Analysis

max time kernel: 117s
max time network: 117s
platform: windows7_x64
resource: win7-20240215-en
resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
submitted: 28-04-2024 05:31

Behavioral task: behavioral1
Sample: shexwormonmymemztilliminoxide.exe
Resource: win7-20240215-en
General

Target: shexwormonmymemztilliminoxide.exe
Size: 41KB
MD5: 14f963e28858c6c3f653048a83621c89
SHA1: 8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
SHA256: 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
SHA512: 2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2
SSDEEP: 768:xTFHrDMcksBqaEAOrHA7tF5PM96maOwh23EihHJ:XwcGvAwAxFS96maOwwlx
Malware Config

Extracted

Family: xworm
Version: 5.0
C2:
- 127.0.0.1:38630
- 147.185.221.19:38630
- bay-currencies.gl.at.ply.gg:38630
- and-organized.gl.at.ply.gg:38630
- community-excess.gl.at.ply.gg:38630
TelZ6nrHgxVFZl6W
Install_directory: %AppData%
install_file: runbroker.exe
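The C2 list above is what a responder would turn into network indicators. The following is an added example, not part of the sandbox report: it parses the report's host:port entries, drops the loopback entry (a builder leftover that never appears in egress telemetry), and matches flow records against the result. The flow records, their field names (dst_host, dst_ip, dport) and every address in them other than the report's own are constructed for the example. The *.ply.gg hostnames are playit.gg tunnel endpoints, so the example also raises a weaker verdict for any other ply.gg name on the same port; that rule is a generalisation beyond what the report shows, and the ip-api.com verdict is included only because the report records that lookup.

```python
"""Network IOCs from the extracted XWorm config, matched against flow records.

Added example, not part of the sandbox report. The config entries are the
report's; the flow records, their field names and the non-C2 addresses in
them are constructed for this example.
"""
import ipaddress

C2_ENTRIES = [
    "127.0.0.1:38630",
    "147.185.221.19:38630",
    "bay-currencies.gl.at.ply.gg:38630",
    "and-organized.gl.at.ply.gg:38630",
    "community-excess.gl.at.ply.gg:38630",
]


def parse_c2_entries(entries):
    """Split host:port entries into (host, port) IOCs, dropping loopback,
    private and unspecified addresses, which occur in builder configs
    but never show up as an egress destination."""
    iocs = set()
    for entry in entries:
        host, sep, port = entry.rpartition(":")
        if not sep:
            continue
        try:
            ip = ipaddress.ip_address(host)
        except ValueError:
            ip = None  # a hostname, keep as-is
        if ip is not None and (ip.is_loopback or ip.is_private or ip.is_unspecified):
            continue
        iocs.add((host.lower(), int(port)))
    return iocs


def classify(record, iocs):
    """Return a verdict string for one flow record, or None."""
    host = record.get("dst_host", "").lower()
    ip = record.get("dst_ip", "")
    port = record["dport"]
    # Exact match on either the resolved name or the destination IP, so a
    # flow without DNS context still matches the IP entry.
    if (host, port) in iocs or (ip, port) in iocs:
        return "c2_exact"
    # Generalisation beyond the report: the config's names are playit.gg
    # tunnels, so a different *.ply.gg name on a configured port is a
    # medium-confidence signal when the operator rotates tunnels.
    if host.endswith(".ply.gg") and port in {p for _, p in iocs}:
        return "ply_gg_tunnel_same_port"
    # The report records an external-IP lookup via ip-api.com. On its own
    # this is low value; it is worth noting when it coincides with the above.
    if host == "ip-api.com":
        return "external_ip_lookup"
    return None


def match_records(records, iocs):
    """List (index, verdict) for every record that triggers a verdict."""
    hits = []
    for i, rec in enumerate(records):
        verdict = classify(rec, iocs)
        if verdict:
            hits.append((i, verdict))
    return hits


# Constructed flow records; 203.0.113.7, 147.185.221.20, 93.184.216.34 and
# the name rotated-name.gl.at.ply.gg are placeholders, not observed values.
RECORDS = [
    {"dst_host": "bay-currencies.gl.at.ply.gg", "dst_ip": "147.185.221.19", "dport": 38630},
    {"dst_host": "ip-api.com", "dst_ip": "203.0.113.7", "dport": 80},
    {"dst_host": "rotated-name.gl.at.ply.gg", "dst_ip": "147.185.221.20", "dport": 38630},
    {"dst_host": "www.example.com", "dst_ip": "93.184.216.34", "dport": 443},
    {"dst_host": "", "dst_ip": "147.185.221.19", "dport": 38630},
]

if __name__ == "__main__":
    for idx, verdict in match_records(RECORDS, parse_c2_entries(C2_ENTRIES)):
        print(f"record {idx}: {verdict} -> {RECORDS[idx]}")
```

Matching on the IP as well as the name matters here because the sample carries a raw 147.185.221.19 entry alongside the tunnel names; a proxy or flow log that lacks the DNS answer still gets a hit.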
Signatures

Detect Xworm Payload (3 IoCs)
  resource: behavioral1/memory/2416-0-0x00000000000C0000-0x00000000000D0000-memory.dmp  yara_rule: family_xworm
  resource: C:\Users\Admin\AppData\Roaming\runbroker.exe  yara_rule: family_xworm
  resource: behavioral1/memory/1560-12-0x00000000011E0000-0x00000000011F0000-memory.dmp  yara_rule: family_xworm

Deletes itself (1 IoC)
  pid 1792  cmd.exe

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk  (shexwormonmymemztilliminoxide.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk  (shexwormonmymemztilliminoxide.exe)

Executes dropped EXE (1 IoC)
  pid 1560  runbroker.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe"  (shexwormonmymemztilliminoxide.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 4: ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Delays execution with timeout.exe (1 IoC)
  pid 2680  timeout.exe

Suspicious behavior: EnumeratesProcesses (1 IoC)
  pid 2416  shexwormonmymemztilliminoxide.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeDebugPrivilege  pid 2416  shexwormonmymemztilliminoxide.exe
  Token: SeDebugPrivilege  pid 2416  shexwormonmymemztilliminoxide.exe
  Token: SeDebugPrivilege  pid 1560  runbroker.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 2416  shexwormonmymemztilliminoxide.exe

Suspicious use of WriteProcessMemory (15 IoCs, each parent/child pair recorded three times)
  PID 2416 wrote to memory of 2672  shexwormonmymemztilliminoxide.exe -> schtasks.exe  (x3)
  PID 2472 wrote to memory of 1560  taskeng.exe -> runbroker.exe  (x3)
  PID 2416 wrote to memory of 2520  shexwormonmymemztilliminoxide.exe -> schtasks.exe  (x3)
  PID 2416 wrote to memory of 1792  shexwormonmymemztilliminoxide.exe -> cmd.exe  (x3)
  PID 1792 wrote to memory of 2680  cmd.exe -> timeout.exe  (x3)

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe  (PID 2416)
  command line: "C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\schtasks.exe  (PID 2672)
    command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
    - Creates scheduled task(s)

  C:\Windows\System32\schtasks.exe  (PID 2520)
    command line: "C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker"

  C:\Windows\system32\cmd.exe  (PID 1792)
    command line: cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp.bat""
    - Deletes itself
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\timeout.exe  (PID 2680)
      command line: timeout 3
      - Delays execution with timeout.exe

C:\Windows\system32\taskeng.exe  (PID 2472)
  command line: taskeng.exe {0A7B15BB-95D2-4E2F-B540-45AC3B12ECEF} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\runbroker.exe  (PID 1560)
    command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
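The tree above shows the launch sequence in order: the dropper registers a one-minute scheduled task pointing at the %AppData% copy, the Task Scheduler host (taskeng.exe on Windows 7) starts runbroker.exe, the dropper then deletes the task and runs a %Temp% batch file that waits with timeout before removing the original. The scheduled task is therefore only a launch mechanism; the Run key and the Startup folder .lnk listed under Signatures are what survive. The following is an added example, not part of the sandbox report: detection logic that runs over process-creation events and flags the three links of that chain, correlating the task's /tr target with the process later started under taskeng.exe. The events are constructed from the PIDs and command lines in the tree; the field names (pid, ppid, image, cmdline) and the parent PIDs of the two root processes are assumptions, and because the report does not include the contents of tmp15B2.tmp.bat the self-delete rule keys on the cmd.exe/timeout.exe shape rather than on a del command.

```python
"""Detection logic for the XWorm launch-and-cleanup chain.

Added example, not part of the sandbox report. Events are constructed from
the report's process tree; field names and the parent PIDs of the two root
processes (1000, 1001) are placeholders, not any particular EDR's schema.
"""
import re

EVENTS = [
    {"pid": 2416, "ppid": 1000,
     "image": r"C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"'},
    {"pid": 2672, "ppid": 2416, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 '
                r'/tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"'},
    {"pid": 2472, "ppid": 1001, "image": r"C:\Windows\system32\taskeng.exe",
     "cmdline": r"taskeng.exe {0A7B15BB-95D2-4E2F-B540-45AC3B12ECEF} "
                r"S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]"},
    {"pid": 1560, "ppid": 2472, "image": r"C:\Users\Admin\AppData\Roaming\runbroker.exe",
     "cmdline": r"C:\Users\Admin\AppData\Roaming\runbroker.exe"},
    {"pid": 2520, "ppid": 2416, "image": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker"'},
    {"pid": 1792, "ppid": 2416, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp.bat""'},
    {"pid": 2680, "ppid": 1792, "image": r"C:\Windows\system32\timeout.exe",
     "cmdline": "timeout 3"},
]

# A task action under a user's AppData tree is writable without elevation.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
# A batch file dropped in %Temp%, as used for the self-delete step.
TEMP_BAT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.bat', re.IGNORECASE)


def _image_is(ev, name):
    return ev["image"].lower().endswith("\\" + name)


def schtasks_target(cmdline):
    """Return the /tr program of a schtasks /create command line, else None."""
    if not re.search(r"/create\b", cmdline, re.IGNORECASE):
        return None
    m = re.search(r'/tr\s+(?:"([^"]+)"|(\S+))', cmdline, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def is_minute_task_into_user_dir(ev):
    """schtasks /create with a MINUTE schedule whose action lives under a
    user-writable AppData path: the shape used to start the dropped copy."""
    if not _image_is(ev, "schtasks.exe"):
        return False
    if not re.search(r"/sc\s+minute\b", ev["cmdline"], re.IGNORECASE):
        return False
    target = schtasks_target(ev["cmdline"])
    return bool(target and USER_WRITABLE.search(target))


def detect(events):
    """Return (rule, pid) hits for the three links of the chain."""
    by_pid = {e["pid"]: e for e in events}
    children = {}
    for e in events:
        children.setdefault(e["ppid"], []).append(e)

    hits, task_targets = [], {}
    for e in events:
        if is_minute_task_into_user_dir(e):
            hits.append(("schtasks_minute_task_to_user_dir", e["pid"]))
            task_targets[schtasks_target(e["cmdline"]).lower()] = e["pid"]

    for e in events:
        parent = by_pid.get(e["ppid"])
        # The copy is started by the Task Scheduler host, so correlate its
        # image with a /tr value seen in a flagged schtasks command.
        if parent and _image_is(parent, "taskeng.exe") and e["image"].lower() in task_targets:
            hits.append(("task_scheduler_ran_task_target", e["pid"]))
        # cmd.exe running a %Temp% batch file that spawns timeout.exe: the
        # self-delete stub. The batch contents are not needed for the match.
        if _image_is(e, "cmd.exe") and TEMP_BAT.search(e["cmdline"]):
            if any(_image_is(k, "timeout.exe") for k in children.get(e["pid"], [])):
                hits.append(("temp_bat_with_timeout_child", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule}: pid {pid}")
```

The schtasks /delete event and the taskeng.exe root are deliberately not hits on their own: task deletion and Task Scheduler activity are routine, and the signal comes from tying the later runbroker.exe launch back to the /tr value of the minute-interval task.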
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp15B2.tmp.bat
  Filesize: 181B
  MD5: 1f2675368a54bb9f91bf785ad6dad238
  SHA1: 074095a050a84a41da0504fe1f1753f29bf47302
  SHA256: 722ed289680bf26bbe110a20bce078a41b5da3cf7dedaccba7e8d2d68afb1140
  SHA512: db7ab9714f5cce7818dd96eeb83ffd4043bf463195feed983203b8d6e915447bb1061a45a93da9680894952ad5ce516571432cfec140381cb35f9cc645fed26a

C:\Users\Admin\AppData\Roaming\runbroker.exe
  Filesize: 41KB
  MD5: 14f963e28858c6c3f653048a83621c89
  SHA1: 8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6
  SHA256: 355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b
  SHA512: 2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2
  (hashes identical to the submitted sample: the dropped file is a byte-for-byte copy)

Memory dumps
  memory/1560-12-0x00000000011E0000-0x00000000011F0000-memory.dmp  Filesize: 64KB
  memory/2416-0-0x00000000000C0000-0x00000000000D0000-memory.dmp  Filesize: 64KB
  memory/2416-1-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp  Filesize: 9.9MB
  memory/2416-2-0x000000001B1D0000-0x000000001B250000-memory.dmp  Filesize: 512KB
  memory/2416-7-0x0000000002140000-0x000000000214C000-memory.dmp  Filesize: 48KB
  memory/2416-8-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp  Filesize: 9.9MB
  memory/2416-13-0x000000001B1D0000-0x000000001B250000-memory.dmp  Filesize: 512KB
  memory/2416-25-0x000007FEF5CE0000-0x000007FEF66CC000-memory.dmp  Filesize: 9.9MB