Overview

overview

10

Static

static

3

NerestPC.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    62s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-01-2025 00:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NerestPC.exe

  • Size

    5.0MB

  • MD5

    36ce218e741638ecff00c9a8a4bafee4

  • SHA1

    7a99e8d39c9fc5d6526a1230d68f08ce38007a8e

  • SHA256

    0c94444657b966a20aabb6df5917cb801d5587a6d8948516f1c18254965047f8

  • SHA512

    0aeff3cd96d3788d054e841f4335149c18337ac9e934ad8da90a27294d506aafc96c3527bc17baddc5d52ea4bef4a88308dd36859d40eda7d50bf2806ad2cb1d

  • SSDEEP

    6144:F9A6JRlmHikG0dE74e1iAkfLPfglyunnoU8S+P2N3DrrFGP:MSKik2ke1iNglymC25DrrFG

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

early-doll.gl.at.ply.gg:17002

purpose-terror.gl.at.ply.gg:19882
Attributes
  • Install_directory

    %AppData%

  • install_file

    java.exe

Signatures

  • Detect Xworm Payload 4 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NerestPC.exe
    "C:\Users\Admin\AppData\Local\Temp\NerestPC.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\javav.exe
      "C:\Users\Admin\AppData\Local\Temp\javav.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4360
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\javav.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4408
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'javav.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2648
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\java.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:632
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'java.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3276
    • C:\Users\Admin\AppData\Local\Temp\narost.exe
      "C:\Users\Admin\AppData\Local\Temp\narost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4904
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\narost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2004
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'narost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5040
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    796B

    MD5

    0781480bf2350bd775a7a0592c95ad57

    SHA1

    53d3ee88c4f89de098d8a5a7ac429c1dacc67d90

    SHA256

    0f42c7bd12227c6e1160b0bc85899469e2d30441166e5ab6a65cb4eed97497b4

    SHA512

    7d123bd9cbdaad6cb0fd86b0e737409e45d86ad8bf506e707fd1cc00e41809fb840a9caa8e05bc2726704ccfdd2f0df51012d5539f7dc2387970072a47f55701

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    15dde0683cd1ca19785d7262f554ba93

    SHA1

    d039c577e438546d10ac64837b05da480d06bf69

    SHA256

    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

    SHA512

    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    d8cb3e9459807e35f02130fad3f9860d

    SHA1

    5af7f32cb8a30e850892b15e9164030a041f4bd6

    SHA256

    2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

    SHA512

    045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_14cz0fgf.wwy.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\javav.exe
    Filesize

    80KB

    MD5

    aa534db340b1b35db372e813adb5b455

    SHA1

    f804f2ff56c5ef470e9d3c10870b1a51ccb8935e

    SHA256

    548db9521bf2d74ea3a1fbe5e6500be2e64fd00f8794661af90fdffc4e4f7b06

    SHA512

    6b24c74990e9fd8f42819b0a6f0e51f63556ac71ea2bcbd755dfe7ee53d8027b3bd3765bc1aad69c65300d9c5d3649c479cf392487bb9c57b9503b88a8cfd3bb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\narost.exe
    Filesize

    69KB

    MD5

    9780dbb7a7441d01b52c00d4c99f3a4f

    SHA1

    ec64405fac16aa937f30810ff333e18f80041811

    SHA256

    4df3aa6eb3e855fa2cf99659d58e112c976501c52d29bbe507b71a6f297791ac

    SHA512

    a5b4ad0f753fa755b5ee59faf4606c0a9c313c2b415efa3f162e6a0b8e46920cca90cd5b470c744304fc650160ef3d8f5813ab17c03202828f9062a76b4ec94c

    Download Submit

  • memory/3068-1-0x0000000000B10000-0x0000000000B72000-memory.dmp

    Filesize

    392KB

    Download

  • memory/3068-10-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3068-0-0x00007FFFA2C73000-0x00007FFFA2C75000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3068-29-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4360-27-0x0000000000550000-0x000000000056A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/4360-28-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4360-130-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4360-131-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4360-134-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4408-36-0x000002376F450000-0x000002376F472000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4904-30-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4904-26-0x0000000000630000-0x0000000000648000-memory.dmp

    Filesize

    96KB

    Download

  • memory/4904-125-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4904-132-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/4904-133-0x00007FFFA2C70000-0x00007FFFA3731000-memory.dmp

    Filesize

    10.8MB

    Download