General
- Target: RuntimeBroker.bat
- Size: 95KB
- Sample: 240531-z6lqmadf91
- MD5: 9174f5a3530ff5f966d35b38cb69e3c4
- SHA1: 228c9fcf922074c56aab5798e5f03bcbc6d6cb05
- SHA256: 0b98d1633f196fd8de2c57840d8c610c80e7513713f59416c65b618a577d3a29
- SHA512: cc2bcceeee6daec0d414060841dddfbafe0be1fb81c88e8374af7303d1f41791f06fa0d4e3834563b90f5fe96f0ba936b99fd4ca4ce65d049352ed4116816b5f
- SSDEEP: 1536:DnbK+6KWfEqYYlQIWLCBYZeDMK3h+ltXRAU/IV8st+Nj9UMwA0ysfu44:zj6NW3ZXKR+CSmoj3wAofY
Static task: static1
Behavioral task: behavioral1
- Sample: RuntimeBroker.bat
- Resource: win10-20240404-en
Behavioral task: behavioral2
- Sample: RuntimeBroker.bat
- Resource: win10v2004-20240426-en
Malware Config
Extracted: xworm
- bbcslimer-34082.portmap.io:34082
- install_file: USB.exe
Targets
- Target: RuntimeBroker.bat, 95KB (MD5, SHA1, SHA256, SHA512 and SSDEEP identical to the General section above)
- Detect Xworm Payload
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
  Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.
- Checks computer location settings
  Looks up the country code configured in the registry, likely a geofence.
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.