Analysis

max time kernel: 144s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 02:52
Behavioral task: behavioral1
Sample: nigger.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: nigger.exe
Resource: win10v2004-20240419-en
General

Target: nigger.exe
Size: 41KB
MD5: 7820f5d5245b72be9f24ed477f87287b
SHA1: 84ce2f3d43accdfb55916e7ec6faf3cab9ed2497
SHA256: 1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0
SHA512: 68d4561683a44f6b814d4e98e74b6c123323b98fb32f234b928146389d7c7c8af4987dd43d5dcb044edf293558e3c850dcf8e5c1e6a9e66a9e8741cf61cb7b2b
SSDEEP: 768:cTFHrDMQVZYwCxJAuwKFjHKShtF5PG9+zqOwhj3EuX3:6wQEdrAulzKSTFI9+zqOwNFX3
Malware Config

Extracted

Family: xworm
Version: 5.0
C2:
  127.0.0.1:38630
  147.185.221.19:38630
  bay-currencies.gl.at.ply.gg:38630
  and-organized.gl.at.ply.gg:38630
  community-excess.gl.at.ply.gg:38630
uhdZU70lXCRBT2pC
Install_directory: %AppData%
install_file: runbroker.exe
Signatures

Detect Xworm Payload (4 IoCs)
resource | yara_rule
behavioral1/memory/2952-0-0x0000000001130000-0x0000000001140000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\runbroker.exe | family_xworm
behavioral1/memory/2172-10-0x0000000001010000-0x0000000001020000-memory.dmp | family_xworm
behavioral1/memory/2652-15-0x0000000001190000-0x00000000011A0000-memory.dmp | family_xworm

Drops startup file (2 IoCs)
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | nigger.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | nigger.exe

Executes dropped EXE (3 IoCs)
pid | process
2172 | runbroker.exe
2652 | runbroker.exe
320 | runbroker.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" | nigger.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (1 IoCs)
pid | process
2952 | nigger.exe

Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | process
Token: SeDebugPrivilege | 2952 | nigger.exe
Token: SeDebugPrivilege | 2952 | nigger.exe
Token: SeDebugPrivilege | 2172 | runbroker.exe
Token: SeDebugPrivilege | 2652 | runbroker.exe
Token: SeDebugPrivilege | 320 | runbroker.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | process
2952 | nigger.exe

Suspicious use of WriteProcessMemory (12 IoCs)
description | pid | process | target process
PID 2952 wrote to memory of 1196 | 2952 | nigger.exe | schtasks.exe
PID 2952 wrote to memory of 1196 | 2952 | nigger.exe | schtasks.exe
PID 2952 wrote to memory of 1196 | 2952 | nigger.exe | schtasks.exe
PID 2000 wrote to memory of 2172 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 2172 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 2172 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 2652 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 2652 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 2652 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 320 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 320 | 2000 | taskeng.exe | runbroker.exe
PID 2000 wrote to memory of 320 | 2000 | taskeng.exe | runbroker.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\nigger.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
    - Drops startup file
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\System32\schtasks.exe
        Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
        - Creates scheduled task(s)

[1] C:\Windows\system32\taskeng.exe
    Command line: taskeng.exe {5F1769E0-BCAB-40D1-B103-2BF5600F8516} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\runbroker.exe
        Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\runbroker.exe
        Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    [2] C:\Users\Admin\AppData\Roaming\runbroker.exe
        Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Roaming\runbroker.exe
Filesize: 41KB
MD5: 7820f5d5245b72be9f24ed477f87287b
SHA1: 84ce2f3d43accdfb55916e7ec6faf3cab9ed2497
SHA256: 1ff8fa09d7cd8aaa2a6f4f32965f25b2fcb0bd4993729ade01a16164389810c0
SHA512: 68d4561683a44f6b814d4e98e74b6c123323b98fb32f234b928146389d7c7c8af4987dd43d5dcb044edf293558e3c850dcf8e5c1e6a9e66a9e8741cf61cb7b2b

memory/2172-10-0x0000000001010000-0x0000000001020000-memory.dmp
Filesize: 64KB

memory/2652-15-0x0000000001190000-0x00000000011A0000-memory.dmp
Filesize: 64KB

memory/2952-0-0x0000000001130000-0x0000000001140000-memory.dmp
Filesize: 64KB

memory/2952-1-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
Filesize: 9.9MB

memory/2952-2-0x000000001B0F0000-0x000000001B170000-memory.dmp
Filesize: 512KB

memory/2952-11-0x000007FEF58E0000-0x000007FEF62CC000-memory.dmp
Filesize: 9.9MB

memory/2952-12-0x000000001B0F0000-0x000000001B170000-memory.dmp
Filesize: 512KB