Analysis
- max time kernel: 111s
- max time network: 53s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-04-2024 05:26
Behavioral task: behavioral1
- Sample: shexwormonmymemztilliminoxide.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: shexwormonmymemztilliminoxide.exe
- Resource: win10v2004-20240419-en
General
- Target: shexwormonmymemztilliminoxide.exe
- Size: 41KB
- MD5: 14f963e28858c6c3f653048a83621c89
- SHA1: 8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
- SHA256: 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
- SHA512: 2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2
- SSDEEP: 768:xTFHrDMcksBqaEAOrHA7tF5PM96maOwh23EihHJ:XwcGvAwAxFS96maOwwlx
Malware Config
Extracted
- xworm
- 5.0
- 127.0.0.1:38630
- 147.185.221.19:38630
- bay-currencies.gl.at.ply.gg:38630
- and-organized.gl.at.ply.gg:38630
- community-excess.gl.at.ply.gg:38630
- TelZ6nrHgxVFZl6W
- Install_directory: %AppData%
- install_file: runbroker.exe
Signatures
- Detect Xworm Payload (2 IoCs)
  Processes:
  resource | yara_rule
  behavioral2/memory/1768-0-0x0000000000550000-0x0000000000560000-memory.dmp | family_xworm
  C:\Users\Admin\AppData\Roaming\runbroker.exe | family_xworm
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | shexwormonmymemztilliminoxide.exe
- Drops startup file (2 IoCs)
  Processes:
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | shexwormonmymemztilliminoxide.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | shexwormonmymemztilliminoxide.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  4044 | runbroker.exe
  4576 | runbroker.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" | shexwormonmymemztilliminoxide.exe
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
  flow | ioc
  3 | ip-api.com
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
- Suspicious behavior: EnumeratesProcesses (53 IoCs)
  Processes:
  pid | process
  1768 | shexwormonmymemztilliminoxide.exe (the same entry is repeated 53 times in the report)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes:
  description | pid | process
  Token: SeDebugPrivilege | 1768 | shexwormonmymemztilliminoxide.exe
  Token: SeDebugPrivilege | 1768 | shexwormonmymemztilliminoxide.exe
  Token: SeDebugPrivilege | 4044 | runbroker.exe
  Token: SeDebugPrivilege | 4576 | runbroker.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  1768 | shexwormonmymemztilliminoxide.exe
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes:
  description | pid | process | target process
  PID 1768 wrote to memory of 2848 | 1768 | shexwormonmymemztilliminoxide.exe | schtasks.exe
  PID 1768 wrote to memory of 2848 | 1768 | shexwormonmymemztilliminoxide.exe | schtasks.exe
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"
  - Checks computer location settings
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
    - Creates scheduled task(s)
- C:\Users\Admin\AppData\Roaming\runbroker.exe
  Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
- C:\Users\Admin\AppData\Roaming\runbroker.exe
  Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\runbroker.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
- C:\Users\Admin\AppData\Roaming\runbroker.exe
  Filesize: 41KB
  MD5: 14f963e28858c6c3f653048a83621c89
  SHA1: 8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
  SHA256: 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
  SHA512: 2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2
- memory/1768-0-0x0000000000550000-0x0000000000560000-memory.dmp
  Filesize: 64KB
- memory/1768-1-0x00007FFB38C00000-0x00007FFB396C1000-memory.dmp
  Filesize: 10.8MB
- memory/1768-2-0x0000000002730000-0x0000000002740000-memory.dmp
  Filesize: 64KB
- memory/1768-7-0x00007FFB38C00000-0x00007FFB396C1000-memory.dmp
  Filesize: 10.8MB
- memory/1768-8-0x0000000002730000-0x0000000002740000-memory.dmp
  Filesize: 64KB
- memory/4044-27-0x00007FFB38C00000-0x00007FFB396C1000-memory.dmp
  Filesize: 10.8MB
- memory/4044-29-0x00007FFB38C00000-0x00007FFB396C1000-memory.dmp
  Filesize: 10.8MB