Overview

overview

10

Static

static

10

XWorm_V3.1....1.exe

windows7-x64

10

XWorm_V3.1....1.exe

windows10-2004-x64

10

XWorm_V3.1/crack.exe

windows7-x64

10

XWorm_V3.1/crack.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    66s
  • max time network
    85s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-04-2023 20:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    XWorm_V3.1/XWorm V3.1.exe

  • Size

    7.2MB

  • MD5

    c0897e921672c2619acc5d9ff1329860

  • SHA1

    683d5c1b0858cd5089e4a60ba344872531584d35

  • SHA256

    607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52

  • SHA512

    696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff

  • SSDEEP

    196608:FLQ6B/XKUDz9NoUXJzUWi7MYjBVvo5/UVC:ZFlaU/9NZXJZinjB9oxgC

Score
10/10
redlinedarkwebdiscoveryinfostealerspywarestealer

Malware Config

Extracted

Family

redline

Botnet

DARKWEB

C2

89.22.234.180:40608

Attributes
  • auth_value

    cf407bc0c9a8384bb62aa110b7844cfe

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWorm_V3.1\XWorm V3.1.exe
    "C:\Users\Admin\AppData\Local\Temp\XWorm_V3.1\XWorm V3.1.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4828
    • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
      "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:4512
    • C:\Users\Admin\AppData\Local\Temp\dark.exe
      "C:\Users\Admin\AppData\Local\Temp\dark.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1016
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
      PID:3652
    • C:\Windows\system32\AUDIODG.EXE
      C:\Windows\system32\AUDIODG.EXE 0x338 0x248
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3816

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Credentials in Files

    2
    T1081

    Discovery

    Query Registry

    2
    T1012

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Data from Local System

    2
    T1005

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
      Filesize

      6.9MB

      MD5

      37a9fdc56e605d2342da88a6e6182b4b

      SHA1

      20bc3df33bbbb676d2a3c572cff4c1d58c79055d

      SHA256

      422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

      SHA512

      f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
      Filesize

      6.9MB

      MD5

      37a9fdc56e605d2342da88a6e6182b4b

      SHA1

      20bc3df33bbbb676d2a3c572cff4c1d58c79055d

      SHA256

      422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

      SHA512

      f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
      Filesize

      6.9MB

      MD5

      37a9fdc56e605d2342da88a6e6182b4b

      SHA1

      20bc3df33bbbb676d2a3c572cff4c1d58c79055d

      SHA256

      422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58

      SHA512

      f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dark.exe
      Filesize

      159KB

      MD5

      0d1b1c61a083b253810ede683435e6bc

      SHA1

      3a1c3f7a2d18d614a76d938d94b3af6f75580d9f

      SHA256

      fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb

      SHA512

      dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dark.exe
      Filesize

      159KB

      MD5

      0d1b1c61a083b253810ede683435e6bc

      SHA1

      3a1c3f7a2d18d614a76d938d94b3af6f75580d9f

      SHA256

      fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb

      SHA512

      dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\dark.exe
      Filesize

      159KB

      MD5

      0d1b1c61a083b253810ede683435e6bc

      SHA1

      3a1c3f7a2d18d614a76d938d94b3af6f75580d9f

      SHA256

      fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb

      SHA512

      dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

      Download Submit
    • memory/1016-156-0x0000000005610000-0x0000000005622000-memory.dmp
      Filesize

      72KB

      Download
    • memory/1016-159-0x0000000005670000-0x00000000056AC000-memory.dmp
      Filesize

      240KB

      Download
    • memory/1016-154-0x0000000000DB0000-0x0000000000DDE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1016-155-0x0000000005B90000-0x00000000061A8000-memory.dmp
      Filesize

      6.1MB

      Download
    • memory/1016-169-0x00000000069A0000-0x0000000006B62000-memory.dmp
      Filesize

      1.8MB

      Download
    • memory/1016-157-0x0000000005740000-0x000000000584A000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/1016-173-0x00000000056B0000-0x00000000056C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-171-0x0000000006830000-0x000000000684E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/1016-162-0x00000000056B0000-0x00000000056C0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/1016-170-0x0000000007680000-0x0000000007BAC000-memory.dmp
      Filesize

      5.2MB

      Download
    • memory/1016-164-0x00000000059B0000-0x0000000005A16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1016-165-0x0000000006550000-0x00000000065E2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1016-166-0x0000000006BA0000-0x0000000007144000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/1016-167-0x00000000065F0000-0x0000000006640000-memory.dmp
      Filesize

      320KB

      Download
    • memory/1016-168-0x00000000066C0000-0x0000000006736000-memory.dmp
      Filesize

      472KB

      Download
    • memory/4512-158-0x000000001D1A0000-0x000000001D1B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4512-163-0x000000001D1A0000-0x000000001D1B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4512-153-0x00000000007C0000-0x0000000000EB6000-memory.dmp
      Filesize

      7.0MB

      Download
    • memory/4512-172-0x000000001D1A0000-0x000000001D1B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4512-174-0x000000001D1A0000-0x000000001D1B0000-memory.dmp
      Filesize

      64KB

      Download
    • memory/4828-152-0x0000000000400000-0x0000000000B3D000-memory.dmp
      Filesize

      7.2MB

      Download