Analysis
- max time kernel: 117s
- max time network: 149s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 28-04-2024 06:11
Behavioral task behavioral1
- Sample: nigga.exe
- Resource: win7-20240221-en
Behavioral task behavioral2
- Sample: nigga.exe
- Resource: win10v2004-20240419-en
General
- Target: nigga.exe
- Size: 41KB
- MD5: 2050f7f1b36613662a5b4bf5756589f4
- SHA1: 5203b9e7928342b7c40ab9865b9701effcd818c1
- SHA256: 9e776e42d46f0ea879002d936b62f7494e1d770c72238d739e9c2683d88745e0
- SHA512: 25ada35957fed8f825350fe711ad98de669ce551a449a9b3ee94c43bdf07f8895d82ca2e652ba72e9e6685e3eb035e4ba3622c55bd08aabb08cf02d91fd5cbbe
- SSDEEP: 768:9TFHrDMQVZYwCxsAuwKFjHKShtF5PG9+bOwhO3EuXA:DwQEdOAulzKSTFI9+bOwgFXA
Malware Config
Extracted: xworm 5.0
- 127.0.0.1:38630
- 147.185.221.19:38630
- bay-currencies.gl.at.ply.gg:38630
- and-organized.gl.at.ply.gg:38630
- community-excess.gl.at.ply.gg:38630
- YfT9WSgF2TVkrY89
- Install_directory: %AppData%
- install_file: runbroker.exe
Signatures
Detect Xworm Payload (4 IoCs)
Processes (resource / yara_rule):
- behavioral1/memory/2336-0-0x0000000000870000-0x0000000000880000-memory.dmp: family_xworm
- C:\Users\Admin\AppData\Roaming\runbroker.exe: family_xworm
- behavioral1/memory/2500-12-0x00000000000F0000-0x0000000000100000-memory.dmp: family_xworm
- behavioral1/memory/2992-15-0x00000000008A0000-0x00000000008B0000-memory.dmp: family_xworm
Drops startup file (2 IoCs)
Processes (description / ioc / process):
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk (nigga.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\runbroker.lnk (nigga.exe)
Executes dropped EXE (2 IoCs)
Processes (pid / process):
- 2500 runbroker.exe
- 2992 runbroker.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description / ioc / process):
- Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\runbroker = "C:\\Users\\Admin\\AppData\\Roaming\\runbroker.exe" (nigga.exe)
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow / ioc):
- 4 ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes (pid / process):
- 2336 nigga.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
Processes (description / pid / process):
- Token: SeDebugPrivilege, 2336 nigga.exe
- Token: SeDebugPrivilege, 2336 nigga.exe
- Token: SeDebugPrivilege, 2500 runbroker.exe
- Token: SeDebugPrivilege, 2992 runbroker.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid / process):
- 2336 nigga.exe
Suspicious use of WriteProcessMemory (9 IoCs)
Processes (description / pid / process / target process):
- PID 2336 wrote to memory of 2676: 2336 nigga.exe -> schtasks.exe
- PID 2336 wrote to memory of 2676: 2336 nigga.exe -> schtasks.exe
- PID 2336 wrote to memory of 2676: 2336 nigga.exe -> schtasks.exe
- PID 3028 wrote to memory of 2500: 3028 taskeng.exe -> runbroker.exe
- PID 3028 wrote to memory of 2500: 3028 taskeng.exe -> runbroker.exe
- PID 3028 wrote to memory of 2500: 3028 taskeng.exe -> runbroker.exe
- PID 3028 wrote to memory of 2992: 3028 taskeng.exe -> runbroker.exe
- PID 3028 wrote to memory of 2992: 3028 taskeng.exe -> runbroker.exe
- PID 3028 wrote to memory of 2992: 3028 taskeng.exe -> runbroker.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\nigga.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\nigga.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker" /tr "C:\Users\Admin\AppData\Roaming\runbroker.exe"
    - Creates scheduled task(s)
- (depth 1) C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {CBA6727B-360F-4AE9-B68F-7D5056C11081} S-1-5-21-1298544033-3225604241-2703760938-1000:IZKCKOTP\Admin:Interactive:[1]
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\runbroker.exe
    Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
  - (depth 2) C:\Users\Admin\AppData\Roaming\runbroker.exe
    Command line: C:\Users\Admin\AppData\Roaming\runbroker.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Roaming\runbroker.exe
  Filesize: 41KB
  MD5: 2050f7f1b36613662a5b4bf5756589f4
  SHA1: 5203b9e7928342b7c40ab9865b9701effcd818c1
  SHA256: 9e776e42d46f0ea879002d936b62f7494e1d770c72238d739e9c2683d88745e0
  SHA512: 25ada35957fed8f825350fe711ad98de669ce551a449a9b3ee94c43bdf07f8895d82ca2e652ba72e9e6685e3eb035e4ba3622c55bd08aabb08cf02d91fd5cbbe
- memory/2336-0-0x0000000000870000-0x0000000000880000-memory.dmp (Filesize: 64KB)
- memory/2336-1-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp (Filesize: 9.9MB)
- memory/2336-2-0x000000001A970000-0x000000001A9F0000-memory.dmp (Filesize: 512KB)
- memory/2336-7-0x000007FEF54C0000-0x000007FEF5EAC000-memory.dmp (Filesize: 9.9MB)
- memory/2336-8-0x000000001A970000-0x000000001A9F0000-memory.dmp (Filesize: 512KB)
- memory/2500-12-0x00000000000F0000-0x0000000000100000-memory.dmp (Filesize: 64KB)
- memory/2992-15-0x00000000008A0000-0x00000000008B0000-memory.dmp (Filesize: 64KB)