Analysis
max time kernel: 150s
max time network: 156s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28-04-2024 05:33
Behavioral task behavioral1: sample tjFUD.exe, resource win7-20240221-en
Behavioral task behavioral2: sample tjFUD.exe, resource win10v2004-20240226-en
General
Target: tjFUD.exe
Size: 40KB
MD5: 9126c26063b71116148ea1f40db8c941
SHA1: 300cdd5589e1ce8642a328f5e80f4246e9d0b062
SHA256: 28a9ed9884a7f52e49a8026b03b757422a7e3d3a594e6cb7a13946191650b78a
SHA512: afff315fdd006cbf2589845700f2433b57c6062497b4f1b59d4096bafe3acee6fca81e4a15f05443dd03f39362eabd0c03312dec6e0dc56d22cb7f9f65071a8f
SSDEEP: 768:kKpxOlNtidwAmJRXFuO5tF5PT95lvOMh23Ep:k/MWAmJ1FuOLFx95ZOMoW
Malware Config
Extracted family: xworm
Version: 5.0
C2 endpoints:
  127.0.0.1:12547
  147.185.221.19:12547
  bay-currencies.gl.at.ply.gg:12547
  and-organized.gl.at.ply.gg:12547
Unlabelled config value: T8blWdnjot1TC8dy
Install_directory: %AppData%
install_file: runbroker.exe
Signatures
Detect Xworm Payload (1 IoC)
  Processes (resource | yara_rule):
    behavioral2/memory/3012-0-0x0000000000FE0000-0x0000000000FF0000-memory.dmp | family_xworm
Drops startup file (2 IoCs)
  Processes (description | ioc | process):
    File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | tjFUD.exe
    File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk | tjFUD.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  Processes (description | ioc | process):
    Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" | tjFUD.exe
Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow | ioc):
    11 | ip-api.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
    3012 | tjFUD.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes (description | pid | process):
    Token: SeDebugPrivilege | 3012 | tjFUD.exe
    Token: SeDebugPrivilege | 3012 | tjFUD.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  Processes (pid | process):
    3012 | tjFUD.exe
Processes
C:\Users\Admin\AppData\Local\Temp\tjFUD.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\tjFUD.exe"
  PID: 3012
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4244 --field-trial-handle=2284,i,9807419199535700662,2319175108930815708,262144 --variations-seed-version /prefetch:8
  PID: 2776
Network
MITRE ATT&CK Enterprise v15
Downloads (memory dump | filesize)
memory/3012-0-0x0000000000FE0000-0x0000000000FF0000-memory.dmp | 64KB
memory/3012-1-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp | 10.8MB
memory/3012-2-0x000000001BC60000-0x000000001BC70000-memory.dmp | 64KB
memory/3012-7-0x00007FFE5FD40000-0x00007FFE60801000-memory.dmp | 10.8MB