Overview

overview

10

Static

static

10

Recycle Bin.exe

windows7-x64

Recycle Bin.exe

windows10-2004-x64

10

Resubmissions

23/06/2024, 14:41 UTC

240623-r2vtqsvbqg 10

23/06/2024, 14:41 UTC

240623-r2laasybkp 10

23/06/2024, 12:34 UTC

240623-prw8pszgqg 10

Analysis

  • max time kernel
    985s
  • max time network
    951s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/06/2024, 12:34 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Recycle Bin.exe

  • Size

    66KB

  • MD5

    0680a239ba405c1935c687ebdf6d4540

  • SHA1

    bf2cc8de357fe1af9888e120e1c139ca2bc77c15

  • SHA256

    10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d

  • SHA512

    09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73

  • SSDEEP

    1536:44Sw2KfDxiZcy2fdbdFSQ37E6vObaKjG:4OL1yGdbdF5ZObPG

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

medical-m.gl.at.ply.gg:28857

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 16 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Recycle Bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Recycle Bin.exe"
    1⤵
    • Checks computer location settings
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2596
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Recycle Bin.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3164
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Recycle Bin.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4476
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2912
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3504
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:2692
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1972
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4292
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3088
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4952
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4404
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3408
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2104
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3164
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3704
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3228
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3520
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:952
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:740
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2532
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1688
  • C:\ProgramData\Runtime Broker.exe
    "C:\ProgramData\Runtime Broker.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2192

Network

  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    8.8.8.8.in-addr.arpa
    Remote address:
    8.8.8.8:53
    Request
    8.8.8.8.in-addr.arpa
    IN PTR
  • flag-us
    DNS
    ip-api.com
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    ip-api.com
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    ip-api.com
    IN A
  • flag-us
    DNS
    medical-m.gl.at.ply.gg
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    medical-m.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    medical-m.gl.at.ply.gg
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    medical-m.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    medical-m.gl.at.ply.gg
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    medical-m.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    medical-m.gl.at.ply.gg
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    medical-m.gl.at.ply.gg
    IN A
  • flag-us
    DNS
    medical-m.gl.at.ply.gg
    Recycle Bin.exe
    Remote address:
    8.8.8.8:53
    Request
    medical-m.gl.at.ply.gg
    IN A
No results found
  • 8.8.8.8:53
    8.8.8.8.in-addr.arpa
    dns
    330 B
     5

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

    DNS Request

    8.8.8.8.in-addr.arpa

  • 8.8.8.8:53
    ip-api.com
    dns
    Recycle Bin.exe
    280 B
     5

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

    DNS Request

    ip-api.com

  • 8.8.8.8:53
    medical-m.gl.at.ply.gg
    dns
    Recycle Bin.exe
    340 B
     5

    DNS Request

    medical-m.gl.at.ply.gg

    DNS Request

    medical-m.gl.at.ply.gg

    DNS Request

    medical-m.gl.at.ply.gg

    DNS Request

    medical-m.gl.at.ply.gg

    DNS Request

    medical-m.gl.at.ply.gg

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Runtime Broker.exe
    Filesize

    66KB

    MD5

    0680a239ba405c1935c687ebdf6d4540

    SHA1

    bf2cc8de357fe1af9888e120e1c139ca2bc77c15

    SHA256

    10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d

    SHA512

    09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Runtime Broker.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    77d622bb1a5b250869a3238b9bc1402b

    SHA1

    d47f4003c2554b9dfc4c16f22460b331886b191b

    SHA256

    f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

    SHA512

    d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    51cf8df21f531e31f7740b4ec487a48a

    SHA1

    40c6a73b22d71625a62df109aefc92a5f9b9d13e

    SHA256

    263d9b98a897d1d66da4832af640c4bf5ab0ae91125ba12243453dfe714f3d0d

    SHA512

    57a85461f6ea96b26a8b53d3a9cca18543e4ddbe996e8f412fc4cf7cf6e9ffe558c96da7b322a42f18bef62020e65aee119bed6102f75e2f605df09b02ec6368

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    340b40d863485995ea7eaab9c386dc21

    SHA1

    47c7de08001050abece764110b8cc028e3c9cb8f

    SHA256

    5087735f420e1649e208017b143c45d25893b36fe32fd4fa7c97cebf5fe87f19

    SHA512

    1d007bfeca3aee0312cc64db448746db3153b4a7d77997d3d63b0bc7efe646dc6ebc1ba5fc1a0f62f48c18cdb07d8c0343d1433c13f7ecd62dc281d018d45eed

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uaidtlic.u1w.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/2596-1-0x00000000000C0000-0x00000000000D6000-memory.dmp

    Filesize

    88KB

    Download

  • memory/2596-2-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/2596-4-0x00007FFB82733000-0x00007FFB82735000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2596-0-0x00007FFB82733000-0x00007FFB82735000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2596-58-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3164-3-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3164-19-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3164-15-0x000001E461DB0000-0x000001E461DD2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/3164-16-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3164-5-0x00007FFB82730000-0x00007FFB831F1000-memory.dmp

    Filesize

    10.8MB

    Download

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.