Malware Analysis Report

2024-09-23 02:07

Sample ID: 240623-nwp5hstaqp
Target: Runtime Broker.exe
SHA256: 637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69
Tags: xworm execution persistence rat trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69

Threat Level: Known bad

The file Runtime Broker.exe was found to be: Known bad.

Malicious Activity Summary

xworm execution persistence rat trojan

Xworm family

Xworm

Detect Xworm Payload

Command and Scripting Interpreter: PowerShell

Checks computer location settings

Drops startup file

Executes dropped EXE

Adds Run key to start application

Looks up external IP address via web service

Unsigned PE

Enumerates physical storage devices

Uses Task Scheduler COM API

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-23 11:45

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm family

xworm

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-23 11:45

Reported

2024-06-23 11:47

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

89s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\Runtime Broker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\Runtime Broker.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4084 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4576 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3784 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 4788 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4084 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\schtasks.exe
PID 4084 wrote to memory of 3596 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"

C:\ProgramData\Runtime Broker.exe

"C:\ProgramData\Runtime Broker.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | medical-m.gl.at.ply.gg | udp

Files

memory/4084-1-0x00000000006A0000-0x00000000006B8000-memory.dmp

memory/4084-0-0x00007FF9036E3000-0x00007FF9036E5000-memory.dmp

memory/4084-2-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

memory/4576-8-0x0000026CEC310000-0x0000026CEC332000-memory.dmp

memory/4576-13-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eqb4m30x.xjv.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4576-14-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

memory/4576-15-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

memory/4576-18-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 77d622bb1a5b250869a3238b9bc1402b
SHA1 d47f4003c2554b9dfc4c16f22460b331886b191b
SHA256 f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb
SHA512 d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

memory/3784-31-0x000001A4FBCF0000-0x000001A4FBF0C000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 0256bd284691ed0fc502ef3c8a7e58dc
SHA1 dcdf69dc8ca8bf068f65d20ef1563bbe283e2413
SHA256 e2fb83098e114084f51ed7187334f861ce670051046c39f338928296ca9a49cf
SHA512 c5b29c1e0a15ddb68b0579848066774fa7cdc6f35087bbbf47c05a5c0dcc1eb3e61b2ddadfbded8c1ed9820e637596a9f08a97db8fb18000d168e6b159060c42

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 eb033be02578f9635ec47bdc1de5c3fb
SHA1 ec356bc87381354a06baa9c30e8c3ac3d30e0f6f
SHA256 bd827af3192bf83c75a32e51ed2de83bd3b90d6b99350721a189a57cec15d063
SHA512 4d8778503646f7016df73ff9d204760f4fe4d2b24157920ac3e5651653373975b2f2d229530143059f11b16c42822ad7963e628ad6066022ee712c17d90595ed

memory/4788-54-0x000001B0FA540000-0x000001B0FA75C000-memory.dmp

memory/4084-59-0x00007FF9036E0000-0x00007FF9041A1000-memory.dmp

C:\ProgramData\Runtime Broker.exe

MD5 89af2aaffc3ddda07a0fc977c8bb2236
SHA1 412bd5812599d5729a51d0350df48030b0d04e1a
SHA256 637aff987be6ea158b7182de9de5de0054407077511019516270d82a6f2e9b69
SHA512 8c2b26d0f1b0ae80149a2aaadef329ab7fb3495bdfbccb7f8ff60368094cd955829b2cb1217b16808ac41a223661d48c2dcf88d3daeddc6b699aa88272be75ae

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-23 11:45

Reported

2024-06-23 11:47

Platform

win7-20240508-en

Max time kernel

146s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

Signatures

Detect Xworm Payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Xworm

trojan rat xworm

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Runtime Broker.lnk | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\Runtime Broker = "C:\\ProgramData\\Runtime Broker.exe" | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | ip-api.com | N/A | N/A

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\schtasks.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1536 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1792 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 1624 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1700 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\schtasks.exe
PID 1700 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\schtasks.exe
PID 1700 wrote to memory of 2212 | N/A | C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe | C:\Windows\System32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe

"C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'

C:\Windows\System32\schtasks.exe

"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"

C:\Windows\system32\taskeng.exe

taskeng.exe {A5039DF8-C743-48AB-AC7F-E7431CD0F161} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | ip-api.com | udp
US | 8.8.8.8:53 | medical-m.gl.at.ply.gg | udp

Files

memory/1700-0-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

memory/1700-1-0x0000000000AC0000-0x0000000000AD8000-memory.dmp

memory/1700-2-0x000007FEF5D53000-0x000007FEF5D54000-memory.dmp

memory/1700-3-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp

memory/1536-8-0x0000000002990000-0x0000000002A10000-memory.dmp

memory/1536-9-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

memory/1536-10-0x0000000001E20000-0x0000000001E28000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 6bc1955f85875147a08d6b63319211c9
SHA1 8b2bfa354372fdb0d2dcb5eb2ac90dc0efc0e0e9
SHA256 83a721755b5c533245feeee84072a15f6b0ce491fae09666752a929f08c0c234
SHA512 6bce5f3788c73d7e906de6364da43bcb64f3c1ba5f65291d8ed6337c8d9974aea849cad3d5f3afe02a8e7094b045b5f2076817a5fb177d664ccc69650ff0a310

memory/2828-16-0x000000001B580000-0x000000001B862000-memory.dmp

memory/2828-17-0x0000000001E70000-0x0000000001E78000-memory.dmp

memory/1700-32-0x000007FEF5D50000-0x000007FEF673C000-memory.dmp