Overview

overview

10

Static

static

1

Nkomssgp.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    55s
  • max time network
    58s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    15-06-2024 05:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nkomssgp.exe

  • Size

    4.6MB

  • MD5

    1d6421617b9bdaccaa87db2edc96cda0

  • SHA1

    002eb8b01151aebe91d8a8f8d4ed52c3aad9e1b2

  • SHA256

    a25bff1c3254fa942a830abd32bd1953e282a321a94ab9fc22e25f66d5f4b1a2

  • SHA512

    80f991929992adeda30d8137bf59c435671548f4580dac3e1c6df7c129c5d554711365a3b375cff8568345f554f971026ea60785931deeb8baacd6c643e92104

  • SSDEEP

    24576:w5VeFILu7XJJbYzr8KNJWtOh6S9JD4E678avKanuEXLI16NqX6QZkUHHsOS8dK/Z:4Vw

Score
10/10
xwormexecutionrattrojan

Malware Config

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nkomssgp.exe
    "C:\Users\Admin\AppData\Local\Temp\Nkomssgp.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4284
    • C:\Users\Admin\AppData\Local\Temp\Nkomssgp.exe
      "C:\Users\Admin\AppData\Local\Temp\Nkomssgp.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4552
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nkomssgp.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nkomssgp.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1
T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Nkomssgp.exe.log
    Filesize

    805B

    MD5

    9d0cacca373731660e8268a162d9d4ff

    SHA1

    a82111d00132cdf7ef46af5681601d55c6a0e17c

    SHA256

    95932f81206717ff86f0974ee37dc40d5d914f730f00a08344b4c1765d663394

    SHA512

    8c971ab501fc322b13f53b03325b2295e1eedb12b6d50a4225e6e3b4bf5128665b1a3d8b560a8b04f14bfa6f5cba41058e4f546139101fc303f3b8393f5ca485

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d0c46cad6c0778401e21910bd6b56b70

    SHA1

    7be418951ea96326aca445b8dfe449b2bfa0dca6

    SHA256

    9600b3fdf0565ccb49e21656aa4b24d7c18f776bfd04d9ee984b134707550f02

    SHA512

    057531b468f7fbbb2175a696a8aab274dec0d17d9f71df309edcff35e064f3378050066a3df47ccd03048fac461594ec75e3d4fe64f9dd79949d129f51e02949

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    a60181a4528030274396adce728b9291

    SHA1

    0a3a2036925ddea87690be698690b22fe5977446

    SHA256

    c5421717244e28377218d689054a10296c04119d947131c1fff8f688b5ffd303

    SHA512

    bb64d1f65ee0b5feedfd00684e2ed05d40f6c508faff5f8d0018af7e0f2f5905970b8b7660f1f2bdadccac27f97c479c3509254c0f3d578b156d6f4627497147

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5nc2ewgu.mea.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/1636-4959-0x00000000700E0000-0x000000007012C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1636-4949-0x0000000006300000-0x0000000006657000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2588-4936-0x00000000076D0000-0x0000000007D4A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/2588-4925-0x00000000700E0000-0x000000007012C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2588-4942-0x00000000072E0000-0x00000000072F5000-memory.dmp
    Filesize

    84KB

    Download
  • memory/2588-4941-0x00000000072D0000-0x00000000072DE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/2588-4940-0x00000000072A0000-0x00000000072B1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/2588-4939-0x0000000007330000-0x00000000073C6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2588-4938-0x0000000007100000-0x000000000710A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/2588-4937-0x0000000007090000-0x00000000070AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2588-4944-0x00000000073D0000-0x00000000073D8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2588-4935-0x0000000006F60000-0x0000000007004000-memory.dmp
    Filesize

    656KB

    Download
  • memory/2588-4934-0x0000000006F40000-0x0000000006F5E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2588-4943-0x00000000073F0000-0x000000000740A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2588-4924-0x0000000006F00000-0x0000000006F34000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2588-4923-0x0000000005D70000-0x0000000005DBC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2588-4922-0x0000000005D30000-0x0000000005D4E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2588-4921-0x00000000058A0000-0x0000000005BF7000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/2588-4947-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2588-4910-0x0000000004F90000-0x0000000004FB2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/2588-4911-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2588-4912-0x0000000005130000-0x0000000005196000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2588-4909-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2588-4907-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2588-4908-0x0000000005270000-0x000000000589A000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/2588-4906-0x0000000002560000-0x0000000002596000-memory.dmp
    Filesize

    216KB

    Download
  • memory/4284-40-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-36-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-8-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-24-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-12-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-6-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-5-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-66-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-4891-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4284-4892-0x0000000007020000-0x000000000708E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/4284-4893-0x0000000007090000-0x00000000070DC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/4284-4894-0x000000007501E000-0x000000007501F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4284-4895-0x0000000005950000-0x00000000059A4000-memory.dmp
    Filesize

    336KB

    Download
  • memory/4284-14-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-4900-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4284-1-0x0000000000990000-0x0000000000E22000-memory.dmp
    Filesize

    4.6MB

    Download
  • memory/4284-2-0x0000000006B80000-0x0000000006DB2000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-3-0x0000000007360000-0x0000000007906000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4284-4-0x0000000006E50000-0x0000000006EE2000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4284-18-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-16-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-22-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-26-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-28-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-30-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-32-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-35-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-11-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-38-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-0-0x000000007501E000-0x000000007501F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4284-46-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-42-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-44-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-48-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-50-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-52-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-54-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-56-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-60-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-62-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-64-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-68-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-58-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4284-20-0x0000000006B80000-0x0000000006DAC000-memory.dmp
    Filesize

    2.2MB

    Download
  • memory/4552-4905-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4552-4904-0x0000000005840000-0x00000000058A6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/4552-4903-0x0000000005720000-0x00000000057BC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4552-4902-0x0000000000400000-0x0000000000434000-memory.dmp
    Filesize

    208KB

    Download
  • memory/4552-4901-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4552-4969-0x0000000007290000-0x000000000729A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4552-4970-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/4552-4971-0x0000000007300000-0x000000000730C000-memory.dmp
    Filesize

    48KB

    Download
  • memory/4552-4972-0x0000000075010000-0x00000000757C1000-memory.dmp
    Filesize

    7.7MB

    Download