Analysis
-
max time kernel
727s -
max time network
748s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2024, 16:34
Behavioral task
behavioral1
Sample
wtf.exe
Resource
win10v2004-20240226-en
General
-
Target
wtf.exe
-
Size
216KB
-
MD5
9924acedacbac2b37e1569d187cb84f3
-
SHA1
6d55973b341ffc579cc9fe9741a9a294aacfa7e4
-
SHA256
a1bbc7ce33e95d187c6d8ccd8fd27c0a01025e2d3c408bee8821daf83ab464ee
-
SHA512
9d46581ab32b632b1e0ef3758725628ac1854c457c886a978b0f62e7127ff88447dcac1e2d2c3de136501ad79721c914cebbecad620e3a36606d3d0386e8face
-
SSDEEP
3072:SNpAeiFe92dOMFFxIghku1ILePsjaUTs18T2oceo3ziwWBWLkkkKvhVm4ESk59o9:See9qpymOeLKsc2jeLwxkkk09ESk5
Malware Config
Extracted
xworm
5.0
does-moment.gl.at.ply.gg:6969
COWvjV730xSBTMoz
-
Install_directory
%Public%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/1448-0-0x0000000000300000-0x000000000033C000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation wtf.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk wtf.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk wtf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" wtf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4048 powershell.exe 4048 powershell.exe 5040 powershell.exe 5040 powershell.exe 2040 powershell.exe 2040 powershell.exe 4336 powershell.exe 4336 powershell.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe 1448 wtf.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 1448 wtf.exe Token: SeDebugPrivilege 4048 powershell.exe Token: SeDebugPrivilege 5040 powershell.exe Token: SeDebugPrivilege 2040 powershell.exe Token: SeDebugPrivilege 4336 powershell.exe Token: SeDebugPrivilege 1448 wtf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1448 wtf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 1448 wrote to memory of 4048 1448 wtf.exe 88 PID 1448 wrote to memory of 4048 1448 wtf.exe 88 PID 1448 wrote to memory of 5040 1448 wtf.exe 93 PID 1448 wrote to memory of 5040 1448 wtf.exe 93 PID 1448 wrote to memory of 2040 1448 wtf.exe 95 PID 1448 wrote to memory of 2040 1448 wtf.exe 95 PID 1448 wrote to memory of 4336 1448 wtf.exe 97 PID 1448 wrote to memory of 4336 1448 wtf.exe 97
Processes
-
C:\Users\Admin\AppData\Local\Temp\wtf.exe"C:\Users\Admin\AppData\Local\Temp\wtf.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1448 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wtf.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4048
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wtf.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2040
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4336
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:4272
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD5cadef9abd087803c630df65264a6c81c
SHA1babbf3636c347c8727c35f3eef2ee643dbcc4bd2
SHA256cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438
SHA5127278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085
-
Filesize
944B
MD56b62626c9199f4688488fc54a3c44277
SHA12ad24e90c73e200c49eab2a74bf93b2c4e357686
SHA2562c4d975787bde30963988a0a87f0b02e10c695ea795896f640169491a52884b8
SHA512d8856a30fe27a90d4366850313fe1f8ff61733df37e0cc49d15e3b51336d1a786f25813f90e90e894fbe4fba6352a57523f7fd0a9724f4b075a511686777459a
-
Filesize
944B
MD5dd1d0b083fedf44b482a028fb70b96e8
SHA1dc9c027937c9f6d52268a1504cbae42a39c8d36a
SHA256cab7944d29e0501dc0db904ac460ca7a87700e0ec7eb62298b7b97cbf40c424c
SHA51296bec38bfda176292ae65dcf735103e7888baa212038737c1d1e215fcb76e4c0355e4a827a1934303e7aecae91012fa412f13e38f382b732758bae985cc67973
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82