Analysis

  • max time kernel
    49s
  • max time network
    56s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags

    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    21-06-2024 20:16

General

  • Target

    Nursultan.exe

  • Size

    39KB

  • MD5

    19cc9588da38dc15c39a0b97845aec8b

  • SHA1

    6a515efd577c31d93118c18541a37f0b7a4ea577

  • SHA256

    e748fa958fa9bcc470e3417d8241b69bdf94434840600a8a1a9e7111d39041cf

  • SHA512

    4bf4c10a6674b0efa7b913bb0c23533ab2940286b75cfcf1e3b29294c285c51b936c3c2b50c9841d4d5b89dbdb6d3ecc188d6221c1ce8687f00cab773b4a47b6

  • SSDEEP

    768:wPv2tl24FKuGCuuJ/5c/lpfFWPJ92OA6dOMhVjhg:wGr7IrCuuJefFe92OA6dOMDC

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:24920

6.tcp.eu.ngrok.io:24920

4.tcp.eu.ngrok.io:24920

5.tcp.eu.ngrok.io:24920

0.tcp.eu.ngrok.io:24920

20.ip.gl.ply.gg:24920

Mutex

VBbEnWr486GXjFcH

Attributes
  • Install_directory

    %AppData%

  • install_file

    cmd.exe

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1904
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1716
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4428
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:848
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      PID:2860
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:2736

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

      Filesize

      3KB

      MD5

      8592ba100a78835a6b94d5949e13dfc1

      SHA1

      63e901200ab9a57c7dd4c078d7f75dcd3b357020

      SHA256

      fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

      SHA512

      87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      c098d0dce72fdc2767092ee60bea2cb3

      SHA1

      43dd5626ad4a4cd912d23fe9aae7727740489f0c

      SHA256

      325de7928584f09e80af81ff96b75d6bdf8241c7a1dd49dcc599e423d97b435a

      SHA512

      a2418a7ef8c6e0c77029eec1859321cfa04015bc9d387b5dc6edd4446d00d5ef11448ea0b7a1d6346fe56d85e8f385d15495fbc2220b51ab4ec4c74d6a568a0b

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      f41ab028b4a8c3be10541f66f56d9eae

      SHA1

      cca9d98e6b05e59f4687ea47c748bd22cb212c6b

      SHA256

      d5c714152db27988d839dcac5e8371da4abb406898278df97e3668e2de4e4d16

      SHA512

      3b7ec374803bb577ffb04e21508382ed3f7b4acbb938975960226df946c6f489793516500140b415f4eb6680a2a05820fd06f3935b5b85a2bbea32c4b3c48188

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

      Filesize

      1KB

      MD5

      c024c7da42ba9c9bf1b94386acabd002

      SHA1

      8db4774defd2e7acec2388ae9a5b1f3aa3bd7238

      SHA256

      109927085d3b19738f9bd0c6f809d98c189e3a9666df6954a5ddc7d60c2e0aa9

      SHA512

      1b5433866580c82f760621d2693d166bfb12ba38176836e92e4a9101f9bbc0e3845187efcb4bdb0931bdff46200a332ee46046070ad7cc7239e792a0468d40af

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd4ol3zi.i3a.ps1

      Filesize

      1B

      MD5

      c4ca4238a0b923820dcc509a6f75849b

      SHA1

      356a192b7913b04c54574d18c28d46e6395428ab

      SHA256

      6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

      SHA512

      4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    • memory/1716-10-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1716-11-0x0000020549EF0000-0x0000020549F66000-memory.dmp

      Filesize

      472KB

    • memory/1716-40-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1716-50-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1716-51-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1716-9-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1716-6-0x0000020531840000-0x0000020531862000-memory.dmp

      Filesize

      136KB

    • memory/1904-0-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp

      Filesize

      4KB

    • memory/1904-1-0x0000000000660000-0x0000000000670000-memory.dmp

      Filesize

      64KB

    • memory/1904-186-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB

    • memory/1904-187-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp

      Filesize

      9.9MB