Analysis
-
max time kernel
147s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240319-en -
resource tags
arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system -
submitted
28/03/2024, 16:02
Behavioral task
behavioral1
Sample
wtf.exe
Resource
win10v2004-20240319-en
General
-
Target
wtf.exe
-
Size
216KB
-
MD5
9924acedacbac2b37e1569d187cb84f3
-
SHA1
6d55973b341ffc579cc9fe9741a9a294aacfa7e4
-
SHA256
a1bbc7ce33e95d187c6d8ccd8fd27c0a01025e2d3c408bee8821daf83ab464ee
-
SHA512
9d46581ab32b632b1e0ef3758725628ac1854c457c886a978b0f62e7127ff88447dcac1e2d2c3de136501ad79721c914cebbecad620e3a36606d3d0386e8face
-
SSDEEP
3072:SNpAeiFe92dOMFFxIghku1ILePsjaUTs18T2oceo3ziwWBWLkkkKvhVm4ESk59o9:See9qpymOeLKsc2jeLwxkkk09ESk5
Malware Config
Extracted
xworm
5.0
does-moment.gl.at.ply.gg:6969
COWvjV730xSBTMoz
-
Install_directory
%Public%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral1/memory/2052-0-0x0000000000AB0000-0x0000000000AEC000-memory.dmp family_xworm -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation wtf.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk wtf.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk wtf.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Public\\Runtime Broker.exe" wtf.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4056 powershell.exe 4056 powershell.exe 4056 powershell.exe 4212 powershell.exe 4212 powershell.exe 4212 powershell.exe 1596 powershell.exe 1596 powershell.exe 1596 powershell.exe 2300 powershell.exe 2300 powershell.exe 2300 powershell.exe 2052 wtf.exe 2052 wtf.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
description pid Process Token: SeDebugPrivilege 2052 wtf.exe Token: SeDebugPrivilege 4056 powershell.exe Token: SeDebugPrivilege 4212 powershell.exe Token: SeDebugPrivilege 1596 powershell.exe Token: SeDebugPrivilege 2300 powershell.exe Token: SeDebugPrivilege 2052 wtf.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2052 wtf.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 2052 wrote to memory of 4056 2052 wtf.exe 98 PID 2052 wrote to memory of 4056 2052 wtf.exe 98 PID 2052 wrote to memory of 4212 2052 wtf.exe 103 PID 2052 wrote to memory of 4212 2052 wtf.exe 103 PID 2052 wrote to memory of 1596 2052 wtf.exe 107 PID 2052 wrote to memory of 1596 2052 wtf.exe 107 PID 2052 wrote to memory of 2300 2052 wtf.exe 110 PID 2052 wrote to memory of 2300 2052 wtf.exe 110
Processes
-
C:\Users\Admin\AppData\Local\Temp\wtf.exe"C:\Users\Admin\AppData\Local\Temp\wtf.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\wtf.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4056
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'wtf.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Public\Runtime Broker.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1596
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4372 --field-trial-handle=2244,i,11986678581565715302,451159359636456336,262144 --variations-seed-version /prefetch:81⤵PID:4404
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2KB
MD5d85ba6ff808d9e5444a4b369f5bc2730
SHA131aa9d96590fff6981b315e0b391b575e4c0804a
SHA25684739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA5128c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249
-
Filesize
944B
MD56c47b3f4e68eebd47e9332eebfd2dd4e
SHA167f0b143336d7db7b281ed3de5e877fa87261834
SHA2568c48b1f2338e5b24094821f41121d2221f1cb3200338f46df49f64d1c4bc3e0c
SHA5120acf302a9fc971ef9df65ed42c47ea17828e54dff685f4434f360556fd27cdc26a75069f00dcdc14ba174893c6fd7a2cfd8c6c07be3ce35dafee0a006914eaca
-
Filesize
944B
MD596e3b86880fedd5afc001d108732a3e5
SHA18fc17b39d744a9590a6d5897012da5e6757439a3
SHA256c3077e4cadb4ed246c02abe55aa6cf832fee4c2546b7addb7d22cd1c7c8c1294
SHA512909b1968f7204fa7029109b02232d8cc5438f6b4dc7c9044e4e47c59fcee538199b13029e36592b12ed573d48a308dd4822d2ced4129ab08d4111897e02be55d
-
Filesize
944B
MD50dcbfef1c28cd8081b1fe48bb10147f0
SHA126993d9a89a783dd5e121d1327665a2206fed5db
SHA256c04593a35db9a9cd977943cc84c600df1889b2bd74322ad09879449e8976e5fd
SHA512f1b18a99e40871957a0f50ac5c1d9bb55d99d4bbcb23a2ecdbfac6bc8edf25eb68de1f865f8c3777d3f216b73f6408184f6a8cec197d32778d63087cf9275dc3
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82