Analysis
-
max time kernel
149s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
-
submitted
24/02/2025, 03:04
General
-
Target
782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1.exe
-
Size
852KB
-
MD5
c7988c8d4e55ad226772a31c158747ab
-
SHA1
d7e2f3cca3d7d92eeaccce51734999a734321825
-
SHA256
782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1
-
SHA512
a22e1ab980fe49c8e7bfa521a9fc1197a46eff85eb40261cb03e683f4f3aefc245934362c6da181f28572bd314a6183d9bfd6671957af32e20450963d385b27b
-
SSDEEP
12288:YlMNMfURnHb+Qv6HNbwVAQXPZPT9VAGgQmLwy67Dq4JgDPEDW78RRVmevBqJC80Z:YZMRHPv6tkVvXxPosEgEozRRVBCMRH
Malware Config
Extracted
nanocore
1.2.2.0
lxtihmjohnson163.airdns.org:43366
3740d544-7efc-40b2-8c32-f31974309f7d
-
activate_away_mode
true
- backup_connection_host
-
backup_dns_server
8.8.4.4
-
buffer_size
65535
-
build_time
2024-10-21T12:36:42.768385536Z
-
bypass_user_account_control
false
-
bypass_user_account_control_data
PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTE2Ij8+DQo8VGFzayB2ZXJzaW9uPSIxLjIiIHhtbG5zPSJodHRwOi8vc2NoZW1hcy5taWNyb3NvZnQuY29tL3dpbmRvd3MvMjAwNC8wMi9taXQvdGFzayI+DQogIDxSZWdpc3RyYXRpb25JbmZvIC8+DQogIDxUcmlnZ2VycyAvPg0KICA8UHJpbmNpcGFscz4NCiAgICA8UHJpbmNpcGFsIGlkPSJBdXRob3IiPg0KICAgICAgPExvZ29uVHlwZT5JbnRlcmFjdGl2ZVRva2VuPC9Mb2dvblR5cGU+DQogICAgICA8UnVuTGV2ZWw+SGlnaGVzdEF2YWlsYWJsZTwvUnVuTGV2ZWw+DQogICAgPC9QcmluY2lwYWw+DQogIDwvUHJpbmNpcGFscz4NCiAgPFNldHRpbmdzPg0KICAgIDxNdWx0aXBsZUluc3RhbmNlc1BvbGljeT5QYXJhbGxlbDwvTXVsdGlwbGVJbnN0YW5jZXNQb2xpY3k+DQogICAgPERpc2FsbG93U3RhcnRJZk9uQmF0dGVyaWVzPmZhbHNlPC9EaXNhbGxvd1N0YXJ0SWZPbkJhdHRlcmllcz4NCiAgICA8U3RvcElmR29pbmdPbkJhdHRlcmllcz5mYWxzZTwvU3RvcElmR29pbmdPbkJhdHRlcmllcz4NCiAgICA8QWxsb3dIYXJkVGVybWluYXRlPnRydWU8L0FsbG93SGFyZFRlcm1pbmF0ZT4NCiAgICA8U3RhcnRXaGVuQXZhaWxhYmxlPmZhbHNlPC9TdGFydFdoZW5BdmFpbGFibGU+DQogICAgPFJ1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+ZmFsc2U8L1J1bk9ubHlJZk5ldHdvcmtBdmFpbGFibGU+DQogICAgPElkbGVTZXR0aW5ncz4NCiAgICAgIDxTdG9wT25JZGxlRW5kPmZhbHNlPC9TdG9wT25JZGxlRW5kPg0KICAgICAgPFJlc3RhcnRPbklkbGU+ZmFsc2U8L1Jlc3RhcnRPbklkbGU+DQogICAgPC9JZGxlU2V0dGluZ3M+DQogICAgPEFsbG93U3RhcnRPbkRlbWFuZD50cnVlPC9BbGxvd1N0YXJ0T25EZW1hbmQ+DQogICAgPEVuYWJsZWQ+dHJ1ZTwvRW5hYmxlZD4NCiAgICA8SGlkZGVuPmZhbHNlPC9IaWRkZW4+DQogICAgPFJ1bk9ubHlJZklkbGU+ZmFsc2U8L1J1bk9ubHlJZklkbGU+DQogICAgPFdha2VUb1J1bj5mYWxzZTwvV2FrZVRvUnVuPg0KICAgIDxFeGVjdXRpb25UaW1lTGltaXQ+UFQwUzwvRXhlY3V0aW9uVGltZUxpbWl0Pg0KICAgIDxQcmlvcml0eT40PC9Qcmlvcml0eT4NCiAgPC9TZXR0aW5ncz4NCiAgPEFjdGlvbnMgQ29udGV4dD0iQXV0aG9yIj4NCiAgICA8RXhlYz4NCiAgICAgIDxDb21tYW5kPiIjRVhFQ1VUQUJMRVBBVEgiPC9Db21tYW5kPg0KICAgICAgPEFyZ3VtZW50cz4kKEFyZzApPC9Bcmd1bWVudHM+DQogICAgPC9FeGVjPg0KICA8L0FjdGlvbnM+DQo8L1Rhc2s+
-
clear_access_control
true
-
clear_zone_identifier
false
-
connect_delay
4000
-
connection_port
43366
-
default_group
JAMJAM01
-
enable_debug_mode
true
-
gc_threshold
1.048576e+07
-
keep_alive_timeout
30000
-
keyboard_logging
false
-
lan_timeout
2500
-
max_packet_size
1.048576e+07
-
mutex
3740d544-7efc-40b2-8c32-f31974309f7d
-
mutex_timeout
5000
-
prevent_system_sleep
false
-
primary_connection_host
lxtihmjohnson163.airdns.org
-
primary_dns_server
8.8.8.8
-
request_elevation
true
-
restart_delay
5000
-
run_delay
0
-
run_on_startup
false
-
set_critical_process
true
-
timeout_interval
5000
-
use_custom_dns_server
false
-
version
1.2.2.0
-
wan_timeout
8000
Extracted
xworm
5.0
tunhost.duckdns.org:57891
wintun.freemyip.com:57891
87.249.134.68:57891
-
install_file
琀㴀Ā ☀☀ �䔗渀瘀椀爀漀渀洀攀渀琀�眍椀渀搀椀爀�瀝漀眀攀爀猀栀攀氀氀⸀攀砀攀�醀-C schtasks.exe
Signatures
-
Detect Xworm Payload 3 IoCs
-
NanoCore
NanoCore is a remote access tool (RAT) with a variety of capabilities.
-
Nanocore family
-
UAC bypass 3 TTPs 1 IoCs
-
Xmrig family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 11 IoCs
-
Creates new service(s) 2 TTPs
-
Stops running service(s) 4 TTPs
-
Checks BIOS information in registry 2 TTPs 1 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Power Settings 1 TTPs 8 IoCs
powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.
-
Suspicious use of SetThreadContext 3 IoCs
-
UPX packed file 16 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in Program Files directory 2 IoCs
-
Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious behavior: SetClipboardViewer 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 24 IoCs
-
Suspicious use of WriteProcessMemory 46 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1.exe"C:\Users\Admin\AppData\Local\Temp\782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1.exe"1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1.exe"C:\Users\Admin\AppData\Local\Temp\782cf5337d8a428867a0ab13d474628b427dbb1164d4449f7e8dc96bdab3c7b1.exe"2⤵
- Drops startup file
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "IMAP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3738.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "IMAP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp3796.tmp"3⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\winlogon.exe"3⤵
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious behavior: SetClipboardViewer
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /delete /f /tn "Microsoft\Windows\Client Server Runtime Process"4⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\schtasks.exe"schtasks.exe" /create /f /tn "Microsoft\Windows\Client Server Runtime Process" /xml "C:\Users\Admin\AppData\Local\Temp\tmp4E98.tmp"4⤵
- System Location Discovery: System Language Discovery
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\wanhost.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\reg.exe"reg.exe" ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f3⤵
- UAC bypass
- System Location Discovery: System Language Discovery
- Modifies registry key
-
-
C:\Users\Admin\AppData\Local\system32.exe"C:\Users\Admin\AppData\Local\system32.exe"3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 04⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AHMOQNZH"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AHMOQNZH" binpath= "C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe" start= "auto"4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop eventlog4⤵
- Launches sc.exe
-
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe start "AHMOQNZH"4⤵
- Launches sc.exe
-
-
-
C:\Users\Admin\AppData\Local\system32-checker.exe"C:\Users\Admin\AppData\Local\system32-checker.exe"3⤵
- Executes dropped EXE
-
-
-
C:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exeC:\ProgramData\ipbodjvyupmv\qshtkbttphgg.exe1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 02⤵
- Power Settings
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\conhost.exeC:\Windows\system32\conhost.exe2⤵
-
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Scheduled Task/Job
1Scheduled Task
1System Services
2Service Execution
2Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Power Settings
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
2Windows Service
2Scheduled Task/Job
1Scheduled Task
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
2Disable or Modify Tools
1Modify Registry
3Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5400f1cc1a0a0ce1cdabda365ab3368ce
SHA11ecf683f14271d84f3b6063493dce00ff5f42075
SHA256c8fa64f4b69df13ed6408fd4a204f318a36c2f38c85d4a4d42adfc9173f73765
SHA51214c8cfd58d097e5e89c8cabe1e665173f1ccf604a9ef70cdcb84116e265f90819c19c891be408e0ad7e29086a5c2ea2883b7a7d1184878dbbac63e2cabcd1c45
-
Filesize
1KB
MD5a8e6e58359df40222936fefc2da35772
SHA17723094dcd30c23cfca2db02ab16b01a1adb74da
SHA25665919ca0907955ff115e55fcd2900c410af45911e9fa780a4d31bf7f77595be2
SHA51293db7172e64f683911452bc1b47b2282259bb1d19f92ce61ba5fadc2405ecb2457cce3666a546cf762bd9d6ef2f8885e298776205ec11137f5344e39aa53632d
-
Filesize
1KB
MD54a0b600dc69a91b7134c8cedda9e49d3
SHA1788e74e33a9dc48a45074b7226730a299352f2ef
SHA256113b96e45fb075b17d381d3933db3eb2afcd1d08f7066a27b701ed9efd6c55f7
SHA512e2c7b7ad53ae28f895bbc8f5781b4748af1998832e6f6dadca77a961a123fc5507f84ddac3f1c6851a80d279416485515a7bd1798053aee5ff38e62ce4c7c44c
-
Filesize
1KB
MD555f737e134714dd479fb8d4417a14df5
SHA14195b4131fb1215140baaaf5a6d8e26f305572af
SHA256f306ee4e70a9dd3281131c476541b78f8cbe387a8a507f3b98a48ef34ecf2835
SHA512446fa2af1cfb7057fd96fbaa26b4dcec67427399c8859c85ed11d5fb7b64f6abca39581faa2f17ca32c5e57759a448266d4be6af39e730d5e596cc41701fd1bf
-
Filesize
6KB
MD57c1867586dfd01366878ae08415c612c
SHA14526353fbb9b8be77f3c0f46778a740f84882f83
SHA256521f29dd7236b22daba7ea9537ef6be31057a08eec9526805b4685d7970e1372
SHA512ef4ff7128de21fcdec5019322247ae958b46c2ff20b36d65f32fd6921e2f7c7bd018168fb3a7c0c728f071160057c790b3d5b691aad24cd5ebd975e7abc409ba
-
Filesize
2.5MB
MD5a5c4e57922031e587bf09fb90453d73e
SHA14bc3a265800ef4f7df8402292d8218553b2860b6
SHA2563720ffed8da2ba9d4cabbe64331f939f36e750e7dd3d5b9ff4d937325b35543b
SHA5120fd81c9ca1ea8587fa33f2da3f45896b9d22e9f8a014513316274674a4256a4f04654462ed4ed87021e999964c895734aa2814e5a37f23a2010c594ad113a491
-
Filesize
32KB
MD5bb88af07d7f92e77086eb2a090b508fd
SHA12fcf43147b61ed5c8e1d7d46398eb3749e649e78
SHA25677ce6f10d6034a1d7ab7768278cf8322b719729f612e6afe8cff72cb637cd6ec
SHA5127a41def72de640dbf057c41971b02213e75202a1863b41491e36644da17bcbfb16c41ae6c6af121b5b2f7fee4f0608f867a404f1bbbf8db5dc9444978868f7c3
-
Filesize
191KB
MD5ed3b00caa7c83ab730df4a14aeb5d6bf
SHA1453eeebd3cd4a0faf5e7eca63ea6cdb0ed96971a
SHA256456b4cf130884ff7283aa415425ff6e3f6c610211bc7504e41bba9346dacd827
SHA512fb64f0d53215cfcbd18f9de977e2f41323192b9329e67f7c26f53692970a2688f0a6a80f836c073945404e84364620f49790b22499bbf65c904341b90ccba954
-
Filesize
24KB
-
Filesize
7.7MB
-
Filesize
272KB
-
Filesize
224KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
104KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
40KB
-
Filesize
120KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
56KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
128KB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
8.2MB
-
Filesize
504KB
-
Filesize
40KB
-
Filesize
872KB
-
Filesize
5.6MB
-
Filesize
7.7MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB
-
Filesize
52KB