Overview

overview

10

Static

static

3

Nursultan.exe

windows7-x64

10

Nursultan.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-11-2024 10:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Nursultan.exe

  • Size

    491KB

  • MD5

    d326a49628c02672b8199e2d7f6eefd6

  • SHA1

    3d7bfcb1055df6d9a99b9a861735643d979dbef1

  • SHA256

    78faa3006a538ebb08d194b94ffaec25e5a704a40e0aafa533f3e5c538d453ad

  • SHA512

    95be9d339665ac48bce1e09de17e85f03bc6e4cbee590a2d3fa6f134ae63cacd1b995f7a9d929105fbbb81f3f31c5d77eb6f1f7d1fd0dfee0c07fd9ede5c52d7

  • SSDEEP

    3072:qaXN3R7KFl0QuPcwo6AWDw32wgD29avk48DosgRARZKBzcoFRJvmFdJZJbvRNpG:lN39QIjHDC229avr8D+WKzjJ+FDH

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

19.ip.gl.ply.gg:33519

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3924
    • C:\Users\Admin\AppData\Roaming\Nursultan.exe
      "C:\Users\Admin\AppData\Roaming\Nursultan.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Nursultan.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1292
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Nursultan.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4588
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3340
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4348
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\..bat" "
      2⤵
        PID:3488

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      440cb38dbee06645cc8b74d51f6e5f71

      SHA1

      d7e61da91dc4502e9ae83281b88c1e48584edb7c

      SHA256

      8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

      SHA512

      3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      4d8567f2d1c8a09bbfe613145bf78577

      SHA1

      f2af10d629e6d7d2ecec76c34bd755ecf61be931

      SHA256

      7437b098af4618fbcefe7522942c862aeaf39a0b82ce05b0797185c552f22a3c

      SHA512

      89130e5c514e33f5108e308f300614dc63989f3e6a4e762a12982af341ab1c5748dd93fd185698dcf6d3a1ea7234228d04ad962e4ee0a15a683e988f115a84ea

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      18470dd1aa7811c5a9825ea59429223b

      SHA1

      75859ea7baf1a8f5ba652ca783bb15f07615cc32

      SHA256

      98616a32e387ad9ae2f6faddc53cd60e0ba50fe4088abdc51b82b309cc8771bd

      SHA512

      cc8ff35595460d3ef16589cbab347ac07eff8b62766bfbceb386507ac631d433a2aa9187b0d6cef2b30b1fa08c92bc5a0061e984cc37c378119dcf51212f3def

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      272dc716c99407615cc54be63824cd1e

      SHA1

      6aeeeee0a254473427af394b161c1020cf74ec0a

      SHA256

      0e772f1d15426881d1c79b319c8d52919383d1c1b861d1893a94c0e8bd472f06

      SHA512

      5a32034ea515f358ef4ec2e2f198fdc0dd0c5900645c4a8e8e1da7922ee19836d735ee726ce7d60b3015ab7abc10ebec2602fec24dca4f4e0798db2a7bf5aaf2

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5rmzntrd.g0t.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\..bat
      Filesize

      11B

      MD5

      9905e5a33c6edd8eb5f59780afbf74de

      SHA1

      64b2cd0186ff6fe05072ee88e2bb54476023772e

      SHA256

      c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

      SHA512

      e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Nursultan.exe
      Filesize

      273KB

      MD5

      05559d83ce9b8984e66740f882a2dac9

      SHA1

      afdf7442e86627d46d987ed8982f141926cdf3f1

      SHA256

      fb2aa53b1c2c105ac321abf3448afb452eedff2f0407846fb3d85a8b6236e357

      SHA512

      1b8e0141db5986a8117ae1c3aba26fb0551fbd24948a07745d8e36705bcf813803ec8570f8290d41ae8ed5d4da0d7690621b86b42e6d46575ea62fa733638364

      Download Submit

    • memory/1292-30-0x0000026526580000-0x00000265265A2000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3924-1-0x0000000000470000-0x00000000004F0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/3924-0-0x00007FFEC1A63000-0x00007FFEC1A65000-memory.dmp

      Filesize

      8KB

      Download

    • memory/4864-17-0x0000000000B50000-0x0000000000B9A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/4864-20-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4864-18-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4864-71-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4864-72-0x00007FFEC1A60000-0x00007FFEC2521000-memory.dmp

      Filesize

      10.8MB

      Download