Analysis Overview
SHA256
ae2ab592c449e18dd57692ae43b247ab02f5003ee170c87f82168d2aa6e03b8c
Threat Level: Known bad
The file Nurik.exe was found to be: Known bad.
Malicious Activity Summary
Xworm family
Detect Xworm Payload
Xworm
Command and Scripting Interpreter: PowerShell
Drops startup file
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Enumerates physical storage devices
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Creates scheduled task(s)
Suspicious use of SetWindowsHookEx
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-30 15:42
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-30 15:42
Reported
2024-05-30 15:44
Platform
win10-20240404-en
Max time kernel
79s
Max time network
81s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\WindowsSecurity.lnk | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000\Software\Microsoft\Windows\CurrentVersion\Run\WindowsSecurity = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsSecurity" | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | pastebin.com | N/A | N/A |
| N/A | pastebin.com | N/A | N/A |
| N/A | 0.tcp.eu.ngrok.io | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates physical storage devices
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nurik.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Nurik.exe
"C:\Users\Admin\AppData\Local\Temp\Nurik.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nurik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nurik.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\WindowsSecurity'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'WindowsSecurity'
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "WindowsSecurity" /tr "C:\Users\Admin\AppData\Roaming\WindowsSecurity"
C:\Windows\System32\schtasks.exe
"C:\Windows\System32\schtasks.exe" /delete /f /tn "WindowsSecurity"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp923.tmp.bat""
C:\Windows\system32\timeout.exe
timeout 3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | pastebin.com | udp |
| US | 172.67.19.24:443 | pastebin.com | tcp |
| US | 8.8.8.8:53 | 24.19.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.tcp.eu.ngrok.io | udp |
| DE | 3.124.142.205:15742 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 205.142.124.3.in-addr.arpa | udp |
| DE | 3.124.142.205:15742 | 0.tcp.eu.ngrok.io | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
memory/1296-0-0x00007FFD2F653000-0x00007FFD2F654000-memory.dmp
memory/1296-1-0x0000000000050000-0x000000000008A000-memory.dmp
memory/1296-2-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp
memory/3920-7-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp
memory/3920-8-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp
memory/3920-9-0x000002C3E9FE0000-0x000002C3EA002000-memory.dmp
memory/3920-12-0x000002C3EA790000-0x000002C3EA806000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_l4npc22p.fze.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/3920-50-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 7bc745df6da19773556ef4643ae66090 |
| SHA1 | 2f63cb82e1512e879fe68f80c112afdd650b9c1a |
| SHA256 | 38b2f95d679d4741c35548fecce854db6ae10aa991fee194f247d6cc573ba33b |
| SHA512 | 36e8074bb285a99024f1d424bd9d47b403b44b20c272074143e21c30fbc280621a9f3066c0607a8f995ae2feba073c4d03412d2639b9e0cd72e672b9974c04eb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e1068b7b7d5bbd12d46c91710fb2d3e3 |
| SHA1 | c61151701b1ba48b023a06fc14b489bdec822af0 |
| SHA256 | 5d45917923beb51ce60d5eecb76f057a1e3a83430d8b60b44af800633fa370c5 |
| SHA512 | d7fd7fc9100fb0b1989d31dbf36e04e446f10594c8c2aa3a3f252829346e4724f9d2813c44eaea07406dccb776b0710e3ee1a794ca2995474dcaa1a31baefb77 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 0eea8ae8d7e55ab31a19f56232bdcbd6 |
| SHA1 | 411b041511b64202a88fff54f4dc52d8a95a7947 |
| SHA256 | ca44f226959263a4965c7f0baa961574f00541498208b06d90bad4f5a2bd02ef |
| SHA512 | f337cb6809f4bec291a052bcb57efcb12f6e46cfe5575dcc30dcef6010c3b6f9b46999ff3bedc4a79f3482edbb9c0212703b99eeade54a5ec121aefa4a72f6b2 |
memory/1296-184-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp
memory/1296-185-0x000000001C5A0000-0x000000001C5AC000-memory.dmp
memory/1296-192-0x00007FFD2F650000-0x00007FFD3003C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp923.tmp.bat
| MD5 | 8f8c333dc8741d118f1c3a1a9a9c857f |
| SHA1 | 28fd24e1513b08e0dd66801a8647f5838485f42e |
| SHA256 | 4e5e2047e102e99a3b4c25a174fed77c25b0fc88eb20b36910355c88051f1fdf |
| SHA512 | 7af530d4ed78417a59984a15ccbeda611c66577686b35b57301186ba2c3855687210c67556ae170d51223ec22f7429296c1791a9c8374903fc3b56f73df4ec58 |