Analysis
- max time kernel: 129s
- max time network: 144s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 31-05-2024 01:16
Behavioral task: behavioral1
- Sample: 20235ee05aef546e34ddf783007e6779.exe
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 20235ee05aef546e34ddf783007e6779.exe
- Resource: win10v2004-20240508-en
General
- Target: 20235ee05aef546e34ddf783007e6779.exe
- Size: 70KB
- MD5: 20235ee05aef546e34ddf783007e6779
- SHA1: 999bda8ca538ef81fd3762cdfdf941253c4890d7
- SHA256: f4140df465adf4050ecea61cb9659b757c97f65b8c3cca7afac5a5e89d203c36
- SHA512: aa8d92869a44d638f17737d7a477aa6cfcef2dd43cf460b548110417eb6d62258d5285abf3a66fbfe0a44af8414db1cb3335bc04cd0b79d67b86061284fb7f6f
- SSDEEP: 1536:VmHeyoqqmb8/7kGkbaXtmkcL8U69q4WOZ0B86a:VmHbQTkbaX9FqxOZ0B86a
Malware Config
Extracted family: xworm
- Install_directory: %AppData%
- install_file: Runtime Broker.exe
- pastebin_url: https://pastebin.com/raw/kYPYyCCf
Signatures
Detect Xworm Payload (1 IoC)
- resource: behavioral1/memory/1808-1-0x0000000000C40000-0x0000000000C58000-memory.dmp
- yara_rule: family_xworm
Command and Scripting Interpreter: PowerShell (1 TTP, 4 IoCs)
Runs PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
- pid 3004: powershell.exe
- pid 2576: powershell.exe
- pid 2640: powershell.exe
- pid 2416: powershell.exe
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (process: 20235ee05aef546e34ddf783007e6779.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (process: 20235ee05aef546e34ddf783007e6779.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" (process: 20235ee05aef546e34ddf783007e6779.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 2 IoCs)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (4 IoCs)
- pid 3004: powershell.exe
- pid 2576: powershell.exe
- pid 2640: powershell.exe
- pid 2416: powershell.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
- Token: SeDebugPrivilege, pid 1808, 20235ee05aef546e34ddf783007e6779.exe
- Token: SeDebugPrivilege, pid 3004, powershell.exe
- Token: SeDebugPrivilege, pid 2576, powershell.exe
- Token: SeDebugPrivilege, pid 2640, powershell.exe
- Token: SeDebugPrivilege, pid 2416, powershell.exe
- Token: SeDebugPrivilege, pid 1808, 20235ee05aef546e34ddf783007e6779.exe
Suspicious use of WriteProcessMemory (15 IoCs)
- PID 1808 wrote to memory of 3004: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 3004: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 3004: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2576: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2576: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2576: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2640: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2640: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2640: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2416: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2416: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2416: 20235ee05aef546e34ddf783007e6779.exe -> powershell.exe
- PID 1808 wrote to memory of 2960: 20235ee05aef546e34ddf783007e6779.exe -> schtasks.exe
- PID 1808 wrote to memory of 2960: 20235ee05aef546e34ddf783007e6779.exe -> schtasks.exe
- PID 1808 wrote to memory of 2960: 20235ee05aef546e34ddf783007e6779.exe -> schtasks.exe
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\20235ee05aef546e34ddf783007e6779.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\20235ee05aef546e34ddf783007e6779.exe"
  PID: 1808
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\20235ee05aef546e34ddf783007e6779.exe'
    PID: 3004
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '20235ee05aef546e34ddf783007e6779.exe'
    PID: 2576
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Runtime Broker.exe'
    PID: 2640
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
    PID: 2416
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
    PID: 2960
    - Creates scheduled task(s)
- C:\Windows\system32\taskeng.exe
  Command line: taskeng.exe {3C0C3648-2E2F-4915-9272-467400A03910} S-1-5-21-330940541-141609230-1670313778-1000:KXIPPCKF\Admin:Interactive:[1]
  PID: 1628
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\Q9UQWZM6410KTK3WO7SM.temp
  Filesize: 7KB
  MD5: 8474b5a16574b650591fe6e355e77a10
  SHA1: f0140951c12fe557432801df9680b9c57c7241cc
  SHA256: 6351f8793621279dcd6344fbb1a2d687c25fac13724385e637d8ce92f22d1aad
  SHA512: fec18fd09ea0ae86f30043539b9f77d5835056b0864222d195196b0348a2b482a0674adb53516ce82d1128c198c0fc28e3761f7579b24b25ae28ae5e93c6026b
- (no path recorded; these are the digests of a zero-length file)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e