Analysis

  • max time kernel
    43s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 05:31

General

  • Target

    shexwormonmymemztilliminoxide.exe

  • Size

    41KB

  • MD5

    14f963e28858c6c3f653048a83621c89

  • SHA1

    8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6

  • SHA256

    355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b

  • SHA512

    2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2

  • SSDEEP

    768:xTFHrDMcksBqaEAOrHA7tF5PM96maOwh23EihHJ:XwcGvAwAxFS96maOwwlx

Malware Config

Extracted

Family

xworm

Version

5.0

C2

127.0.0.1:38630

147.185.221.19:38630

bay-currencies.gl.at.ply.gg:38630

and-organized.gl.at.ply.gg:38630

community-excess.gl.at.ply.gg:38630

Mutex

TelZ6nrHgxVFZl6W

Attributes
  • Install_directory

    %AppData%

  • install_file

    runbroker.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Disables Task Manager via registry modification
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Delays execution with timeout.exe 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 48 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 26 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 11 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe
    "C:\Users\Admin\AppData\Local\Temp\shexwormonmymemztilliminoxide.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2420
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
      2⤵
      • Creates scheduled task(s)
      PID:4764
    • C:\Users\Admin\AppData\Local\Temp\fxexbg.exe
      "C:\Users\Admin\AppData\Local\Temp\fxexbg.exe"
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3356
        • C:\Windows\SysWOW64\reg.exe
          REG ADD hkcu\Software\Microsoft\Windows\CurrentVersion\policies\system /v DisableTaskMgr /t reg_dword /d 1 /f
          4⤵
          • Modifies registry key
          PID:4384
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker"
      2⤵
        PID:3408
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC5AC.tmp.bat""
        2⤵
          PID:3632
          • C:\Windows\system32\timeout.exe
            timeout 3
            3⤵
            • Delays execution with timeout.exe
            PID:1860
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ShowSave.xht
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2496 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:4908
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\ShowSave.xht
        1⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4236
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:4236 CREDAT:17410 /prefetch:2
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1056
      • C:\Users\Admin\AppData\Roaming\runbroker.exe
        C:\Users\Admin\AppData\Roaming\runbroker.exe
        1⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:1824
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2388 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
        1⤵
          PID:4468
        • C:\Windows\system32\AUDIODG.EXE
          C:\Windows\system32\AUDIODG.EXE 0x4d8 0x448
          1⤵
            PID:1632

          Network

          MITRE ATT&CK Matrix ATT&CK v13

          Execution

          Scheduled Task/Job

          1
          T1053

          Persistence

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Pre-OS Boot

          1
          T1542

          Bootkit

          1
          T1542.003

          Scheduled Task/Job

          1
          T1053

          Privilege Escalation

          Boot or Logon Autostart Execution

          1
          T1547

          Registry Run Keys / Startup Folder

          1
          T1547.001

          Scheduled Task/Job

          1
          T1053

          Defense Evasion

          Modify Registry

          3
          T1112

          Pre-OS Boot

          1
          T1542

          Bootkit

          1
          T1542.003

          Discovery

          Query Registry

          2
          T1012

          System Information Discovery

          2
          T1082

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            471B

            MD5

            69712a07778fef53e4d3c14da65ea7a8

            SHA1

            9b5212b7cf5becae8a630318aee5b234204d5f03

            SHA256

            b11a24a82917f7a8f5d2488264bc256f7298ec1429bcd5f929a351f013d6755e

            SHA512

            b9e27c34a0c24a88ea089bc20270b28c193be6a99c7911b045ac04fc3af0a48434e5d6458c89535e5e1d3319114fb58d3b7fd3f16486601586b1964cf8cb0e19

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            d86e079a99f94ca12415e52117033baa

            SHA1

            c748016ee95e038cffe37e3581a999b386aec25d

            SHA256

            142d90a40c264616bc29e4655a7970be579c30ac9d59ee64e877f4e3299dfdfb

            SHA512

            39ce1f98b9ae678a611b791f71e41e69d711f080b298c3b111380133e2b8cc7b486c721f39d1164619155a01419b08a457436628135b882ab3ab0df5725cfe1b

          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
            Filesize

            404B

            MD5

            5b63c667f753ccf36d77cacdd32270a9

            SHA1

            c16a83e14ac5d0dc95d33d8bd9c0f1a555aadbab

            SHA256

            d1a245a1e4d0a71fb663f7d3e837f425f64d9c73742659e42fe1d12a1e9eba0a

            SHA512

            ba4ee5c176e5fe77218bf24b71e16a82dc8509d2f26e1a207b2b609fdefb0c259d2dbf132c28cc3d974df36f1c405fbec86f1451e871554da93656fb82f351e1

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9AF7B55B-0520-11EF-B9F7-E27D0092C90A}.dat
            Filesize

            3KB

            MD5

            6c24f4ede8db8860c78ea709c5d77136

            SHA1

            b40d745de1ffacb9ad22e7636b6a0f801197a89a

            SHA256

            181b52c1df52e76dba29a79f07fbe6030d8adec6ba2d614a3572f57a4df2c263

            SHA512

            e89fef8ca1133d2570f23a63ca6c49906efbdd06725d3690ff4d22f66375576216486c6294b54583dbe439f4ff0bddf786b48af24d77c0dc59c720d6ac9fe8ea

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9B1451D1-0520-11EF-B9F7-E27D0092C90A}.dat
            Filesize

            5KB

            MD5

            567c862ae05aa4885acf527030cfbb7d

            SHA1

            6487170316c6eadf8049b7ca843410c9b0faf8aa

            SHA256

            26c8c3b62aa45a89134d000e9782524a7384b746d26acbbf31089317b6effbf6

            SHA512

            bc51e4eecafbc09031304768ee80ece40f1f24424d7225873360668c11098eae37203e8f4be062bbcc921a6ebfee3a8e02eb2fcdf885843492836af9e9078793

          • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\ver72D9.tmp
            Filesize

            15KB

            MD5

            1a545d0052b581fbb2ab4c52133846bc

            SHA1

            62f3266a9b9925cd6d98658b92adec673cbe3dd3

            SHA256

            557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

            SHA512

            bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

          • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\O8VM10HV\suggestions[1].en-US
            Filesize

            17KB

            MD5

            5a34cb996293fde2cb7a4ac89587393a

            SHA1

            3c96c993500690d1a77873cd62bc639b3a10653f

            SHA256

            c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

            SHA512

            e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

          • C:\Users\Admin\AppData\Local\Temp\fxexbg.exe
            Filesize

            120KB

            MD5

            5e8ce90547acca8bd050fccb885558a2

            SHA1

            a65ca5ddbcabeca7a5b9a243131bf8ce6798e15a

            SHA256

            2829a026d0c7f6ca2fcba66eeef48606c3307312898fefef8af269dcb2158155

            SHA512

            ac4aace898b8fa9037590edcce478c649aed9daf4d7fc2285f045aecf0f86d25a69903b1458b96964f6f7e9d4fb8f79ce923896b5ff84008f9f32bf86ff11d8f

          • C:\Users\Admin\AppData\Local\Temp\tmpC5AC.tmp.bat
            Filesize

            181B

            MD5

            243f51ec0f666f6bc1253f4965ce4de5

            SHA1

            4c91ff3f0a6e2c11c227d8bc923377a32b9dbf32

            SHA256

            8b1f68a044c1ae104227216b7339c6aabcd63dd4c1b54e8eab9ddcd72665722c

            SHA512

            6b4fcf3b7642b1cc0dafd24232eed96d7837fe5e07f29a45e6db5edc4249ec9c1db274ce5fb8057e49f5e1f9ef9041f3cb7e47cf676e9e0dc86790b5d5919cf7

          • C:\Users\Admin\AppData\Roaming\runbroker.exe
            Filesize

            41KB

            MD5

            14f963e28858c6c3f653048a83621c89

            SHA1

            8c3a1d7d823e19558d80f35b0ee7d88f868ab5c6

            SHA256

            355b67101ba439f05337234d028ecba6641db094c6251aee15369f767c12dc3b

            SHA512

            2b6cc20e3b24752120ed007d8f07ba44c38bb964ab76b9dcb9d4f745db82450653dd6b5608812ba1bc325dc9e649ae1fb3600e6ad61565e7046ea4ed199a4bb2

          • memory/1824-11-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
            Filesize

            10.8MB

          • memory/1824-14-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
            Filesize

            10.8MB

          • memory/2420-0-0x0000000000970000-0x0000000000980000-memory.dmp
            Filesize

            64KB

          • memory/2420-2-0x000000001B680000-0x000000001B690000-memory.dmp
            Filesize

            64KB

          • memory/2420-1-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
            Filesize

            10.8MB

          • memory/2420-57-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
            Filesize

            10.8MB

          • memory/2420-23-0x000000001B670000-0x000000001B67C000-memory.dmp
            Filesize

            48KB

          • memory/2420-12-0x00007FFEAC100000-0x00007FFEACBC1000-memory.dmp
            Filesize

            10.8MB