVolumePrivilege 3920 powershell.exe Token: 33 3920 powershell.exe Token: 34 3920 powershell.exe Token: 35 3920 powershell.exe Token: 36 3920 powershell.exe Token: SeDebugPrivilege 2440 powershell.exe Token: SeIncreaseQuotaPrivilege 2440 powershell.exe Token: SeSecurityPrivilege 2440 powershell.exe Token: SeTakeOwnershipPrivilege 2440 powershell.exe Token: SeLoadDriverPrivilege 2440 powershell.exe Token: SeSystemProfilePrivilege 2440 powershell.exe Token: SeSystemtimePrivilege 2440 powershell.exe Token: SeProfSingleProcessPrivilege 2440 powershell.exe Token: SeIncBasePriorityPrivilege 2440 powershell.exe Token: SeCreatePagefilePrivilege 2440 powershell.exe Token: SeBackupPrivilege 2440 powershell.exe Token: SeRestorePrivilege 2440 powershell.exe Token: SeShutdownPrivilege 2440 powershell.exe Token: SeDebugPrivilege 2440 powershell.exe Token: SeSystemEnvironmentPrivilege 2440 powershell.exe Token: SeRemoteShutdownPrivilege 2440 powershell.exe Token: SeUndockPrivilege 2440 powershell.exe Token: SeManageVolumePrivilege 2440 powershell.exe Token: 33 2440 powershell.exe Token: 34 2440 powershell.exe Token: 35 2440 powershell.exe Token: 36 2440 powershell.exe Token: SeDebugPrivilege 1560 powershell.exe Token: SeIncreaseQuotaPrivilege 1560 powershell.exe Token: SeSecurityPrivilege 1560 powershell.exe Token: SeTakeOwnershipPrivilege 1560 powershell.exe Token: SeLoadDriverPrivilege 1560 powershell.exe Token: SeSystemProfilePrivilege 1560 powershell.exe Token: SeSystemtimePrivilege 1560 powershell.exe Token: SeProfSingleProcessPrivilege 1560 powershell.exe Token: SeIncBasePriorityPrivilege 1560 powershell.exe Token: SeCreatePagefilePrivilege 1560 powershell.exe Token: SeBackupPrivilege 1560 powershell.exe Token: SeRestorePrivilege 1560 powershell.exe Token: SeShutdownPrivilege 1560 powershell.exe Token: SeDebugPrivilege 1560 powershell.exe Token: SeSystemEnvironmentPrivilege 1560 powershell.exe Token: SeRemoteShutdownPrivilege 1560 powershell.exe Token: SeUndockPrivilege 1560 powershell.exe Token: SeManageVolumePrivilege 1560 powershell.exe Token: 33 1560 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
Nurik.exepid process 1296 Nurik.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
Nurik.execmd.exedescription pid process target process PID 1296 wrote to memory of 3920 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 3920 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 2440 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 2440 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 1560 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 1560 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 3596 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 3596 1296 Nurik.exe powershell.exe PID 1296 wrote to memory of 4568 1296 Nurik.exe schtasks.exe PID 1296 wrote to memory of 4568 1296 Nurik.exe schtasks.exe PID 1296 wrote to memory of 4740 1296 Nurik.exe schtasks.exe PID 1296 wrote to memory of 4740 1296 Nurik.exe schtasks.exe PID 1296 wrote to memory of 4632 1296 Nurik.exe cmd.exe PID 1296 wrote to memory of 4632 1296 Nurik.exe cmd.exe PID 4632 wrote to memory of 3852 4632 cmd.exe timeout.exe PID 4632 wrote to memory of 3852 4632 cmd.exe timeout.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nurik.exe"C:\Users\Admin\AppData\Local\Temp\Nurik.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1296 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nurik.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3920
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nurik.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2440
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1560
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3596
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"2⤵
- Creates scheduled task(s)
PID:4568
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsSecurity"2⤵PID:4740
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp923.tmp.bat""2⤵
- Suspicious use of WriteProcessMemory
PID:4632 -
C:\Windows\system32\timeout.exetimeout 33⤵
- Delays execution with timeout.exe
PID:3852
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD58592ba100a78835a6b94d5949e13dfc1
SHA163e901200ab9a57c7dd4c078d7f75dcd3b357020
SHA256fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c
SHA51287f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3
-
Filesize
1KB
MD50eea8ae8d7e55ab31a19f56232bdcbd6
SHA1411b041511b64202a88fff54f4dc52d8a95a7947
SHA256ca44f226959263a4965c7f0baa961574f00541498208b06d90bad4f5a2bd02ef
SHA512f337cb6809f4bec291a052bcb57efcb12f6e46cfe5575dcc30dcef6010c3b6f9b46999ff3bedc4a79f3482edbb9c0212703b99eeade54a5ec121aefa4a72f6b2
-
Filesize
1KB
MD57bc745df6da19773556ef4643ae66090
SHA12f63cb82e1512e879fe68f80c112afdd650b9c1a
SHA25638b2f95d679d4741c35548fecce854db6ae10aa991fee194f247d6cc573ba33b
SHA51236e8074bb285a99024f1d424bd9d47b403b44b20c272074143e21c30fbc280621a9f3066c0607a8f995ae2feba073c4d03412d2639b9e0cd72e672b9974c04eb
-
Filesize
1KB
MD5e1068b7b7d5bbd12d46c91710fb2d3e3
SHA1c61151701b1ba48b023a06fc14b489bdec822af0
SHA2565d45917923beb51ce60d5eecb76f057a1e3a83430d8b60b44af800633fa370c5
SHA512d7fd7fc9100fb0b1989d31dbf36e04e446f10594c8c2aa3a3f252829346e4724f9d2813c44eaea07406dccb776b0710e3ee1a794ca2995474dcaa1a31baefb77
-
Filesize
1B
MD5c4ca4238a0b923820dcc509a6f75849b
SHA1356a192b7913b04c54574d18c28d46e6395428ab
SHA2566b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b
SHA5124dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a
-
Filesize
156B
MD58f8c333dc8741d118f1c3a1a9a9c857f
SHA128fd24e1513b08e0dd66801a8647f5838485f42e
SHA2564e5e2047e102e99a3b4c25a174fed77c25b0fc88eb20b36910355c88051f1fdf
SHA5127af530d4ed78417a59984a15ccbeda611c66577686b35b57301186ba2c3855687210c67556ae170d51223ec22f7429296c1791a9c8374903fc3b56f73df4ec58