Overview

overview

10

Static

static

10

nigger.exe

windows7-x64

10

nigger.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-05-2024 23:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    nigger.exe

  • Size

    58KB

  • MD5

    abb96dc265c42a9e9357b69cd911ffce

  • SHA1

    96a3619977f5b58a1cede6b960adca942e82d4e6

  • SHA256

    53fa4aaf3bd78521f9d402d0c793078353e6ff8f9d0ff7efcd8c686c79c69560

  • SHA512

    c56af566bb3ddf2731daa2a74936f0500b32ee36bd8184ee7c17924c9ed730b64bd4552a91fc55b870754e49196a30e6d414ba77bee960b18d4c9136e51087fb

  • SSDEEP

    1536:Bvf7dvzwTr1JVEUrq1xLAhhaL5b7JkbutjkfZNJN99Opv8gJaed:Bvf8CUrqMhILjkbu4Nn99OpEgTd

Score
10/10
xwormpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

dc-coleman.gl.at.ply.gg:42550

Attributes
  • Install_directory

    %AppData%

  • install_file

    runbroker300.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\nigger.exe
    "C:\Users\Admin\AppData\Local\Temp\nigger.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2920
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "runbroker300" /tr "C:\Users\Admin\AppData\Roaming\runbroker300.exe"
      2⤵
      • Creates scheduled task(s)
      PID:3684
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /delete /f /tn "runbroker300"
      2⤵
        PID:3060
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp3B4F.tmp.bat""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2084
        • C:\Windows\system32\timeout.exe
          timeout 3
          3⤵
          • Delays execution with timeout.exe
          PID:2600
    • C:\Users\Admin\AppData\Roaming\runbroker300.exe
      C:\Users\Admin\AppData\Roaming\runbroker300.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4944

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp3B4F.tmp.bat
      Filesize

      158B

      MD5

      defb2d8f8015a35ed866e728df7f50ec

      SHA1

      2e591864570cfe6377fbf8668240c2cddcba5fcb

      SHA256

      f3313b62384dfd43686d1ce0482477e41f4ec1994212bc0cc1d56a3178f29533

      SHA512

      e2e70041a4cc9be5a5f6ab373fbb354147b5dc82c3d6604a42bc787122007d2547fac9b2a95d83f28b5d9657305623001483147e8f01de676fb725e9edee48a6

      Download Submit

    • C:\Users\Admin\AppData\Roaming\runbroker300.exe
      Filesize

      58KB

      MD5

      abb96dc265c42a9e9357b69cd911ffce

      SHA1

      96a3619977f5b58a1cede6b960adca942e82d4e6

      SHA256

      53fa4aaf3bd78521f9d402d0c793078353e6ff8f9d0ff7efcd8c686c79c69560

      SHA512

      c56af566bb3ddf2731daa2a74936f0500b32ee36bd8184ee7c17924c9ed730b64bd4552a91fc55b870754e49196a30e6d414ba77bee960b18d4c9136e51087fb

      Download Submit

    • memory/2920-0-0x00007FFC22A73000-0x00007FFC22A75000-memory.dmp

      Filesize

      8KB

      Download

    • memory/2920-1-0x0000000000210000-0x0000000000224000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2920-6-0x00007FFC22A70000-0x00007FFC23531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2920-12-0x00007FFC22A70000-0x00007FFC23531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2920-19-0x00007FFC22A70000-0x00007FFC23531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4944-9-0x00007FFC22A70000-0x00007FFC23531000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4944-11-0x00007FFC22A70000-0x00007FFC23531000-memory.dmp

      Filesize

      10.8MB

      Download