Resubmissions

28/06/2024, 23:46

240628-3sddwavhjc 10

28/06/2024, 14:25

240628-rrsavsthne 10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    28/06/2024, 23:46

General

  • Target

    RunTimeBroker.exe

  • Size

    39KB

  • MD5

    0061dd18de7cfdd840fbce10433e8d73

  • SHA1

    9852fe23c191a11a387a7f7a7744c15b1d7d601a

  • SHA256

    06ebe0fa2a8df8fe5a51879b6e4a81292bd36668e619666f94db94641666abd9

  • SHA512

    4687b8357ef603dfbefd0661d103a454d7d1dc3448526d6e9d21823a2d60b485cea307eedf846dd695bc2009534abd1081461d03f39729dc9c642478a6d87411

  • SSDEEP

    768:N2CSKPu9Wkh6A9C96eutXwwTSmvAFU9OLj6SOMhNL575A:EVK6WgMs2moFU9Yj6SOM/pi

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

rTw9cIeh9w3su4g8

Attributes
  • Install_directory

    %AppData%

  • install_file

    Dllhost.exe

  • pastebin_url

    https://pastebin.com/raw/pw1j2xqz

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell (Add-MpPreference) to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 47 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2684
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RunTimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2624
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2464
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2216
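The process tree above shows the sample's defence-evasion step concretely: four `powershell.exe -ExecutionPolicy Bypass Add-MpPreference ...` children of PID 1432, excluding both the dropper (`RunTimeBroker.exe` in `%Temp%`) and the configured install file (`%AppData%\Dllhost.exe`) by path and by process name, alongside the "Adds Run key" persistence signature. The script below is an added host-triage example, not part of the tria.ge report or of the XWorm sample: it enumerates Defender exclusions, Run-key values, the install file from the extracted config, and Defender's own configuration-change events (ID 5007), and reports anything matching the indicators on this page. The script name, the `-Remediate` switch and the `$Iocs` table are assumptions made for the example; the names, paths and SHA256 come from the report. One caveat worth knowing: `Add-MpPreference`/`Get-MpPreference` belong to the Defender PowerShell module shipped with Windows 8 / Server 2012 and later, so on the Windows 7 image this analysis ran on the sample's exclusion commands would not have succeeded; run this check on a supported host, as Administrator.

```powershell
<#
  Added example (not from the tria.ge report or the XWorm sample): triage a host for the
  persistence and Defender-exclusion artifacts listed in this report.
  Assumptions: script name, the -Remediate switch and the $Iocs table are made up for
  this example. Requires the Defender module (Windows 8 / Server 2012+) and an elevated shell.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # hypothetical: also remove matching exclusions and Run values
)

# Indicators taken from the report: dropper name, configured install file, dropper SHA256.
$Iocs = @{
    Names  = @('RunTimeBroker.exe', 'Dllhost.exe')
    Sha256 = @('06ebe0fa2a8df8fe5a51879b6e4a81292bd36668e619666f94db94641666abd9')
}
$findings = New-Object System.Collections.Generic.List[string]

# 1. Defender exclusions. The sample adds -ExclusionPath and -ExclusionProcess entries
#    for both the dropper and its %AppData%\Dllhost.exe install file.
$pref = Get-MpPreference
foreach ($p in @($pref.ExclusionPath)) {
    if ($Iocs.Names | Where-Object { $p -like "*\$_" }) {
        $findings.Add("Defender path exclusion: $p")
        if ($Remediate) { Remove-MpPreference -ExclusionPath $p }
    }
}
foreach ($proc in @($pref.ExclusionProcess)) {
    if ($Iocs.Names -contains $proc) {
        $findings.Add("Defender process exclusion: $proc")
        if ($Remediate) { Remove-MpPreference -ExclusionProcess $proc }
    }
}

# 2. Run-key persistence ("Adds Run key to start application"): flag any value whose
#    command line references the dropper or the install file.
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }      # skip PSPath/PSParentPath/... metadata
        $cmd = [string]$prop.Value
        if ($Iocs.Names | Where-Object { $cmd -like "*$_*" }) {
            $findings.Add("Run value '$($prop.Name)' in ${key}: $cmd")
            if ($Remediate) { Remove-ItemProperty -Path $key -Name $prop.Name }
        }
    }
}

# 3. Install file from the extracted config (%AppData%\Dllhost.exe). The report does not
#    show the write itself within the 149s run, so compare the hash against the submitted
#    dropper and treat a match as a self-copy; anything else still needs manual review.
$installFile = Join-Path $env:APPDATA 'Dllhost.exe'
if (Test-Path $installFile) {
    $hash  = (Get-FileHash -Path $installFile -Algorithm SHA256).Hash.ToLower()
    $state = if ($Iocs.Sha256 -contains $hash) { 'matches dropper SHA256' } else { 'hash differs, inspect' }
    $findings.Add("Install file present: $installFile ($hash, $state)")
}

# 4. Defender's own audit trail: event 5007 records configuration changes, which is how
#    exclusions added with Add-MpPreference show up even after the attacker cleans up.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'; Id = 5007
} -MaxEvents 100 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    if ($e.Message -match 'Exclusions\\(Paths|Processes|Extensions)') {
        $findings.Add("Defender config change $($e.TimeCreated): $($e.Message -replace '\s+', ' ')")
    }
}

if ($findings.Count -eq 0) { 'No artifacts from this report found.' } else { $findings }
```

Run it without `-Remediate` first and keep the output as evidence; the event 5007 entries in particular give you the timestamp of the exclusion change, which you can line up with the process-creation time of the `powershell.exe -ExecutionPolicy Bypass Add-MpPreference` children (Sysmon event 1 or Security event 4688) to confirm which process made the change.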

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

    Filesize

    7KB

    MD5

    b7b2b30ca8daa346756c6f5ad12e9795

    SHA1

    ca547149ba0e1a676ce11520a0dab0b4e8a781e0

    SHA256

    94e73b2bd496760ae2e1b4031b3a0bb3fbc8802aa71b65e85f39392627cd90fb

    SHA512

    bae3213501ef562b479e626a44cb738320a1d3cc45b6e5c019f8f5e3b6f17a837d4a78880d56acb8064ad92c6edcd951ff42fcbe5faf8bbe17db3b1ea3d78834

  • memory/1432-0-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

    Filesize

    4KB

  • memory/1432-1-0x0000000000E10000-0x0000000000E20000-memory.dmp

    Filesize

    64KB

  • memory/1432-2-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

    Filesize

    9.9MB

  • memory/1432-28-0x000007FEF5263000-0x000007FEF5264000-memory.dmp

    Filesize

    4KB

  • memory/1432-29-0x000007FEF5260000-0x000007FEF5C4C000-memory.dmp

    Filesize

    9.9MB

  • memory/2624-15-0x000000001B770000-0x000000001BA52000-memory.dmp

    Filesize

    2.9MB

  • memory/2624-16-0x00000000028E0000-0x00000000028E8000-memory.dmp

    Filesize

    32KB

  • memory/2684-7-0x0000000002960000-0x00000000029E0000-memory.dmp

    Filesize

    512KB

  • memory/2684-8-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

    Filesize

    2.9MB

  • memory/2684-9-0x00000000027E0000-0x00000000027E8000-memory.dmp

    Filesize

    32KB