Analysis
- max time kernel: 66s
- max time network: 85s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-04-2023 20:31
Behavioral task: behavioral1
- Sample: XWorm_V3.1/XWorm V3.1.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: XWorm_V3.1/XWorm V3.1.exe
- Resource: win10v2004-20230220-en
Behavioral task: behavioral3
- Sample: XWorm_V3.1/crack.exe
- Resource: win7-20230220-en
General
- Target: XWorm_V3.1/XWorm V3.1.exe
- Size: 7.2MB
- MD5: c0897e921672c2619acc5d9ff1329860
- SHA1: 683d5c1b0858cd5089e4a60ba344872531584d35
- SHA256: 607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
- SHA512: 696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff
- SSDEEP: 196608:FLQ6B/XKUDz9NoUXJzUWi7MYjBVvo5/UVC:ZFlaU/9NZXJZinjB9oxgC
Malware Config
Extracted
- Family: redline
- Botnet: DARKWEB
- C2: 89.22.234.180:40608
- auth_value: cf407bc0c9a8384bb62aa110b7844cfe
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: XWorm V3.1.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation | XWorm V3.1.exe
- Executes dropped EXE (2 IoCs)
  Processes: XWorm V3.1.exe, dark.exe
  pid | process
  4512 | XWorm V3.1.exe
  1016 | dark.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- Checks installed software on the system (1 TTP)
  Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (29 IoCs)
  Processes: dark.exe, XWorm V3.1.exe
  pid | process
  1016 | dark.exe (2 entries)
  4512 | XWorm V3.1.exe (27 entries)
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes: XWorm V3.1.exe, dark.exe, AUDIODG.EXE
  description | pid | process
  Token: SeDebugPrivilege | 4512 | XWorm V3.1.exe
  Token: SeDebugPrivilege | 1016 | dark.exe
  Token: 33 | 3816 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 3816 | AUDIODG.EXE
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes: XWorm V3.1.exe
  pid | process
  4512 | XWorm V3.1.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes: XWorm V3.1.exe
  pid | process
  4512 | XWorm V3.1.exe
- Suspicious use of WriteProcessMemory (5 IoCs)
  Processes: XWorm V3.1.exe
  description | pid | process | target process
  PID 4828 wrote to memory of 4512 | 4828 | XWorm V3.1.exe | XWorm V3.1.exe (2 entries)
  PID 4828 wrote to memory of 1016 | 4828 | XWorm V3.1.exe | dark.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\XWorm_V3.1\XWorm V3.1.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm_V3.1\XWorm V3.1.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\dark.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dark.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbem\WmiApSrv.exe
  Command line: C:\Windows\system32\wbem\WmiApSrv.exe
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x338 0x248
  - Suspicious use of AdjustPrivilegeToken
Downloads
- C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
  Filesize: 6.9MB
  MD5: 37a9fdc56e605d2342da88a6e6182b4b
  SHA1: 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
  SHA256: 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58
  SHA512: f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3
- C:\Users\Admin\AppData\Local\Temp\dark.exe
  Filesize: 159KB
  MD5: 0d1b1c61a083b253810ede683435e6bc
  SHA1: 3a1c3f7a2d18d614a76d938d94b3af6f75580d9f
  SHA256: fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb
  SHA512: dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3