Analysis

max time kernel: 120s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 05:26
Behavioral task: behavioral1
Sample: shexwormonmymemztilliminoxide.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: shexwormonmymemztilliminoxide.exe
Resource: win10v2004-20240419-en
General

Target: shexwormonmymemztilliminoxide.exe
Size: 41KB
MD5: 14f963e28858c6c3f653048a83621c89
SHA1: 8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
SHA256: 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
SHA512: 2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2
SSDEEP: 768:xTFHrDMcksBqaEAOrHA7tF5PM96maOwh23EihHJ:XwcGvAwAxFS96maOwwlx
Malware Config

Extracted

Family: xworm
Version: 5.0
127.0.0.1:38630
147.185.221.19:38630
bay-currencies.gl.at.ply.gg:38630
and-organized.gl.at.ply.gg:38630
community-excess.gl.at.ply.gg:38630
TelZ6nrHgxVFZl6W
Install_directory: %AppData%
install_file: runbroker.exe
Signatures

Detect Xworm Payload (3 IoCs)
Processes:
resource | yara_rule
behavioral1/memory/2868-0-0x0000000000E70000-0x0000000000E80000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\runbroker.exe | family_xworm
behavioral1/memory/580-12-0x00000000012B0000-0x00000000012C0000-memory.dmp | family_xworm

Deletes itself (1 IoCs)
Processes:
pid | process
2060 | cmd.exe

Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | shexwormonmymemztilliminoxide.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | shexwormonmymemztilliminoxide.exe

Executes dropped EXE (1 IoCs)
Processes:
pid | process
580 | runbroker.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" | shexwormonmymemztilliminoxide.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoCs)
Processes:
pid | process
2092 | timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes:
pid | process
2868 | shexwormonmymemztilliminoxide.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2868 | shexwormonmymemztilliminoxide.exe
Token: SeDebugPrivilege | 2868 | shexwormonmymemztilliminoxide.exe
Token: SeDebugPrivilege | 580 | runbroker.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid | process
2868 | shexwormonmymemztilliminoxide.exe

Suspicious use of WriteProcessMemory (15 IoCs)
Processes:
description | pid | process | target process
PID 2868 wrote to memory of 2588 | 2868 | shexwormonmymemztilliminoxide.exe | schtasks.exe
PID 2868 wrote to memory of 2588 | 2868 | shexwormonmymemztilliminoxide.exe | schtasks.exe
PID 2868 wrote to memory of 2588 | 2868 | shexwormonmymemztilliminoxide.exe | schtasks.exe
PID 1360 wrote to memory of 580 | 1360 | taskeng.exe | runbroker.exe
PID 1360 wrote to memory of 580 | 1360 | taskeng.exe | runbroker.exe
PID 1360 wrote to memory of 580 | 1360 | taskeng.exe | runbroker.exe
PID 2868 wrote to memory of 3000 | 2868 | shexwormonmymemztilliminoxide.exe | schtasks.exe
PID 2868 wrote to memory of 3000 | 2868 | shexwormonmymemztilliminoxide.exe | schtasks.exe
PID 2868 wrote to memory of 3000 | 2868 | shexwormonmymemztilliminoxide.exe | schtasks.exe
PID 2868 wrote to memory of 2060 | 2868 | shexwormonmymemztilliminoxide.exe | cmd.exe
PID 2868 wrote to memory of 2060 | 2868 | shexwormonmymemztilliminoxide.exe | cmd.exe
PID 2868 wrote to memory of 2060 | 2868 | shexwormonmymemztilliminoxide.exe | cmd.exe
PID 2060 wrote to memory of 2092 | 2060 | cmd.exe | timeout.exe
PID 2060 wrote to memory of 2092 | 2060 | cmd.exe | timeout.exe
PID 2060 wrote to memory of 2092 | 2060 | cmd.exe | timeout.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
    - Creates scheduled task(s)
  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker"
  C:\Windows\system32\cmd.exe
    Command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4C2.tmp.bat""
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\timeout.exe
      Command line: timeout 3
      - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {CB2D2D7B-49E0-4E45-903A-CB0825FE555F} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\runbroker.exe
    Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4C2.tmp.bat
Filesize: 180B
MD5: 385193735e70954cd7c0dd3b42ae0d72
SHA1: 70e49541268943f0c61eb029b86ccb4178704715
SHA256: 9b5c18fe5fa476e45ce84b1cdccddc5ec4128cb47aeea410da9dd6dbd73ddbdc
SHA512: 4f178982128e83484a8c75e39a24578705b43ae8bf1a275419c0d4ff1dfe30c11581c7b989f0d9293d645a512062d7a254607473fc9fcdb5a238ceba045d1170

C:\Users\Admin\AppData\Roaming\runbroker.exe
Filesize: 41KB
MD5: 14f963e28858c6c3f653048a83621c89
SHA1: 8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
SHA256: 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
SHA512: 2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2

memory/580-12-0x00000000012B0000-0x00000000012C0000-memory.dmp
Filesize: 64KB

memory/2868-0-0x0000000000E70000-0x0000000000E80000-memory.dmp
Filesize: 64KB

memory/2868-1-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
Filesize: 9.9MB

memory/2868-2-0x000000001B5C0000-0x000000001B640000-memory.dmp
Filesize: 512KB

memory/2868-7-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
Filesize: 9.9MB

memory/2868-8-0x000000001B5C0000-0x000000001B640000-memory.dmp
Filesize: 512KB

memory/2868-14-0x00000000023B0000-0x00000000023BC000-memory.dmp
Filesize: 48KB

memory/2868-24-0x000007FEF5A70000-0x000007FEF645C000-memory.dmp
Filesize: 9.9MB