Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20250207-en -
resource tags
-
submitted
25/03/2025, 10:02
General
-
Target
Nw-Inst64.exe
-
Size
1.8MB
-
MD5
3386e2abdfb0d9549bfba2cce6ca7689
-
SHA1
ed6cb1b6d742f644ea2d1450c84a715d0b342d5c
-
SHA256
6a4c87064969595078355dae42918fc19c3b71f422d6b5af9cee50a2af2d7b88
-
SHA512
8f5af4ba0f985ef0b2ebb0a1518f07ad39feac4c355587fa4b1db093d8f763bff4484488a7692550fa458499af696dc2d09c54266a7a2ecfe1340de97eacf8de
-
SSDEEP
49152:TRWp/PzUuHrGdkuxEiRMmWqf2/wzfUMrf5yfdoP+krDDjJOeZs:TEJPzXHrGdkuWJmWZ4CfdoPhXJOk
Malware Config
Extracted
xworm
89.39.121.169:9000
-
Install_directory
%AppData%
-
install_file
RunShell.exe
Signatures
-
DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
-
Dcrat family
-
Detect Xworm Payload 2 IoCs
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 2 IoCs
-
Stormkitty family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Executes dropped EXE 5 IoCs
-
Loads dropped DLL 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Runs ping.exe 1 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
-
Suspicious use of WriteProcessMemory 48 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Nw-Inst64.exe"C:\Users\Admin\AppData\Local\Temp\Nw-Inst64.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\XClient.exe"C:\Users\Admin\AppData\Local\Temp\XClient.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\Build.exe"C:\Users\Admin\AppData\Local\Temp\Build.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2552 -s 10843⤵
- Loads dropped DLL
- Program crash
-
-
-
C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\WinnetCommonSvc\EF1rb20B7Zp52f5Q8odTU.vbe"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ""C:\WinnetCommonSvc\ckg6ORaGrHhdrhoaDEIfOHU33jMcFfgqQelkNCXcy5pLINkbo7vRcc.bat" "4⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\WinnetCommonSvc\fontWinnet.exe"C:\WinnetCommonSvc/fontWinnet.exe"5⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGyOG7QWwi.bat"6⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650017⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost7⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
C:\WinnetCommonSvc\fontWinnet.exe"C:\WinnetCommonSvc\fontWinnet.exe"7⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.exe"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"8⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650019⤵
-
-
C:\Windows\system32\PING.EXEping -n 10 localhost9⤵
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
894B
MD5cf7108d91aaa21ef7d1acd200a852791
SHA1de998bdb29bfa346e0ae0bc45901830a2e210f3b
SHA25689abb0191dd33854a4f596e23e071a4961515545eef531f5d275eb93c825d489
SHA5121f665500a331c6d7f8217a1769999fcefe05b6f8a90aaa25cb41d36fae4677b60e8f3ed5f6e8e44a12cc7388ba0d587b41d826b575368733ce3a9191bc92d14b
-
Filesize
97B
MD5d1aabe9d5d080bd31cf12b9815aa6066
SHA1dee0799fb7046a72126e104d96e71c41d6ea1b0f
SHA256bba5ca1271caebb5f2d7c68820702edb83eefc45c3d3b8419ceb1ca9ce69c1d6
SHA512544ec99e6c72ceecdc33cb5abbb1906f2dcef7d9b945bcc44088c1ba624d04674a771f15cbce8410c39fc783f57780a98c256b89c81ec74a854d8643078c53f0
-
Filesize
530B
MD53d4fae3aa13c067c2d155f16c91dfebc
SHA1bcceda94872d9e29a08461a6adfbfc83ad984827
SHA2564d08e0aeb314a1de977168f044b6f59a830c3366ad5df55f76413c4dd6a01a8e
SHA512c7fe931b333f5324049f106ac73fe0b7c17e1464db37344b4e50bf0303f102e510420d1c8dc7f6b206a8410cf270ed30dbd5cf1c3fb76459dd59315137f86543
-
Filesize
250KB
MD5b8f3934b55afbaa069717cd2e2eda6dd
SHA1b33071c576f2637bd679002f01ca68e4df5112ec
SHA2567cd58601d62de54c16bf279d2eb477a0e5b85f62cbe387268c1bec578db2a1e3
SHA5122bab25ed6f190e56a96986400e5004956d44e3c9fe6e95e0b6540e503ad232ed3c08c85aaf3926a7bab3041fdbe64e363785c07fce9c011fc09abf2c39fde0c1
-
Filesize
2.2MB
MD5730239632db99d16b9f2656950408bcc
SHA1ae877e836becf0b7727cf61c0277446c1c5ed381
SHA2566dbcdb70833bb9ac5656887e6eae082ade4d197bcf6516c70e10ab196a23d292
SHA512bd3b2973c54ee9754f19ef5eba73d9252de285c5d574611b01db0ea3f0c3c145686e319dc2a9f6b8aff94728eb1bfb8485a98152175cca5deed52b6318c16da5
-
Filesize
161B
MD538391754138d21656a9a2b09364fc944
SHA1207a81a8c3265872f18c8aeb509c34f4586b37e6
SHA2560af09acacc0c6105ad2f39aa65876ef403d5320f246a34590e7f1aa86492ad4f
SHA51270bee0c11972710a1b3238919e9491b70e3ede41522b52206386a6629e02ea2a8d7a32be0017639c491d9ed6dcd3c0f4d68210482730a04f555512066862a6aa
-
Filesize
215B
MD522f18908879a32c3e648fc1fe39a96b5
SHA14d54cd7e47e08a85ec8360eec3e2c2b2c5d27400
SHA25617820e7493cc11ccdbdb1930ff99f7ddb1712c306b7be31c0edd8cc5a76292a9
SHA51233353f3b18bd66a11ea977ef0412e2744d12fd1ec5bf8cbcd5b6ac2d4d7f88576912a5c18529c0d5358a321091c48f3b613ecbb0d9df98efdebcd36e23adb1e1
-
Filesize
64KB
MD531d745f5009eeda2da51b2d05d9711c5
SHA126c27b236bed8cb2046acddcc1c7d7b642b7c610
SHA25637330d19e9479d225bf3934cf1b7bb233adc6bf0c8c876f181b814759d7c0b0f
SHA5128319478d1ef266243e26592edbef9acbb07eb6de059043981e7f824424501691d41eef4736f6fe05e7ffc718ed0133489d22bd850c7a6773f7f50bf34207da4b
-
Filesize
261B
MD58c949c7d2dad3d666be24871c3cd2e86
SHA1e5bff45b38740a81b34063f947ea990416aeb34c
SHA2562c2fb24dcd1d7808b80af11a6420d65c749493f7ca99e0aed71fa21e6e79d413
SHA5122562ac108b09b86db207a604a46c861b9537d86afb074bd323c1146364993312ec32d514dca747b29ad0e751c3e87cebf9b2a6542ce0c6a12ee5790c89ad7ee4
-
Filesize
83B
MD5e3d05c748c224cdf88397b5053b3aa04
SHA1cfa935201d435272f06f31b3f6e54b012b0f00ee
SHA25681d20fe2c13c6997ad46c5d814a899947cae4ffa06e58ee62b67b893635b9377
SHA512d71133f141b7f627e8eae1ecd60d6573e3a0c4d1d14b22a83b5988afdc058c4342ce3ae5eab2949177b08b99ceafc2c7ee1f043dc0bfab3e663f6b188d580ec4
-
Filesize
247B
MD58fbc46f9794e1b89929cd710e53f0459
SHA115453a386f1c94b5ea4cd0ec41aa3c79c5dd2f54
SHA256aaa6ca00879bea0f370824f57a72071aea49ae438ad2abb3eb4c9faddbab3d86
SHA512b9fe28c4b771eae1f2261e4e17ec9e6d6055e17a5a2a5a32f8ecc7aaba9cf73f14e89ffafcc3455ed57cfa48fdde6d393630f585349f8ce4d2302543f323dc9b
-
Filesize
920B
MD52390960603661fe67f194b503f57a3c0
SHA16c4d90ffe7f1405edad83f9f944698d49cf143a1
SHA25646280c26021f6d18768827e400cf95ec2217bbfd6774a2a26f8ef0149f4d05fb
SHA5121c8a5d87bb07a85394d956f89b3ea4c5a596d4378e023c0aa44b51059c71cd66673aab1f097de8e27a1253d3b743f46c5895fc416fbe1a533d0c463369041f06
-
Filesize
89B
MD5f2c017fa853e79d1fc9f0ef254fbd9b7
SHA1911039790cbad8fd3d7ff7d5dd3ed0099adc4ed9
SHA2568848856354f6c99d5821c08136a03c75597f43dbfe1f8475998db4b19e833b13
SHA512ec1af3b307d7c7d30011ef7a9d0d1b7c53f15cdc7f028163fa40db3711e9d83271dc4a089160d9c9a6b4687ddd87b0cd6fd5bda2e375a080c8d0a6badc4885ca
-
Filesize
1.9MB
MD5a5696185d5f9c88887e304e46944a366
SHA1dd3daef6d70edcfbff6e58a123a25e212534941f
SHA2563672ce6a54d5f04368c85ca8d46b2f0d67b548d05703bb14cf3492dc21fff8da
SHA5129dadc5dfec936039b09aeed6c49a58cbe1162a9939283efa27d8660ea8aeeafc28d246ddf4270df93d89af15822d1f8b4aebc8d74ba040969753975013b3d579
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
88KB
-
Filesize
1.9MB
-
Filesize
272KB
-
Filesize
56KB
-
Filesize
96KB
-
Filesize
48KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
112KB
-
Filesize
1.9MB