Analysis

  • max time kernel
    148s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23-02-2025 06:24

General

  • Target

    Nursultan.exe

  • Size

    462KB

  • MD5

    5e87192e88d28da6e48574dba90b159f

  • SHA1

    ab209d00616ba41d1ee823d1d24fb8869dd77ad9

  • SHA256

    85e840236b64e2e801a97b5ebaae10358d642bb832e93f7f7dca7ed791ab6bd4

  • SHA512

    2442167a5a33d8f9a5fd896061007d67689478c8b009776b8d647832a740d85e716935b313eefdcaec635851237e52ee566341c3547bfde66acb7cd9b5c2af34

  • SSDEEP

    12288:dhoZtL+EP8HUwLYe5xysXKYZd8JV2x2gFM+bAWoHUQZEuM:dfI80wLYe5xysXKYZd8JV4JMYolM

Malware Config

Signatures

  • Detect Umbral payload 3 IoCs
  • Detect Xworm Payload 1 IoCs
  • Umbral

    Umbral stealer is an open-source modular stealer written in C#.

  • Umbral family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Nursultan.exe
    "C:\Users\Admin\AppData\Local\Temp\Nursultan.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:340
    • C:\Users\Admin\AppData\Local\Temp\NursultanInjector.exe
      "C:\Users\Admin\AppData\Local\Temp\NursultanInjector.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:708
      • C:\Windows\System32\Wbem\wmic.exe
        "wmic.exe" csproduct get uuid
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2972

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\NursultanInjector.exe

    Filesize

    231KB

    MD5

    619d520faf97efa9102187521480dc1d

    SHA1

    77b764bb329befe38d3e0e1320b5488e580fcbb5

    SHA256

    adac041d9043499bd007dc7710ddb650d909207d9292a042523d7dc677b0687e

    SHA512

    d2aa2a948e7b127ce16df3ccd8f5c9b6b8043d2187ea56bf347882f138d7fd35d9efaa80b27d7e6cb29bed769f194144a26cba1aa97599c20238c3edbde9dbb4

  • memory/340-12-0x0000000000400000-0x000000000047B000-memory.dmp

    Filesize

    492KB

  • memory/708-11-0x00007FFB81F63000-0x00007FFB81F65000-memory.dmp

    Filesize

    8KB

  • memory/708-13-0x00000219DD970000-0x00000219DD9B0000-memory.dmp

    Filesize

    256KB

  • memory/708-14-0x00007FFB81F60000-0x00007FFB82A21000-memory.dmp

    Filesize

    10.8MB

  • memory/708-16-0x00007FFB81F60000-0x00007FFB82A21000-memory.dmp

    Filesize

    10.8MB