Analysis
-
max time kernel
140s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
02/05/2024, 23:31
General
-
Target
nigger.exe
-
Size
58KB
-
MD5
abb96dc265c42a9e9357b69cd911ffce
-
SHA1
96a3619977f5b58a1cede6b960adca942e82d4e6
-
SHA256
53fa4aaf3bd78521f9d402d0c793078353e6ff8f9d0ff7efcd8c686c79c69560
-
SHA512
c56af566bb3ddf2731daa2a74936f0500b32ee36bd8184ee7c17924c9ed730b64bd4552a91fc55b870754e49196a30e6d414ba77bee960b18d4c9136e51087fb
-
SSDEEP
1536:Bvf7dvzwTr1JVEUrq1xLAhhaL5b7JkbutjkfZNJN99Opv8gJaed:Bvf8CUrqMhILjkbu4Nn99OpEgTd
Malware Config
Extracted
xworm
dc-coleman.gl.at.ply.gg:42550
-
Install_directory
%AppData%
-
install_file
runbroker300.exe
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 19 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\nigger.exe"C:\Users\Admin\AppData\Local\Temp\nigger.exe"1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker300" /tr "C:\Users\Admin\AppData\Roaming\runbroker300.exe"2⤵
- Creates scheduled task(s)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://google.com/2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1536 CREDAT:275457 /prefetch:23⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {128F6D4B-68F8-447D-BA0B-AD4E162712A6} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\runbroker300.exeC:\Users\Admin\AppData\Roaming\runbroker300.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\runbroker300.exeC:\Users\Admin\AppData\Roaming\runbroker300.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\runbroker300.exeC:\Users\Admin\AppData\Roaming\runbroker300.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
914B
MD5e4a68ac854ac5242460afd72481b2a44
SHA1df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA5125622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5
-
Filesize
68KB
MD529f65ba8e88c063813cc50a4ea544e93
SHA105a7040d5c127e68c25d81cc51271ffb8bef3568
SHA2561ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa
-
Filesize
1KB
MD5a266bb7dcc38a562631361bbf61dd11b
SHA13b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA5120da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc
-
Filesize
252B
MD58cc300dcaebeee9d279626cf1ddb7c4f
SHA1b536a0138b003991d7d33dc2359fc10d75248c4f
SHA2567a1f14f003b1bbd221218c558f3fe41c76fb121cf23646ef7aa980ccf45442bf
SHA512e48d9c1dbb881850d9ac84416c2d16cd4f9cfe4e83355a3ecfcb333c73ca2d8491b3e1b33bc83bebb123dcca1e95608fbe2a8022f2ddfad582f6b0532fee37bd
-
Filesize
344B
MD5f0412aa2dcdf821ba140b424a87905fe
SHA1f53d800a9d09fd97e398df240a9e120029f54bbc
SHA256a63253d4908a9b09ccd782f23ab179fb7d77850d65509debc754d6ac0aebdea7
SHA5124a7f3dab1e97f1111799ba5ad121ee8509e64fa1b2c4b74bc8a292a967aff1e6dc6acd7273037ab66a70aaf9121a29ab5e11522e6abd03e0e06c7df7f0717b6d
-
Filesize
344B
MD5766a602b7c6425c8a1610e5e1dcbc498
SHA18bda6b049b64df95969c656f0da95c7d89ea0492
SHA25642d9a2ac37f6bdb471d9318355f5ba4c486666e2f2d605a95e48f574a8d15d52
SHA5129d217d210ae5d80d0d2d2ec37aed0479bd36827d4fea655853598201c0d93e035966907909675af7a85762d93d8eae34c9cb5a0cb0844abd4c32aaaf6ca7fd5a
-
Filesize
344B
MD5c2226c2c949666891940ebced2135754
SHA1bcfd6f073e02c4d8c5d218105a27d0cd0eadee44
SHA256c2fc8e012565ceaed1f9827bd7f1eb03eea04642456142d45d3c65461c3abfad
SHA512c163057aa629b212d9eb62c742254759bc43721006ca34620f3c5770efafdebee7b80237d7c3befb7a28b3c1c42513102ff8169a02242b84f51eb2d3efde8414
-
Filesize
344B
MD526b7600d864155e361ed5c1d3773dc39
SHA15d93f350eff20d6a9cea56a909f9894a14c62597
SHA25613b9136328f9892bcf2ddc30b89389e3bf01807fdd56f82071b602d072048add
SHA512dd2188012331617509eed7668aa316a5dd39e8076dcc3073bd50f9505b7da89d9711b322e1f139666ee93b3a596e1bd31824d2990e484df9d6406277ce5bf02f
-
Filesize
344B
MD53a04a7237c60fc859960bd98bf0f1ce2
SHA1552ef1ec74fe9c0a62dad47ae80cffbac702443d
SHA2568ce192e222df9dc658a143447a6bfeeded3b71d10a1ca957ab5fd45e81f42dec
SHA512c9bba8bcddb9ee8ebe6cfc0fb9fbb98d78c4aa5c31df378d7e57af1e4c97118ff466d1b5ea031f954681d372a91083ad0716b8d4b16026f806d4856a80d9b11b
-
Filesize
344B
MD5ee9c3b1bd505a59879e277728c4d30d1
SHA1d8ae812f2c46515249bc9b88fea763c4741d2ffb
SHA256c4ae39e05851aafdca084920be4ce349a9d991d8c3a8ab3dd7d29adaadf36201
SHA51218b57af44f2deec64c2d03a97f4390587a801b3c6ec323a24001efa1af72f402d0cbf35ceeac8ec0373464a5005fd4a9bb643542f136d29980301a329e5ea5b1
-
Filesize
344B
MD55302f3a61b299b8b0a03967e65aa466c
SHA1cf8cf5a0b8c32c720b4d42eb2986802addf07c97
SHA2563326672ea7889488c699dd94cb4b0437a855da139f028da4d3b9fed404ef1b07
SHA5127090f4df0ba02ed682b0df266790d4da0912403f062cbf5e006e1e4fbc2308442036b07326cd612aafa55ca0e21f20daa0be991c1dc3bd2dd7e644fe2cddcd5e
-
Filesize
344B
MD5b89e20b24895f5937eb307b40cb67946
SHA185ca3d37b5f0a04448cea89f77aed0a477f08cfb
SHA25680ade960f905881f4025aff4c5b09e78df414ca66e8e45e08257ce0d5b1e3cf5
SHA5122c79352337302b1aa0139c7eb79fe42a98fdf42dfb5cea2bbafc8e9cf8a9ef6133aa185cffb9434059c376c4777d7d14dc5bf849e94b9cbe7ba0285b955047a2
-
Filesize
344B
MD5c0318aa702fcf54057a4b5232c333563
SHA180dc9175d0f2e10007cc7eeb0f32a12ccbd9339f
SHA25659aa613d54647c922abed3849d8157e4f737f403efe0e4d3897e10ab21bc59ba
SHA5120ed9441112f7b44aa69be08cf603c864fff87c7727e7f050cec0b7fb90ed17d4b7493dc4a6179d981c0404dba2a03fed41aabb3d40b2ca6fcfa86482e305280a
-
Filesize
344B
MD5de38b4604154e30e7d20ea4d516d1c76
SHA1357291d33edecabd04bcfcdefff2c0fd6fe58888
SHA256f2b0186e02ec87cf78d5f96bd5b256ed0e9c1a99e5238c2c346209aa3f4d248b
SHA51244ee55f9b301b3accacf4711a14fb0dccc3b33fe58c9032590225c61e376fabb6fc4810571d9fd1607c31359436037c5a919bf2ae2d8df31fc19a3e2f4154d88
-
Filesize
344B
MD545db60f58e6713de036a6a42bc991516
SHA180da864882c1dccd33778f0aa450e8c3ab425c27
SHA2568d8e3581cc2b5f6e865bf292f4f710f959d1e88b2fef077b70c3c52baa975ceb
SHA51209ace808c469f93f60afc69655e83ed8b7d548522f32b24d92935cbe64d521b8402c5deb4d704b52d2014bb0482ba0454e58e6c36a3b5324a45f219c89e02c18
-
Filesize
344B
MD50e76387d12549a3b1b51358b56f852c2
SHA1809ea9a1c2d77ff36a50ace2ca806753b555bbc0
SHA256d30524a99e9db281136fafc43d2c10d1d123ee7361e66576ad6e86b70c6cdd08
SHA5125bda9d59bd2c902f46f66eda46cd946d2ca3358ea9ba2dcf144199e4f37981caaa0f96cbae25ba07a63940ba50c229468797dac9cc2738a442505ce220d65e56
-
Filesize
344B
MD5dfae4bcff4fc63da5ad3c2a571eaa6a2
SHA1e33ed0e6fa7da9b6353596de1c8a81066830d27b
SHA256b61329ed1c52929e006a005c3464389f434dd9a90fd1250c6af7f541df0c879c
SHA512063f4a75f2df57e3125455e155fe4d7d3cda659af2791141a929c03d0d0aa3906c98f24afdccffd2c5cf1ce525cc352873950044d76dcd6fdbf6152ff75bbc0b
-
Filesize
344B
MD555caebfe4dab020869e1b4ae1aa672a2
SHA1a906333b3fe6bb4b9050023e716d58665380002b
SHA256afc9c20b172795bba2db5c5b4bc318439264152f6d1f59012c0644a05296f3a5
SHA512c356c49339715cd33a3e8fd240201d7fcf694876cb7ae84aee517809b7244e2c06a7730f4df5da823302da3730aff03404a1f8d07aeddd81e9f83739557025e4
-
Filesize
344B
MD57a569cf01e8a97f9eced4ed1367c0e27
SHA1fcfdd140e25637d0802fdb29b0cdf8c4dd2b4266
SHA25634ca1ee6ffb9992cf5e524e351586adcb851e6fb9348cfe651a98f48510bdee8
SHA51210344704743ec3288c71322581f5f8e62c6fa59d31d80fcb918f085d99fd149fe7d2e32d92c5052172354d761bd9664a76683b07c9b4b8bd792446d9532285ea
-
Filesize
344B
MD5e01748d60a362703a93c381e15ad599f
SHA16b9e584ac0c9b787a7e8f85b02457784e0bf3ab4
SHA25695d2950a862e25323db8798d01646faf5d109d16b65caac9c99f327e156be4b7
SHA512271fb51efb84b415464759b5f8e242d2f2274ae7f06e0032aa79b66f5d03ef337fde17d891333f96ec50dddc95592f2d0595890535692d6a61ebbadd1e4200a5
-
Filesize
344B
MD5e502b74eec580f4c9781011af4b2964d
SHA1b144520bd630fb8f5977e9418aa9501cb9b9551e
SHA256445cc5729df58cdee27148cf79f49b4941f46c7f44c95324e1e02eb3802e5457
SHA512cd76dc5675c9df11d5eb3501e4541a598fa1e8eecfa231769fafbde9406a3b5ed34ddc50dfa95e6a3ef80edce3736506256c13e1857b0269c9840b3df174cc6a
-
Filesize
344B
MD5bdea22aed88df517d76ffe7b42ef4f14
SHA1109bbed99eaa96c1e598ba5276580a4b621f2103
SHA25690a387df039cdda9092d355d7880f15051cf216ca30bbdf300b03e05fcc8417c
SHA5120bd49d464c548e5005d11f215f1a797e54fdf773afd7108096a01213fb48098c79a9b679bedf7fc04dab054687e7fc8c9e638f391835f515fbe11df56a96dd39
-
Filesize
344B
MD51d986ce2cb3f07144a5de2979807ded6
SHA1d4376e4c5ddb7f48c9ae0cd53bbcbeec9ab0da85
SHA2562b046cf91fe376eea04d25d63feb32cc466a345394103c42c033b58f7c2a9a94
SHA512b70e4bff2a5f3f0f852ba3c9a998df41feee397573645d7b9d31db3b9a64ada923cf79576d35172ca89d2b66c1038ddb88291e4f9749d1da7c3458d93b3c7824
-
Filesize
344B
MD5aafc3c7460e8f98582ee829314733b6c
SHA13949ffd99d22a0c4c3702726ec3f3aa7e07172ad
SHA256f274f76e41895bc91476ae437a66002203cbc31da8b556af8f70fb32cfef1eb0
SHA512739cbf8375d6deacfada67b5b4d878b1d0b33708cab2d904b4d1de4b6afb23352a0adade8e11d2546bc24457f3546beed27f1e237506881edd19a9851d205550
-
Filesize
242B
MD5fba15273b44dff8979472936a8cededb
SHA195dd17cf35401d96b1eb8c3cd492831b49440c75
SHA25618c4985dc2e732c87e97331a533a5410da70edd437deb9fb2624fe912377e56d
SHA51205abef2ccf3cf67bfd502ef69dbffe82923ec3b9b39aaa9b82f9493d16188a94b1969ac251179e7a2c94e1eda09cc13e04cd79186bcbaeba8a64de8076f01f87
-
Filesize
5KB
MD5740e6daa2bf21b7f832b1015358974d2
SHA1e43b6b506d6bf42c785a6f9d86e7be2a986c6e97
SHA25606ef084a521b4212bd80c7741d6a82783a4b43348e6b3424993a517ff9fa7de1
SHA5122d66c7df1afcda6a19324a0913322790da97b281119280d28203711758cbb8484e3c6b8ff7d17b43a1d7f42fe35c32eed5072cb213cc8315095ad923075fefbf
-
Filesize
5KB
MD5f3418a443e7d841097c714d69ec4bcb8
SHA149263695f6b0cdd72f45cf1b775e660fdc36c606
SHA2566da5620880159634213e197fafca1dde0272153be3e4590818533fab8d040770
SHA51282d017c4b7ec8e0c46e8b75da0ca6a52fd8bce7fcf4e556cbdf16b49fc81be9953fe7e25a05f63ecd41c7272e8bb0a9fd9aedf0ac06cb6032330b096b3702563
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
177KB
MD5435a9ac180383f9fa094131b173a2f7b
SHA176944ea657a9db94f9a4bef38f88c46ed4166983
SHA25667dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA5121a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a
-
Filesize
58KB
MD5abb96dc265c42a9e9357b69cd911ffce
SHA196a3619977f5b58a1cede6b960adca942e82d4e6
SHA25653fa4aaf3bd78521f9d402d0c793078353e6ff8f9d0ff7efcd8c686c79c69560
SHA512c56af566bb3ddf2731daa2a74936f0500b32ee36bd8184ee7c17924c9ed730b64bd4552a91fc55b870754e49196a30e6d414ba77bee960b18d4c9136e51087fb
-
Filesize
100KB
MD51b942faa8e8b1008a8c3c1004ba57349
SHA1cd99977f6c1819b12b33240b784ca816dfe2cb91
SHA256555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc
SHA5125aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43
-
Filesize
80KB
-
Filesize
80KB
-
Filesize
9.9MB
-
Filesize
56KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
4KB
-
Filesize
232KB
-
Filesize
80KB