Overview

overview

10

Static

static

10

Recycle Bin.exe

windows7-x64

10

Recycle Bin.exe

windows10-2004-x64

10

Resubmissions

23/06/2024, 14:41

240623-r2vtqsvbqg 10

23/06/2024, 14:41

240623-r2laasybkp 10

23/06/2024, 12:34

240623-prw8pszgqg 10

Analysis

  • max time kernel
    1047s
  • max time network
    839s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    23/06/2024, 14:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Recycle Bin.exe

  • Size

    66KB

  • MD5

    0680a239ba405c1935c687ebdf6d4540

  • SHA1

    bf2cc8de357fe1af9888e120e1c139ca2bc77c15

  • SHA256

    10db45b88db5377749bce89b2fe511917e38d027e539ac652ea79829fb82985d

  • SHA512

    09ff2d0449404f7b704cb8270ceecfc87d84c42c202a55ce20fb425230d81f5bf8a798c1c52a2a1ed19c599ad8d2f72188c561d734dd79ac70b7973fbd07fc73

  • SSDEEP

    1536:44Sw2KfDxiZcy2fdbdFSQ37E6vObaKjG:4OL1yGdbdF5ZObPG

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

medical-m.gl.at.ply.gg:28857

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    Runtime Broker.exe

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\Recycle Bin.exe
    "C:\Users\Admin\AppData\Local\Temp\Recycle Bin.exe"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Recycle Bin.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2784
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Recycle Bin.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2576
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2364
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Runtime Broker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2900
    • C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Runtime Broker" /tr "C:\ProgramData\Runtime Broker.exe"
      2⤵
      • Scheduled Task/Job: Scheduled Task
      PID:1040
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {402E61C5-C35B-49F7-B01E-9F147A1D10DF} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
    1⤵
      PID:1316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
      Filesize

      7KB

      MD5

      fa8e4a57233d31ac8a066df6989c1090

      SHA1

      50b137c6b29848883c077d8322c18ff02ae5cc75

      SHA256

      e2f315ccc1c4a9236d31ae6fa91d8eb2313764c0001245896a63d99bc5f06108

      SHA512

      f46fdec2c52750a39773dff1c95280bf67e18a03fffdc64b97aa4f0bc2532b89a8ee44e6726d899479c6255fcce427aa528d75a2cad28d8ae80fdedb4187c24c

      Download Submit

    • memory/2576-16-0x000000001B630000-0x000000001B912000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2576-17-0x0000000001D90000-0x0000000001D98000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2784-8-0x0000000002CA0000-0x0000000002D20000-memory.dmp

      Filesize

      512KB

      Download

    • memory/2784-9-0x000000001B690000-0x000000001B972000-memory.dmp

      Filesize

      2.9MB

      Download

    • memory/2784-10-0x0000000001F70000-0x0000000001F78000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2972-0-0x000007FEF5853000-0x000007FEF5854000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2972-1-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/2972-2-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2972-3-0x000007FEF5853000-0x000007FEF5854000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2972-32-0x000007FEF5850000-0x000007FEF623C000-memory.dmp

      Filesize

      9.9MB

      Download