Overview

overview

10

Static

static

10

Runtime Broker.exe

windows7-x64

10

Runtime Broker.exe

windows10-2004-x64

10

Resubmissions

23/06/2024, 11:45

240623-nwp5hstaqp 10

22/06/2024, 22:40

240622-2lpb5axgle 10

22/06/2024, 22:29

240622-2epz3sxdmh 10

22/06/2024, 22:12

240622-14q31awgnf 10

22/06/2024, 22:02

240622-1x59cawdqf 10

22/06/2024, 22:00

240622-1wyg4swdlc 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    Runtime Broker.exe

  • Size

    72KB

  • Sample

    240622-14q31awgnf

  • MD5

    89af2aaffc3ddda07a0fc977c8bb2236

  • SHA1

    412bd5812599d5729a51d0350df48030b0d04e1a

  • SHA256

    637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69

  • SHA512

    8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae

  • SSDEEP

    1536:b0nLpERHZ5P56srqpbTXw3cYUo6IfI4WOyL6KqGi:bcY7P56tbTXb6IvOyyGi

Score
10/10
stormkittyxwormevasionexecutionpersistenceprivilege_escalationransomwareratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

medical-m.gl.at.ply.gg:28857

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Runtime Broker.exe

Targets

    • Target

      Runtime Broker.exe

    • Size

      72KB

    • MD5

      89af2aaffc3ddda07a0fc977c8bb2236

    • SHA1

      412bd5812599d5729a51d0350df48030b0d04e1a

    • SHA256

      637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69

    • SHA512

      8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae

    • SSDEEP

      1536:b0nLpERHZ5P56srqpbTXw3cYUo6IfI4WOyL6KqGi:bcY7P56tbTXb6IvOyyGi

    Score
    10/10
    xwormrattrojanstormkittyevasionexecutionpersistenceprivilege_escalationransomwarespywarestealer

    • Contains code to disable Windows Defender

      A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

    • Detect Xworm Payload

    • Modifies Windows Defender Real-time Protection settings

      evasiontrojan

    • StormKitty

      StormKitty is an open source info stealer written in C#.

      stealerstormkitty

    • StormKitty payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • UAC bypass

      evasiontrojan

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Disables Task Manager via registry modification

      evasion

    • Modifies Windows Firewall

      evasion

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials etc.

      spywarestealer

    • Uses the VBS compiler for execution

    • Adds Run key to start application

      persistence

    • Drops desktop.ini file(s)

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Sets desktop wallpaper using registry

      ransomware
    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Scripting

1
T1064

Persistence

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Boot or Logon Autostart Execution

2
T1547

Active Setup

1
T1547.014

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Event Triggered Execution

1
T1546

Netsh Helper DLL

1
T1546.007

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

1
T1548

Bypass User Account Control

1
T1548.002

Impair Defenses

3
T1562

Disable or Modify System Firewall

1
T1562.004

Disable or Modify Tools

2
T1562.001

Modify Registry

7
T1112

Scripting

1
T1064

Credential Access

Unsecured Credentials

1
T1552

Credentials In Files

1
T1552.001

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Data from Local System

1
T1005

Command and Control

Exfiltration

Impact

Defacement

1
T1491

Tasks