Resubmissions

28/06/2024, 23:46 UTC

240628-3sddwavhjc 10

28/06/2024, 14:25 UTC

240628-rrsavsthne 10

Analysis

  • max time kernel
    18s
  • max time network
    28s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    28/06/2024, 14:25 UTC

General

  • Target

    RunTimeBroker.exe

  • Size

    39KB

  • MD5

    0061dd18de7cfdd840fbce10433e8d73

  • SHA1

    9852fe23c191a11a387a7f7a7744c15b1d7d601a

  • SHA256

    06ebe0fa2a8df8fe5a51879b6e4a81292bd36668e619666f94db94641666abd9

  • SHA512

    4687b8357ef603dfbefd0661d103a454d7d1dc3448526d6e9d21823a2d60b485cea307eedf846dd695bc2009534abd1081461d03f39729dc9c642478a6d87411

  • SSDEEP

    768:N2CSKPu9Wkh6A9C96eutXwwTSmvAFU9OLj6SOMhNL575A:EVK6WgMs2moFU9Yj6SOM/pi

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

rTw9cIeh9w3su4g8

Attributes
  • Install_directory

    %AppData%

  • install_file

    Dllhost.exe

  • pastebin_url

    https://pastebin.com/raw/pw1j2xqz

  • aes.plain (1)

    ARywAfIcdhuSdHKBbbZonQ==

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RunTimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3964
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2972
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1132

Network

  • DNS query: ip-api.com (IN A)
    Process: RunTimeBroker.exe
    Remote address: 8.8.8.8:53
    5 requests, 280 B
  • DNS query: pastebin.com (IN A)
    Process: RunTimeBroker.exe
    Remote address: 8.8.8.8:53
    4 requests, 232 B

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    6d3e9c29fe44e90aae6ed30ccf799ca8

    SHA1

    c7974ef72264bbdf13a2793ccf1aed11bc565dce

    SHA256

    2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

    SHA512

    60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    eb1ad317bd25b55b2bbdce8a28a74a94

    SHA1

    98a3978be4d10d62e7411946474579ee5bdc5ea6

    SHA256

    9e94e7c9ac6134ee30e79498558aa1a5a1ac79a643666c3f8922eed215dd3a98

    SHA512

    d011f266c0240d84470c0f9577cd9e4927309bd19bb38570ca9704ed8e1d159f9bea982a59d3eefef72ce7a10bd81208b82e88ef57c7af587f7437a89769adc0

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

    Filesize

    944B

    MD5

    b788676a1f23a5a36b5bd9ee0e9fbdce

    SHA1

    7dbe7cdff1011e1bb087166d0e497cdaa5d8fc38

    SHA256

    2ffe52964abc98695b81c1a3aacdbab4499edfcbb0cd10a68a52a9ba118f8ea4

    SHA512

    ea14ac1c44f223e4f352aff414ab03d15dd36eaac359c618ecbdf6c66fad745a79be2643b037e002de8e853c70241aaf1c8b07411f2eed0bc9977cbb7dd50742

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dlulb0jf.z0q.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/2092-2-0x000001E9770D0000-0x000001E9770F2000-memory.dmp

    Filesize

    136KB

  • memory/2092-12-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2092-13-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2092-14-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/2092-17-0x00007FFD614D0000-0x00007FFD61F91000-memory.dmp

    Filesize

    10.8MB

  • memory/3412-0-0x00007FFD614D3000-0x00007FFD614D5000-memory.dmp

    Filesize

    8KB

  • memory/3412-1-0x0000000000B40000-0x0000000000B50000-memory.dmp

    Filesize

    64KB