Analysis
Max time kernel: 1800s
Max time network: 1797s
Platform: windows10-2004_x64
Resource: win10v2004-20240426-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 31-05-2024 10:45
Behavioral tasks
behavioral1: sample Injector2.exe, resource win7-20240221-en
behavioral2: sample Injector2.exe, resource win10v2004-20240426-en
General
Target: Injector2.exe
Size: 327KB
MD5: 3e1b6c00c152ecd0945df66e71caa4c1
SHA1: 6b4e5c1646cac905034b740205f6003a73e872dc
SHA256: 1bee8362e0fffaa161de96775b92a2b6be47e65798251d0bfd4b82d134cfbd89
SHA512: 82a8682d63cb88e74667b9a4824e8d832aa9116fd8854e9debc0912ce1a5437544db213e363a6cfbf42bd5a1b0ed6ba4f622803759ca66e6ab50c4ad34b4627b
SSDEEP: 1536:MDW2YGf/GEjNLTkAD5eZZerr+bhsFz08ISAkTO/2jxSZEsFGfFuAYCRAutPsAzAz:MDrYW/rka5Rr+bhsjItGOOj0j
Malware Config
Extracted family: xworm
rat234678235481254.ddns.net:4782
<Xwormmm>:3412
Install_directory: %AppData%
install_file: Runtime Broker.exe
Signatures

Detect Xworm Payload (2 IoCs)
Processes (resource, yara_rule):
behavioral2/memory/3216-1-0x0000000000380000-0x00000000003D6000-memory.dmp: family_xworm
C:\Users\Admin\AppData\Roaming\Runtime Broker.exe: family_xworm
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence check.
Processes (description, ioc, process):
Key value queried: \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation (Injector2.exe)
Drops startup file (2 IoCs)
Processes (description, ioc, process):
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (Injector2.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk (Injector2.exe)
Executes dropped EXE (30 IoCs)
Processes (pid, process): Runtime Broker.exe, 30 instances with PIDs 3924, 2408, 4224, 4996, 4088, 2568, 4288, 2960, 4816, 1888, 744, 4264, 1272, 4420, 1220, 3976, 4668, 4884, 5092, 4628, 4752, 1808, 3620, 1184, 1000, 4888, 4380, 3028, 3056, 2240
Adds Run key to start application (2 TTPs, 1 IoC)
Processes (description, ioc, process):
Set value (str): \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\AppData\\Roaming\\Runtime Broker.exe" (Injector2.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes (pid, process): 3216 Injector2.exe
Suspicious use of AdjustPrivilegeToken (32 IoCs)
Processes (description, pid, process):
Token: SeDebugPrivilege, 3216 Injector2.exe (recorded twice)
Token: SeDebugPrivilege, Runtime Broker.exe for each of PIDs 3924, 2408, 4224, 4996, 4088, 2568, 4288, 2960, 4816, 1888, 744, 4264, 1272, 4420, 1220, 3976, 4668, 4884, 5092, 4628, 4752, 1808, 3620, 1184, 1000, 4888, 4380, 3028, 3056, 2240
Suspicious use of SetWindowsHookEx (1 IoC)
Processes (pid, process): 3216 Injector2.exe
Suspicious use of WriteProcessMemory (2 IoCs)
Processes (description, pid, process, target process):
PID 3216 wrote to memory of 1084: Injector2.exe -> schtasks.exe (recorded twice)
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\Injector2.exe (PID 3216, level 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\Injector2.exe"
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
  C:\Windows\System32\schtasks.exe (PID 1084, level 2, child of PID 3216)
  Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
  - Creates scheduled task(s)

C:\Users\Admin\AppData\Roaming\Runtime Broker.exe (level 1; 30 separate instances with PIDs 3924, 2408, 4224, 4996, 4088, 2568, 4288, 2960, 4816, 1888, 744, 4264, 1272, 4420, 1220, 3976, 4668, 4884, 5092, 4628, 4752, 1808, 3620, 1184, 1000, 4888, 4380, 3028, 3056, 2240)
Command line: "C:\Users\Admin\AppData\Roaming\Runtime Broker.exe"
Each instance:
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

File 1
Filesize: 654B
MD5: 2ff39f6c7249774be85fd60a8f9a245e
SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

File 2 (hashes identical to the submitted sample Injector2.exe)
Filesize: 327KB
MD5: 3e1b6c00c152ecd0945df66e71caa4c1
SHA1: 6b4e5c1646cac905034b740205f6003a73e872dc
SHA256: 1bee8362e0fffaa161de96775b92a2b6be47e65798251d0bfd4b82d134cfbd89
SHA512: 82a8682d63cb88e74667b9a4824e8d832aa9116fd8854e9debc0912ce1a5437544db213e363a6cfbf42bd5a1b0ed6ba4f622803759ca66e6ab50c4ad34b4627b