Overview

overview

10

Static

static

10

RuntimeBroker.exe

windows7-x64

10

RuntimeBroker.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    17-02-2024 18:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RuntimeBroker.exe

  • Size

    77KB

  • MD5

    7f3d8bc2d995a6d0780aeb80c3172a82

  • SHA1

    781de6ee7e83ce7d159031f16e9677d7aff91516

  • SHA256

    4288137e125d257cce26bdabf57533f03f8aa7476ab6f3c33bc009d3a9f81df0

  • SHA512

    a6997ecde20919abc259b37bd8352b79908e0a0aab6a78cb8293d676e1249af66deeffd8d545227b17513f725a22f0503fa321403cf3c4f40811f8d58cce87cd

  • SSDEEP

    1536:N0A5d1cL+IvRpH4/NbbnjIvUG64OeTIOMbeeSTuX1kC47:NDq5pHyNb3MdTIOweeIK1kP7

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

K1NGonTop-39501.portmap.io:39501

<Xwormmm>:1
Attributes
  • Install_directory

    %Public%

  • install_file

    RuntimeBroker.exe

Signatures

  • Detect Xworm Payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Deletes itself 1 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2492
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2884
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2632
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1496
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Public\RuntimeBroker.exe"
      2⤵
      • Creates scheduled task(s)
      PID:2004
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "RuntimeBroker"
      2⤵
        PID:1988
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp.bat""
        2⤵
        • Deletes itself
        • Suspicious use of WriteProcessMemory
        PID:2116
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:1444
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {7112508F-F51A-4718-A43E-A922433BA18F} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]
      1⤵
      • Suspicious use of WriteProcessMemory
      PID:2328
      • C:\Users\Public\RuntimeBroker.exe
        C:\Users\Public\RuntimeBroker.exe
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1400

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3A90.tmp.bat
      Filesize

      165B

      MD5

      09b034ccbe9deedf00e59f0bc4cb5248

      SHA1

      f862c154fcf88d177d05002fb8d3c087a0c462b2

      SHA256

      073689add7cdb7b0e5e30be45572a0aa30c2947eef5d61144d4fe4f26999f155

      SHA512

      330bb897d2d2b99f2af57ed50327301c1ece70948911657237e4b9d1873c430e1db754b73ed9d8248ccf67402fb30f30fa6cfe0c1440b0d0a33523068b47a224

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      23b88027cae1ee8411c6da7c10a8b848

      SHA1

      47b0b73b92703c4bf255c0e96fc94dd66bb35b98

      SHA256

      02c8d44177ac3be7b28bf417e83671cedffd825d3bff4d0fbcd743ce68353fa1

      SHA512

      c65f12ef1f14b8a2f1060855f44bd0507f2653696ad9215631263a456b3392801b771dfe64a9a1eac179309f35ea2f4d5c61985351499a8d293558c0bdc304de

      Download Submit

    • C:\Users\Public\RuntimeBroker.exe
      Filesize

      77KB

      MD5

      7f3d8bc2d995a6d0780aeb80c3172a82

      SHA1

      781de6ee7e83ce7d159031f16e9677d7aff91516

      SHA256

      4288137e125d257cce26bdabf57533f03f8aa7476ab6f3c33bc009d3a9f81df0

      SHA512

      a6997ecde20919abc259b37bd8352b79908e0a0aab6a78cb8293d676e1249af66deeffd8d545227b17513f725a22f0503fa321403cf3c4f40811f8d58cce87cd

      Download Submit

    • memory/1400-65-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1400-64-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1400-63-0x0000000000340000-0x0000000000358000-memory.dmp

      Filesize

      96KB

      Download

    • memory/1496-55-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1496-54-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1496-53-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/1496-52-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1496-51-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1496-50-0x0000000002590000-0x0000000002610000-memory.dmp

      Filesize

      512KB

      Download

    • memory/1496-49-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2492-28-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2492-0-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

      Filesize

      96KB

      Download

    • memory/2492-76-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2492-1-0x000007FEF5350000-0x000007FEF5D3C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2492-2-0x000000001B280000-0x000000001B300000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2492-41-0x000000001B280000-0x000000001B300000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2572-30-0x000000000299B000-0x0000000002A02000-memory.dmp

      Filesize

      412KB

      Download

    • memory/2572-26-0x0000000002990000-0x0000000002A10000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2572-21-0x000000001B180000-0x000000001B462000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2572-27-0x0000000002990000-0x0000000002A10000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2572-24-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2572-23-0x0000000002660000-0x0000000002668000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2572-29-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2572-25-0x0000000002990000-0x0000000002A10000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2572-22-0x000007FEEDCA0000-0x000007FEEE63D000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2632-38-0x000007FEEE640000-0x000007FEEEFDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2632-42-0x0000000002A50000-0x0000000002AD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-43-0x000007FEEE640000-0x000007FEEEFDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2632-40-0x0000000002A50000-0x0000000002AD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-39-0x0000000002A50000-0x0000000002AD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-37-0x0000000002A50000-0x0000000002AD0000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2632-36-0x000007FEEE640000-0x000007FEEEFDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2884-15-0x000007FEEE640000-0x000007FEEEFDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2884-11-0x000007FEEE640000-0x000007FEEEFDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2884-10-0x000007FEEE640000-0x000007FEEEFDD000-memory.dmp

      Filesize

      9.6MB

      Download

    • memory/2884-9-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2884-8-0x000000001B270000-0x000000001B552000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2884-7-0x0000000002690000-0x0000000002710000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2884-13-0x0000000002690000-0x0000000002710000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2884-12-0x0000000002690000-0x0000000002710000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2884-14-0x0000000002690000-0x0000000002710000-memory.dmp

      Filesize

      512KB

      Download