Analysis

Max time kernel: 125s
Max time network: 134s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 28-04-2024 05:33
Behavioral task: behavioral1
  Sample: tjFUD.exe
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: tjFUD.exe
  Resource: win10v2004-20240226-en
General

Target: tjFUD.exe
Size: 40KB
MD5: 9126c26063b71116148ea1f40db8c941
SHA1: 300cdd5589e1ce8642a328f5e80f4246e9d0b062
SHA256: 28a9ed9884a7f52e49a8026b03b757422a7e3d3a594e6cb7a13946191650b78a
SHA512: afff315fdd006cbf2589845700f2433b57c6062497b4f1b59d4096bafe3acee6fca81e4a15f05443dd03f39362eabd0c03312dec6e0dc56d22cb7f9f65071a8f
SSDEEP: 768:kKpxOlNtidwAmJRXFuO5tF5PT95lvOMh23Ep:k/MWAmJ1FuOLFx95ZOMoW
Malware Config

Extracted
  Family: xworm
  Version: 5.0
  C2 hosts (host:port):
    127.0.0.1:12547
    147.185.221.19:12547
    bay-currencies.gl.at.ply.gg:12547
    and-organized.gl.at.ply.gg:12547
  T8blWdnjot1TC8dy
  Install_directory: %AppData%
  install_file: runbroker.exe
Signatures

Detect Xworm Payload (1 IoC)
  Resource: behavioral1/memory/2212-0-0x0000000000310000-0x0000000000320000-memory.dmp
  YARA rule: family_xworm

Drops startup file (2 IoCs)
  Process: tjFUD.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: tjFUD.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe"

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Flow 4: ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (7 IoCs)
  Process: tjFUD.exe, PID 2212 (7 entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Process: tjFUD.exe, PID 2212
  Token: SeDebugPrivilege (2 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: tjFUD.exe, PID 2212
Downloads

memory/2212-0-0x0000000000310000-0x0000000000320000-memory.dmp (64KB)
memory/2212-1-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp (9.9MB)
memory/2212-2-0x000000001B370000-0x000000001B3F0000-memory.dmp (512KB)
memory/2212-7-0x000007FEF5A30000-0x000007FEF641C000-memory.dmp (9.9MB)
memory/2212-8-0x000000001B370000-0x000000001B3F0000-memory.dmp (512KB)