Overview

overview

10

Static

static

10

nerest.exe

windows7-x64

10

nerest.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    297s
  • max time network
    297s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    08/03/2025, 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nerest.exe

  • Size

    61KB

  • MD5

    e2f4633e3effce36ddcbd83ea3ff7834

  • SHA1

    ee5390249a715c415a2b91450e1ff3059dcc5f0c

  • SHA256

    be5bc874511f4713385e40e7b8e1f8d57ee58ba6a25d959fa83739eaf3137d41

  • SHA512

    18afe4ad52dedd1600be8e1ce432cc80e79f6a7a472204a794986b22b12fc9831a360e73036e7a15277929d8fec0a5340dcda555a11be65223ec4965fdfa07de

  • SSDEEP

    1536:LHlznYyP4mGgRLHxDkbmakqJtF6qcDROdE8OQ8JZ:zlzvPFGgpVkbmClc1OdrOQ8JZ

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

info-power.gl.at.ply.gg:23360

Attributes
  • Install_directory

    %AppData%

  • install_file

    chrome.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\nerest.exe
    "C:\Users\Admin\AppData\Local\Temp\nerest.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2112
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\nerest.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2820
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'nerest.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2824
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'chrome.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2068

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    e1e8fd6e6e2d6cc60a966527e2c59891

    SHA1

    d1130463c0c285a309d1e43ec56c83f9b77dc939

    SHA256

    85a28912710e8dba2ab6a73b6da80b599faa8d64c3b23b254b4bdcb0a601a62b

    SHA512

    6a190bda416141e812617efa1fa72fbac5681d8ef3f7baf9745e197ae52d1b36c517a48b08120b0b12f4e192859a0ef75d130685525735cab926f9e7406524fc

    Download Submit

  • memory/2112-0-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-1-0x00000000000D0000-0x00000000000E6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2112-32-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2112-33-0x000007FEF5593000-0x000007FEF5594000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2112-34-0x000000001B1B0000-0x000000001B230000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2820-6-0x00000000029E0000-0x0000000002A60000-memory.dmp

    Filesize

    512KB

    Download

  • memory/2820-7-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2820-8-0x0000000002240000-0x0000000002248000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2824-14-0x000000001B750000-0x000000001BA32000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2824-15-0x0000000001F70000-0x0000000001F78000-memory.dmp

    Filesize

    32KB

    Download