Analysis
max time kernel: 9s
max time network: 13s
platform: windows11-21h2_x64
resource: win11-20240426-en
resource tags: arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 31-05-2024 07:26
General
Target: Nexus.exe
Size: 40KB
MD5: 0b677bbe363ea393d2a1152b9c9c67d7
SHA1: 956f8c498490c595df946763d486c9016839f1b8
SHA256: 960c31ec0fad0f80d726d3a91d9bbbc68c34c09a60f9381a87a589eee8814133
SHA512: f24a1bb67caed2487f78be90ae728c8ed386e46ef0159c188d0b8b05e479731b5ccb1b298e8e00db0b5c8a5d145dca3d56435b95ce0099286150fa814aad11c8
SSDEEP: 768:36Pq4VSviT+oGQAyAqbA8K7tF5Pq9IUOMhY3/Rsq:gvSqT1HAzAVKxFk9IUOMepr
Malware Config (Extracted)
Family: xworm
Version: 5.0
C2: 85.203.4.69:1999
Mutex: nejvXraHvLYWkslH
Attributes:
  Install_directory: %Userprofile%
  install_file: csrss.exe
  aes.plain
Signatures

Detect Xworm Payload (1 IoCs)
Processes:
  resource: behavioral1/memory/5000-1-0x0000000000110000-0x0000000000120000-memory.dmp | yara_rule: family_xworm

Drops startup file (2 IoCs)
Processes (Nexus.exe):
  description: File created | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | process: Nexus.exe
  description: File opened for modification | ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\csrss.lnk | process: Nexus.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
  flow: 1 | ioc: ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (Nexus.exe):
  pid: 5000 | process: Nexus.exe

Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes (Nexus.exe):
  description: Token: SeDebugPrivilege | pid: 5000 | process: Nexus.exe
  description: Token: SeDebugPrivilege | pid: 5000 | process: Nexus.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (Nexus.exe):
  pid: 5000 | process: Nexus.exe