Analysis

  • max time kernel
    299s
  • max time network
    277s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240704-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    09/07/2024, 08:42

General

  • Target

    noratnik.exe

  • Size

    208KB

  • MD5

    7923c75699529f65b63ba064c9f512f6

  • SHA1

    f61cece0e51c1119a30e0f05a99dd6e141853388

  • SHA256

    22f802dad03ce14bec556b441955def133bf22dd04e42e247390c418f1c7be4a

  • SHA512

    21a28a417f3d6c43f86cc4d2251eb8712685b6654b27475541f84ea9e8851fa3b3eb48449fa4df6a757753bbfe3d97970b831b1975b01c7104d33bbd70b8e21c

  • SSDEEP

    3072:BmAwnYqFn98ZOua8SKfbzxcwg7es6/Vsb8VKTup49oJMfF/H9N3Ky9NzLn3:BmxnYsn9nUhcX7elbKTuq9bfF/H9d9n

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

GOBm8p0NnvNTIR9x

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    system.exe

  • pastebin_url

    https://pastebin.com/raw/H3wFXmEi

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 63 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\noratnik.exe
    "C:\Users\Admin\AppData\Local\Temp\noratnik.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3212
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\noratnik.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3136
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'noratnik.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:792
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\system.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4560
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4792
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
    1⤵
    PID:4532
  • C:\Windows\System32\oobe\UserOOBEBroker.exe
    C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    PID:1372
  • C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
    C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
    1⤵
    PID:1168
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4076
