Analysis
Max time kernel: 49s
Max time network: 56s
Platform: windows10-1703_x64
Resource: win10-20240611-en
Resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
Submitted: 21-06-2024 20:16
Behavioral task: behavioral1
Sample: Nursultan.exe
Resource: win10-20240611-en
General
Target: Nursultan.exe
Size: 39KB
MD5: 19cc9588da38dc15c39a0b97845aec8b
SHA1: 6a515efd577c31d93118c18541a37f0b7a4ea577
SHA256: e748fa958fa9bcc470e3417d8241b69bdf94434840600a8a1a9e7111d39041cf
SHA512: 4bf4c10a6674b0efa7b913bb0c23533ab2940286b75cfcf1e3b29294c285c51b936c3c2b50c9841d4d5b89dbdb6d3ecc188d6221c1ce8687f00cab773b4a47b6
SSDEEP: 768:wPv2tl24FKuGCuuJ/5c/lpfFWPJ92OA6dOMhVjhg:wGr7IrCuuJefFe92OA6dOMDC
Malware Config
Extracted family: xworm
Version: 5.0
C2 endpoints:
- 127.0.0.1:24920
- 6.tcp.eu.ngrok.io:24920
- 4.tcp.eu.ngrok.io:24920
- 5.tcp.eu.ngrok.io:24920
- 0.tcp.eu.ngrok.io:24920
- 20.ip.gl.ply.gg:24920
Additional config value (unlabelled in the report): VBbEnWr486GXjFcH
Install_directory: %AppData%
install_file: cmd.exe
Signatures

Detect Xworm Payload (1 IoC)
Processes:
- resource behavioral1/memory/1904-1-0x0000000000660000-0x0000000000670000-memory.dmp, yara_rule family_xworm

Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
- PID 1716 powershell.exe
- PID 4428 powershell.exe
- PID 848 powershell.exe
- PID 2860 powershell.exe

Drops startup file (2 IoCs)
Processes:
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk (Nursultan.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk (Nursultan.exe)

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Set value (str): \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe" (Nursultan.exe)

Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (13 IoCs)
Processes:
- PID 1716 powershell.exe (3 IoCs)
- PID 4428 powershell.exe (3 IoCs)
- PID 848 powershell.exe (3 IoCs)
- PID 2860 powershell.exe (3 IoCs)
- PID 1904 Nursultan.exe (1 IoC)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes:
- PID 1904 Nursultan.exe: SeDebugPrivilege
- PID 1716 powershell.exe: SeDebugPrivilege, SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35, 36
- PID 4428 powershell.exe: the same sequence of tokens as PID 1716
- PID 848 powershell.exe: the same sequence of tokens as PID 1716 up to token 33 (the report's list ends there)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 1904 Nursultan.exe

Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
- PID 1904 Nursultan.exe wrote to memory of PID 1716 powershell.exe (2 IoCs)
- PID 1904 Nursultan.exe wrote to memory of PID 4428 powershell.exe (2 IoCs)
- PID 1904 Nursultan.exe wrote to memory of PID 848 powershell.exe (2 IoCs)
- PID 1904 Nursultan.exe wrote to memory of PID 2860 powershell.exe (2 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\Nursultan.exe (PID 1904), command line: "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1716), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4428), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 848), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 2860), command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\rundll32.exe (PID 2736), command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads