xworm | c34b2138f03116aa6c92db57158c89f03106591653e5cf2bba16b25bd6ee9a7c

Analysis

max time kernel
150s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
30-12-2024 23:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nursultan.exe
Size

18.5MB
MD5

0c2f4844e01c34341f0a755ab3b2859e
SHA1

ace281f4ebedaf320de215d90fa196f87cf58697
SHA256

c34b2138f03116aa6c92db57158c89f03106591653e5cf2bba16b25bd6ee9a7c
SHA512

daa8be1529142195ab69f27ec0918e5c98390a503a44b48c280c676d7efa5d6f12644970373edb248559b93672efd5c357e43a1b15d0ba63d9ae3731ae62dfda
SSDEEP

393216:IDCj0wdRR8jO7Fi+2Y8DFHCT5rCT8dp2C4wt1MQWJJpVrdh0lfSho:IkkjOr2YkFiTRY8dpF4wt1MJrga

Score

10^/10

xworm execution persistence pyinstaller rat trojan upx

Malware Config

Extracted

Family

xworm

127.0.0.1:40708

under-calculation.gl.at.ply.gg:40708

Attributes

Install_directory
%AppData%
install_file
svchost.exe

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/files/0x0009000000016ce8-7.dat	family_xworm
behavioral1/memory/1672-10-0x0000000000E90000-0x0000000000EAA000-memory.dmp	family_xworm
behavioral1/memory/1732-150-0x0000000000EF0000-0x0000000000F0A000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1908	powershell.exe
2040	powershell.exe
2336	powershell.exe
1132	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost.lnk	svchost.exe

Executes dropped EXE 9 IoCs

pid	Process
1672	svchost.exe
2852	NursultanClientLauncher.exe
2148	NursultanAlphaCrackFIX.exe
3024	NursultanAlphaCrackFIX.exe
2516	NursultanCrackAlphaFIXv2.exe
2476	NursultanCrackAlphaFIXv2.exe
1732	svchost.exe
2928	svchost.exe
1204	Process not Found

Loads dropped DLL 9 IoCs

pid	Process
1716	Nursultan.exe
2148	NursultanAlphaCrackFIX.exe
3024	NursultanAlphaCrackFIX.exe
1716	Nursultan.exe
2516	NursultanCrackAlphaFIXv2.exe
2476	NursultanCrackAlphaFIXv2.exe
1204	Process not Found
1204	Process not Found
1204	Process not Found

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00050000000196a0-45.dat	upx
behavioral1/memory/3024-47-0x000007FEEE770000-0x000007FEEEDD5000-memory.dmp	upx
behavioral1/files/0x000500000001a4d4-103.dat	upx
behavioral1/memory/2476-105-0x000007FEEE180000-0x000007FEEE768000-memory.dmp	upx
behavioral1/memory/2476-137-0x000007FEEE180000-0x000007FEEE768000-memory.dmp	upx

Detects Pyinstaller 1 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0005000000019cd5-50.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
1132	powershell.exe
1908	powershell.exe
2040	powershell.exe
2336	powershell.exe
1672	svchost.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	1716	Nursultan.exe
Token: SeDebugPrivilege	1672	svchost.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	1672	svchost.exe
Token: SeDebugPrivilege	1732	svchost.exe
Token: SeDebugPrivilege	2928	svchost.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1672	svchost.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2776	1716	Nursultan.exe	29
PID 1716 wrote to memory of 2776	1716	Nursultan.exe	29
PID 1716 wrote to memory of 2776	1716	Nursultan.exe	29
PID 1716 wrote to memory of 1672	1716	Nursultan.exe	30
PID 1716 wrote to memory of 1672	1716	Nursultan.exe	30
PID 1716 wrote to memory of 1672	1716	Nursultan.exe	30
PID 1716 wrote to memory of 2852	1716	Nursultan.exe	31
PID 1716 wrote to memory of 2852	1716	Nursultan.exe	31
PID 1716 wrote to memory of 2852	1716	Nursultan.exe	31
PID 1716 wrote to memory of 2148	1716	Nursultan.exe	32
PID 1716 wrote to memory of 2148	1716	Nursultan.exe	32
PID 1716 wrote to memory of 2148	1716	Nursultan.exe	32
PID 2148 wrote to memory of 3024	2148	NursultanAlphaCrackFIX.exe	33
PID 2148 wrote to memory of 3024	2148	NursultanAlphaCrackFIX.exe	33
PID 2148 wrote to memory of 3024	2148	NursultanAlphaCrackFIX.exe	33
PID 1716 wrote to memory of 2516	1716	Nursultan.exe	34
PID 1716 wrote to memory of 2516	1716	Nursultan.exe	34
PID 1716 wrote to memory of 2516	1716	Nursultan.exe	34
PID 2516 wrote to memory of 2476	2516	NursultanCrackAlphaFIXv2.exe	35
PID 2516 wrote to memory of 2476	2516	NursultanCrackAlphaFIXv2.exe	35
PID 2516 wrote to memory of 2476	2516	NursultanCrackAlphaFIXv2.exe	35
PID 1672 wrote to memory of 1132	1672	svchost.exe	36
PID 1672 wrote to memory of 1132	1672	svchost.exe	36
PID 1672 wrote to memory of 1132	1672	svchost.exe	36
PID 1672 wrote to memory of 1908	1672	svchost.exe	38
PID 1672 wrote to memory of 1908	1672	svchost.exe	38
PID 1672 wrote to memory of 1908	1672	svchost.exe	38
PID 1672 wrote to memory of 2040	1672	svchost.exe	40
PID 1672 wrote to memory of 2040	1672	svchost.exe	40
PID 1672 wrote to memory of 2040	1672	svchost.exe	40
PID 1672 wrote to memory of 2336	1672	svchost.exe	42
PID 1672 wrote to memory of 2336	1672	svchost.exe	42
PID 1672 wrote to memory of 2336	1672	svchost.exe	42
PID 1672 wrote to memory of 1152	1672	svchost.exe	44
PID 1672 wrote to memory of 1152	1672	svchost.exe	44
PID 1672 wrote to memory of 1152	1672	svchost.exe	44
PID 1128 wrote to memory of 1732	1128	taskeng.exe	49
PID 1128 wrote to memory of 1732	1128	taskeng.exe	49
PID 1128 wrote to memory of 1732	1128	taskeng.exe	49
PID 1128 wrote to memory of 2928	1128	taskeng.exe	50
PID 1128 wrote to memory of 2928	1128	taskeng.exe	50
PID 1128 wrote to memory of 2928	1128	taskeng.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
"C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
1⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\defender.vbs"
  2⤵
  PID:2776
- C:\Users\Admin\AppData\Local\Temp\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1132
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2040
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2336
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1152
- C:\Users\Admin\AppData\Local\Temp\NursultanClientLauncher.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanClientLauncher.exe"
  2⤵
  - Executes dropped EXE
  PID:2852
- C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3024
- C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe
  "C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe
    "C:\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2476

C:\Windows\system32\taskeng.exe
taskeng.exe {87EB617D-222E-4D22-A8E3-8390ADC6455A} S-1-5-21-3551809350-4263495960-1443967649-1000:NNYJZAHP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1128
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1732
- C:\Users\Admin\AppData\Roaming\svchost.exe
  C:\Users\Admin\AppData\Roaming\svchost.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\NursultanClientLauncher.exe

Filesize
514KB

MD5
a599f52a4f2dfddb7f9904480be156f5

SHA1
2653d5f88bd179ef66e3471aba9ab03909fd3562

SHA256
bd41639c7c4c57773059ba36358993f78b7ebcb7cb421d79232238446546cd6f

SHA512
dac11bb6bce81313f8a3ad8946204edee7c4ab0eba67f62e501d11b2dec2326be52d2b51dcab37ce3946f044ced57a0dc5c0de135cc89204e7cb21b7658cfc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21482\python313.dll

Filesize
1.8MB

MD5
9a3d3ae5745a79d276b05a85aea02549

SHA1
a5e60cac2ca606df4f7646d052a9c0ea813e7636

SHA256
09693bab682495b01de8a24c435ca5900e11d2d0f4f0807dae278b3a94770889

SHA512
46840b820ee3c0fa511596124eb364da993ec7ae1670843a15afd40ac63f2c61846434be84d191bd53f7f5f4e17fad549795822bb2b9c792ac22a1c26e5adf69

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI25162\python311.dll

Filesize
1.6MB

MD5
db09c9bbec6134db1766d369c339a0a1

SHA1
c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b

SHA256
b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79

SHA512
653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

Download Submit
C:\Users\Admin\AppData\Local\Temp\svchost.exe

Filesize
77KB

MD5
d268090047c087541676230b6a0dbebe

SHA1
0bc38e1125eb1b8360b07f61a4b45b731e3ef5f6

SHA256
b5cd8c7b2a5244f00d4afc0feaffda1ffbe44b9ebc27f31744de138b5d5d494a

SHA512
2f8865f0925298c875fba1da85876e5f66f8658cbad9878a73354a8616d0c365537a9ae738cf3422aa9260e9533929208f7ffaf262beab24700cf82d935090c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\QKC513SUURY8UXMTHYC8.temp

Filesize
7KB

MD5
5db74c564462acd1ac542494d2f9a956

SHA1
ac150ebdac54b7b5db022d6ecfe5ee5eb00e2b16

SHA256
6e7f8747b20770e0cd84a65e6d030be0f371f75a64f54660505bc4f3ae17ba80

SHA512
ec6913d3e587ca12af00de2c39b83739caa6ad76b45e2d99581aee089f4bd882da558b1475f3cdf0599025da7859655ee8fb1566048e2bf6f3b7bb0819e791a9

Download Submit
\Users\Admin\AppData\Local\Temp\NursultanAlphaCrackFIX.exe

Filesize
16.0MB

MD5
bc2b38448dbf6f24ff5b940fc16e657f

SHA1
b44e0c8f509032dcfa2eaa104e5f3fe444413c71

SHA256
019005d4204328ae80d2afef15e9c82f9ada14b4447fc8c61d70c0ab168ac271

SHA512
b949ce5164b5e1af46ccf1f2081818d0984c95085678d4ef731626573708f4a10c306bbdccbd0288c0952f5cb315e33fffedc8e82260d10c9e62b14a79ac0191

Download Submit
\Users\Admin\AppData\Local\Temp\NursultanCrackAlphaFIXv2.exe

Filesize
15.8MB

MD5
5965c6002db89d72cbf1a6c70cff04d2

SHA1
aee09f545fd3617f2621ef3fb25722ad5fbb03a9

SHA256
8ee8afb04deafb089862cc4ea1e29b0c118c30ba3af596db41f214ecb54106aa

SHA512
874ff3f703444bf475fe53cf9eff912581b64eeed3ba9d6a2e1db66547f671cf0264b1c91210a769ac9db8cbbf6c589501833f5d5cbe0f51c2d81d3092e08f5a

Download Submit
memory/1132-112-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/1132-111-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1672-15-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-106-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-138-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-134-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1672-10-0x0000000000E90000-0x0000000000EAA000-memory.dmp

Filesize
104KB

Download
memory/1716-0-0x000007FEF55F3000-0x000007FEF55F4000-memory.dmp

Filesize
4KB

Download
memory/1716-2-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1716-1-0x0000000000CB0000-0x0000000001F3C000-memory.dmp

Filesize
18.5MB

Download
memory/1716-100-0x000007FEF55F0000-0x000007FEF5FDC000-memory.dmp

Filesize
9.9MB

Download
memory/1732-150-0x0000000000EF0000-0x0000000000F0A000-memory.dmp

Filesize
104KB

Download
memory/1908-119-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1908-118-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2476-105-0x000007FEEE180000-0x000007FEEE768000-memory.dmp

Filesize
5.9MB

Download
memory/2476-137-0x000007FEEE180000-0x000007FEEE768000-memory.dmp

Filesize
5.9MB

Download
memory/2852-14-0x0000000001020000-0x00000000010A6000-memory.dmp

Filesize
536KB

Download
memory/3024-47-0x000007FEEE770000-0x000007FEEEDD5000-memory.dmp

Filesize
6.4MB

Download