Analysis Overview
SHA256
e748fa958fa9bcc470e3417d8241b69bdf94434840600a8a1a9e7111d39041cf
Threat Level: Known bad
The file Nursultan.exe was found to be: Known bad.
Malicious Activity Summary
Xworm
Xworm family
Detect Xworm Payload
Command and Scripting Interpreter: PowerShell
Drops startup file
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Unsigned PE
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-21 20:16
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-21 20:16
Reported
2024-06-21 20:17
Platform
win10-20240611-en
Max time kernel
49s
Max time network
56s
Command Line
Signatures
Detect Xworm Payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Xworm
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd = "C:\\Users\\Admin\\AppData\\Roaming\\cmd.exe" | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | 6.tcp.eu.ngrok.io | N/A | N/A |
| N/A | 5.tcp.eu.ngrok.io | N/A | N/A |
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Nursultan.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Nursultan.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\cmd.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'cmd.exe'
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 6.tcp.eu.ngrok.io | udp |
| DE | 3.69.157.220:24920 | 6.tcp.eu.ngrok.io | tcp |
| DE | 3.69.157.220:24920 | 6.tcp.eu.ngrok.io | tcp |
| N/A | 127.0.0.1:24920 | N/A | tcp |
| US | 8.8.8.8:53 | 5.tcp.eu.ngrok.io | udp |
| DE | 3.67.62.142:24920 | 5.tcp.eu.ngrok.io | tcp |
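The process tree and network table above show the whole chain in order: the dropper in %TEMP% spawns four PowerShell instances that add Defender exclusions for itself and for its copy in %APPDATA%, the dropper writes a Run key and a Startup-folder .lnk pointing at that copy, and the sample then resolves numbered `tcp.eu.ngrok.io` endpoints for C2. The script below is an added example, not part of the sandbox output, and runs detection logic for each of those behaviours over constructed Sysmon-style events modelled on this report. The event schema (type, image, parent, cmdline, key, value, path, query), the rule names, and the parent process assigned to the rundll32 entry are assumptions; the paths and domains are taken from the report.

```python
"""Detection logic for the behaviours in the report above, run over constructed
Sysmon-style events. Added example, not part of the sandbox output; the event
schema (type/image/parent/cmdline/key/value/path/query) is an assumption."""
import re

# Paths taken from the report's process tree.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\cmd.exe"

# One pattern per observed behaviour.
DEFENDER_EXCLUSION = re.compile(
    r"Add-MpPreference\b.*-Exclusion(?:Path|Process|Extension|IpAddress)\b", re.IGNORECASE)
POLICY_BYPASS = re.compile(r"-ExecutionPolicy\s+Bypass\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\AppData\\(?:Local|Roaming)\\", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_LNK = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.lnk$", re.IGNORECASE)
# Numbered ngrok TCP tunnel hosts, with or without a region label (6.tcp.eu.ngrok.io, 0.tcp.ngrok.io).
NGROK_TCP = re.compile(r"^\d+\.tcp(?:\.[a-z]+)?\.ngrok\.io$", re.IGNORECASE)


def ps_cmd(args):
    """Build a PowerShell command line in the form seen in the report."""
    return f'"{PS}" -ExecutionPolicy Bypass {args}'


# Constructed events modelled on the report (not real telemetry); parents are assumed.
SAMPLE_EVENTS = [
    {"type": "process", "image": DROPPER, "parent": r"C:\Windows\explorer.exe",
     "cmdline": f'"{DROPPER}"'},
    {"type": "process", "image": PS, "parent": DROPPER,
     "cmdline": ps_cmd(f"Add-MpPreference -ExclusionPath '{DROPPER}'")},
    {"type": "process", "image": PS, "parent": DROPPER,
     "cmdline": ps_cmd("Add-MpPreference -ExclusionProcess 'Nursultan.exe'")},
    {"type": "process", "image": PS, "parent": DROPPER,
     "cmdline": ps_cmd(f"Add-MpPreference -ExclusionPath '{COPY}'")},
    {"type": "process", "image": PS, "parent": DROPPER,
     "cmdline": ps_cmd("Add-MpPreference -ExclusionProcess 'cmd.exe'")},
    # Shell COM activation from the tree; expected to produce no finding.
    {"type": "process", "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll "
                r"{9aa46009-3ce0-458a-a354-715610a075e6} -Embedding"},
    {"type": "registry", "image": DROPPER,
     "key": r"\REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\cmd",
     "value": COPY},
    {"type": "file", "image": DROPPER,
     "path": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cmd.lnk"},
    {"type": "dns", "image": DROPPER, "query": "6.tcp.eu.ngrok.io"},
    {"type": "dns", "image": DROPPER, "query": "5.tcp.eu.ngrok.io"},
    {"type": "dns", "image": DROPPER, "query": "www.microsoft.com"},  # benign control
]


def _finding(index, rule, technique, evidence):
    return {"event": index, "rule": rule, "technique": technique, "evidence": evidence}


def analyze(events):
    """Return one finding per rule hit, tagged with the ATT&CK technique ID."""
    findings = []
    for i, ev in enumerate(events):
        kind = ev["type"]
        if kind == "process":
            cmd = ev.get("cmdline", "")
            if DEFENDER_EXCLUSION.search(cmd):
                findings.append(_finding(i, "defender_exclusion_added", "T1562.001", cmd))
            # PowerShell with policy bypass whose parent lives in a user-writable directory.
            if POLICY_BYPASS.search(cmd) and USER_WRITABLE.search(ev.get("parent", "")):
                findings.append(_finding(i, "powershell_bypass_from_user_writable_parent",
                                         "T1059.001", ev["parent"]))
        elif kind == "registry":
            if RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev.get("value", "")):
                findings.append(_finding(i, "run_key_points_to_appdata", "T1547.001", ev["value"]))
        elif kind == "file":
            if STARTUP_LNK.search(ev["path"]):
                findings.append(_finding(i, "startup_folder_lnk_dropped", "T1547.001", ev["path"]))
        elif kind == "dns":
            if NGROK_TCP.match(ev["query"]):
                findings.append(_finding(i, "ngrok_tcp_tunnel_lookup", "T1572", ev["query"]))
    return findings


def summarize(findings):
    """Count findings per ATT&CK technique."""
    counts = {}
    for f in findings:
        counts[f["technique"]] = counts.get(f["technique"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = analyze(SAMPLE_EVENTS)
    for h in hits:
        print(f"event {h['event']:2d} {h['technique']:10s} {h['rule']:45s} {h['evidence']}")
    print(summarize(hits))
```

Against the constructed events this yields twelve findings: four Defender exclusion additions and four policy-bypass launches (one pair per PowerShell instance in the tree), the Run key and the Startup .lnk, and the two ngrok lookups; the rundll32 COM activation and the benign DNS control produce nothing. The exclusion rule is the one worth keeping even where the rest is tuned away: a non-administrative tool adding a path or process exclusion from a %TEMP% parent has almost no legitimate occurrence.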
Files
memory/1904-0-0x00007FFCA9A13000-0x00007FFCA9A14000-memory.dmp
memory/1904-1-0x0000000000660000-0x0000000000670000-memory.dmp
memory/1716-6-0x0000020531840000-0x0000020531862000-memory.dmp
memory/1716-9-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp
memory/1716-10-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp
memory/1716-11-0x0000020549EF0000-0x0000020549F66000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bd4ol3zi.i3a.ps1
| MD5 | c4ca4238a0b923820dcc509a6f75849b |
| SHA1 | 356a192b7913b04c54574d18c28d46e6395428ab |
| SHA256 | 6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b |
| SHA512 | 4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a |
memory/1716-40-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp
memory/1716-50-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp
memory/1716-51-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 8592ba100a78835a6b94d5949e13dfc1 |
| SHA1 | 63e901200ab9a57c7dd4c078d7f75dcd3b357020 |
| SHA256 | fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c |
| SHA512 | 87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c024c7da42ba9c9bf1b94386acabd002 |
| SHA1 | 8db4774defd2e7acec2388ae9a5b1f3aa3bd7238 |
| SHA256 | 109927085d3b19738f9bd0c6f809d98c189e3a9666df6954a5ddc7d60c2e0aa9 |
| SHA512 | 1b5433866580c82f760621d2693d166bfb12ba38176836e92e4a9101f9bbc0e3845187efcb4bdb0931bdff46200a332ee46046070ad7cc7239e792a0468d40af |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c098d0dce72fdc2767092ee60bea2cb3 |
| SHA1 | 43dd5626ad4a4cd912d23fe9aae7727740489f0c |
| SHA256 | 325de7928584f09e80af81ff96b75d6bdf8241c7a1dd49dcc599e423d97b435a |
| SHA512 | a2418a7ef8c6e0c77029eec1859321cfa04015bc9d387b5dc6edd4446d00d5ef11448ea0b7a1d6346fe56d85e8f385d15495fbc2220b51ab4ec4c74d6a568a0b |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | f41ab028b4a8c3be10541f66f56d9eae |
| SHA1 | cca9d98e6b05e59f4687ea47c748bd22cb212c6b |
| SHA256 | d5c714152db27988d839dcac5e8371da4abb406898278df97e3668e2de4e4d16 |
| SHA512 | 3b7ec374803bb577ffb04e21508382ed3f7b4acbb938975960226df946c6f489793516500140b415f4eb6680a2a05820fd06f3935b5b85a2bbea32c4b3c48188 |
memory/1904-186-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp
memory/1904-187-0x00007FFCA9A10000-0x00007FFCAA3FC000-memory.dmp