Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

RunTimeBroker.exe

windows10-2004-x64

10

RunTimeBroker.exe

windows11-21h2-x64

10

Resubmissions

28/06/2024, 23:46

240628-3sddwavhjc 10

28/06/2024, 14:25

240628-rrsavsthne 10

Analysis

  • max time kernel
    21s
  • max time network
    28s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240611-en
  • resource tags

    arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    28/06/2024, 14:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RunTimeBroker.exe

  • Size

    39KB

  • MD5

    0061dd18de7cfdd840fbce10433e8d73

  • SHA1

    9852fe23c191a11a387a7f7a7744c15b1d7d601a

  • SHA256

    06ebe0fa2a8df8fe5a51879b6e4a81292bd36668e619666f94db94641666abd9

  • SHA512

    4687b8357ef603dfbefd0661d103a454d7d1dc3448526d6e9d21823a2d60b485cea307eedf846dd695bc2009534abd1081461d03f39729dc9c642478a6d87411

  • SSDEEP

    768:N2CSKPu9Wkh6A9C96eutXwwTSmvAFU9OLj6SOMhNL575A:EVK6WgMs2moFU9Yj6SOM/pi

Score
10/10
xwormexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

Mutex

rTw9cIeh9w3su4g8

Attributes
  • Install_directory

    %AppData%

  • install_file

    Dllhost.exe

  • pastebin_url

    https://pastebin.com/raw/pw1j2xqz

aes.plain

Signatures

  • Detect Xworm Payload 1 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe
    "C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RunTimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3788
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'RunTimeBroker.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3816
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2276
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Dllhost.exe'
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e3840d9bcedfe7017e49ee5d05bd1c46

    SHA1

    272620fb2605bd196df471d62db4b2d280a363c6

    SHA256

    3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

    SHA512

    76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    f8c40f7624e23fa92ae2f41e34cfca77

    SHA1

    20e742cfe2759ac2adbc16db736a9e143ca7b677

    SHA256

    c51a52818a084addbfa913d2bb4bb2b0e60c287a4cf98e679f18b8a521c0aa7b

    SHA512

    f1da3ec61403d788d417d097a7ed2947203c6bff3cf1d35d697c31edecdf04710b3e44b2aa263b886e297b2ce923fea410ccc673261928f1d0cd81252740dbe7

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    34e3230cb2131270db1af79fb3d57752

    SHA1

    21434dd7cf3c4624226b89f404fd7982825f8ac6

    SHA256

    0f162f27548a84db1638bcf46d03661b5bcb3032e765fafdb597cc107639ba39

    SHA512

    3756cb01e82dbda681b562eae74d0b8ef8b3787b126119a51a92c51a78204a7805b9bdd60c00c50a3be23b843e78bb153b656540767069f739ce421b9bc02335

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fvhbc3dm.g4f.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/3788-12-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3788-13-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3788-16-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3788-17-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3788-11-0x00007FFD70AD0000-0x00007FFD71592000-memory.dmp

    Filesize

    10.8MB

    Download

  • memory/3788-2-0x0000021D690D0000-0x0000021D690F2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/4816-0-0x00007FFD70AD3000-0x00007FFD70AD5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4816-1-0x0000000000DE0000-0x0000000000DF0000-memory.dmp

    Filesize

    64KB

    Download