Analysis
max time kernel: 149s
max time network: 134s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 26-05-2024 02:51
Behavioral task: behavioral1
Sample: c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
Resource: win7-20231129-en
Behavioral task: behavioral2
Sample: c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
Resource: win10v2004-20240508-en
General
Target: c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
Size: 81KB
MD5: 48288bec5481f6f9cd06650bd69709cf
SHA1: 9a5cf4bfe69765120a5150a8f8983afee07b7005
SHA256: c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424
SHA512: b1df25415674e06b625c3385f5ddd17f37fb992c863fb48d6ae73316a0447c647a7ca602e92e15dc9905594c1f55b1fe6cf30346dbddf6603fd3b28e964f471b
SSDEEP: 1536:CMbWRTlmZ6Zzevqkklj0D0VyQx/Sc/NbAqFaGaeo6HO90jz0vKc1:pbYZm0zUY0OLx/S4bxROS0v1
Malware Config
Extracted family: xworm
C2: lot-feeds.gl.at.ply.gg:55815
Install_directory: %AppData%
install_file: RuntimeBroker.exe
Signatures

Detect Xworm Payload (4 IoCs)
Processes (resource | yara_rule):
behavioral1/memory/1684-1-0x0000000000830000-0x000000000084A000-memory.dmp | family_xworm
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | family_xworm
behavioral1/memory/1076-34-0x00000000000A0000-0x00000000000BA000-memory.dmp | family_xworm
behavioral1/memory/896-39-0x00000000009C0000-0x00000000009DA000-memory.dmp | family_xworm

Detects Windows executables referencing non-Windows User-Agents (4 IoCs)
Processes (resource | yara_rule):
behavioral1/memory/1684-1-0x0000000000830000-0x000000000084A000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/1076-34-0x00000000000A0000-0x00000000000BA000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
behavioral1/memory/896-39-0x00000000009C0000-0x00000000009DA000-memory.dmp | INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
Processes (pid | process):
2628 | powershell.exe
2876 | powershell.exe
2476 | powershell.exe
3032 | powershell.exe

Drops startup file (2 IoCs)
Processes (description | ioc | process):
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RuntimeBroker.lnk | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe

Executes dropped EXE (3 IoCs)
Processes (pid | process):
1076 | RuntimeBroker.exe
896 | RuntimeBroker.exe
1984 | RuntimeBroker.exe

Adds Run key to start application (2 TTPs, 1 IoCs)
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "C:\\Users\\Admin\\AppData\\Roaming\\RuntimeBroker.exe" | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe

Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes (flow | ioc):
4 | ip-api.com

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (5 IoCs)
Processes (pid | process):
2628 | powershell.exe
2876 | powershell.exe
2476 | powershell.exe
3032 | powershell.exe
1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe

Suspicious use of AdjustPrivilegeToken (9 IoCs)
Processes (description | pid | process):
Token: SeDebugPrivilege | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
Token: SeDebugPrivilege | 2628 | powershell.exe
Token: SeDebugPrivilege | 2876 | powershell.exe
Token: SeDebugPrivilege | 2476 | powershell.exe
Token: SeDebugPrivilege | 3032 | powershell.exe
Token: SeDebugPrivilege | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
Token: SeDebugPrivilege | 1076 | RuntimeBroker.exe
Token: SeDebugPrivilege | 896 | RuntimeBroker.exe
Token: SeDebugPrivilege | 1984 | RuntimeBroker.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid | process):
1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe

Suspicious use of WriteProcessMemory (24 IoCs)
Processes (description | pid | process | target process):
PID 1684 wrote to memory of 2628 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2628 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2628 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2876 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2876 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2876 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2476 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2476 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2476 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 3032 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 3032 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 3032 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | powershell.exe
PID 1684 wrote to memory of 2596 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | schtasks.exe
PID 1684 wrote to memory of 2596 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | schtasks.exe
PID 1684 wrote to memory of 2596 | 1684 | c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe | schtasks.exe
PID 1884 wrote to memory of 1076 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 1076 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 1076 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 896 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 896 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 896 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 1984 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 1984 | 1884 | taskeng.exe | RuntimeBroker.exe
PID 1884 wrote to memory of 1984 | 1884 | taskeng.exe | RuntimeBroker.exe

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe"
  PID: 1684
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe'
    PID: 2628
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424.exe'
    PID: 2876
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe'
    PID: 2476
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (child of PID 1684)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RuntimeBroker.exe'
    PID: 3032
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\System32\schtasks.exe (child of PID 1684)
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "RuntimeBroker" /tr "C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe"
    PID: 2596
    - Creates scheduled task(s)

C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {C44C93A2-480D-4BA1-9D4C-119D41200222} S-1-5-21-3627615824-4061627003-3019543961-1000:SCFGBRBT\Admin:Interactive:[1]
  PID: 1884
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe (child of PID 1884)
    Command line: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    PID: 1076
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe (child of PID 1884)
    Command line: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    PID: 896
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

  C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe (child of PID 1884)
    Command line: C:\Users\Admin\AppData\Roaming\RuntimeBroker.exe
    PID: 1984
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize: 7KB
MD5: 62768c92b66a5390a18f9712a8162a0b
SHA1: 3102cdc773de4af533bef82ca23cda62d66cf951
SHA256: 5aa126ab7b4411043a3cf65e7d95128a9632af9d1792b697b65ab3cb934caa81
SHA512: 1468e7cc1e472c5876107b87fa636bd504b471c51cf8a7f9b2371e36d80a618d006c5bfb7206b35f54a06b5145fd1b0126c721e0ca15cf708b819a9f0580f296

Filesize: 81KB
MD5: 48288bec5481f6f9cd06650bd69709cf
SHA1: 9a5cf4bfe69765120a5150a8f8983afee07b7005
SHA256: c769ef621852a1cd8219c535827fcbce8ffb301eece3d34e8cf89db3e7452424
SHA512: b1df25415674e06b625c3385f5ddd17f37fb992c863fb48d6ae73316a0447c647a7ca602e92e15dc9905594c1f55b1fe6cf30346dbddf6603fd3b28e964f471b