Analysis
-
max time kernel
237s -
max time network
175s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
31-01-2024 21:45
General
-
Target
DreddedsMT_V2 (1).exe
-
Size
325KB
-
MD5
6cb37737df71985fa41dd732e4cebf2c
-
SHA1
1cba30161e7a6cf9514e1d7e46e7f72dd8da2a57
-
SHA256
c56c6f394fe19e834ab6e6c1230f227fee52246d00236951d15f05c278016eed
-
SHA512
36c8bedc2cfcce83bb1e6ec9fbac1da6e7906ec0097e288765663c347eb102202200114cb3883265e7fd32de7ddc498b1a4ad0d5242e0363aebfc02cac22b30e
-
SSDEEP
3072:exiie1oWClkHsn0JaAB+UTbnLmPvR59RQKiypXg5qm9LxFYbs:erNPuMUaAAWnS35iyFg5qs9
Malware Config
Extracted
xworm
5.0
Signatures
-
An infostealer written in Python and packaged with PyInstaller. 1 IoCs
-
Detect Xworm Payload 4 IoCs
-
Xworm
Xworm is a remote access trojan written in C#.
-
crealstealer
An infostealer written in Python and packaged with PyInstaller.
-
Drops startup file 3 IoCs
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Delays execution with timeout.exe 1 IoCs
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
-
Modifies Internet Explorer settings 1 TTPs 28 IoCs
-
Modifies registry class 11 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 13 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SetWindowsHookEx 10 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
-
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\DreddedsMT_V2 (1).exe"C:\Users\Admin\AppData\Local\Temp\DreddedsMT_V2 (1).exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\discord.exe"C:\Users\Admin\AppData\Roaming\discord.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\epicgameslauncher'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epicgameslauncher'3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "epicgameslauncher" /tr "C:\Users\Admin\AppData\Roaming\epicgameslauncher"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Roaming\microsoft.py2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\microsoft.py3⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:856 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\microsoft.py4⤵
-
-
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat" "2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\chcp.comchcp 650013⤵
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {CAFAE778-F379-418D-824E-73C80C72861C} S-1-5-21-1603059206-2004189698-4139800220-1000:AILVMYUM\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\epicgameslauncherC:\Users\Admin\AppData\Roaming\epicgameslauncher2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Roaming\epicgameslauncherC:\Users\Admin\AppData\Roaming\epicgameslauncher2⤵
- Drops startup file
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\epicgameslauncher'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epicgameslauncher'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\epicgameslauncher'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epicgameslauncher'3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "epicgameslauncher" /tr "C:\Users\Admin\AppData\Roaming\epicgameslauncher"3⤵
- Creates scheduled task(s)
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /delete /f /tn "epicgameslauncher"3⤵
-
-
C:\Windows\system32\cmd.execmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpED8A.tmp.bat""3⤵
-
C:\Windows\system32\timeout.exetimeout 34⤵
- Delays execution with timeout.exe
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD529e128febb7a1dbbfc3d9983b14b72fb
SHA163cfecf3805000c4aede57ed23a458650fde0ca9
SHA256b32fbfdbf9c821d3e052082dbe34a4ea8aeb8ec27c35726f01c24cdcf809aab1
SHA512e46f90e17262f8157633a93b47ef28dafb688d79fa1ca55ff03086f2ab5e43d2e8c3182fde54828240c835b6a781d5c4bbe0abdf4d590d021597cce0383c2a27
-
Filesize
344B
MD544a82c737f53cfbfa8963f48e2b9c33b
SHA1b2f4d3714067ec4b014036a452fa3787190a3cf0
SHA2567f6fe7dcea7cd3fc6fcb219ee18dd483077a22fe7b3ecdfe8ebe58bf9c709e8d
SHA5128e60aee81850c30fd83abf874864fab4f0e8fbcf88e3ef1ef77755b89cd9b3d537161d8c72fd9a18ceb67c566b6b94b54be3de7c320adeceffba2d9f33323811
-
Filesize
344B
MD58d2a1b09afb2db87e16259681a8265ab
SHA11ebcb91ea3a453e47150f63598c3d54fdfc2fcc1
SHA256ef76dc27833822f37f338fb596154d66b3b247be3bb1d268db1b5feff90c145a
SHA512339929caad1005d3c88da513c85dd7869644eb42e65c6b48e8e41ff36e3a70a14e0c8de5ea20ae6dc7d8326dd17a5031507407922250ebb0751ca2826581f901
-
Filesize
344B
MD55e47c51be214190c850c7dc00c3b4d77
SHA16ae5857c391df3da880c12ac236f4ece541c1c92
SHA2569972c1a89c39b679d46b2a441806c46189b7e95da83d5f137733b6b2b92b248f
SHA51231343c5c607d13805e42f9c27560474db99e8dd8498ee5353d169a889b575bdf54dbd00ec5d6f42ef0f44e14e513721c90bc119b5459c1ec4b58214ba4047603
-
Filesize
344B
MD5f1de7c90df0892c9e994189e0524b2cb
SHA1808155b521cad62eee271e4901b677c15ba0941c
SHA256341b2a0fe9878ae42c8911e47c66aa04ce12192cfb6b49b9abeecfe339a0287a
SHA51279bac58feede6bb1154d2a4856be357aa921efaae1c018ccf1ecd0db1975c3b33ea9484ef1ac87a85af05e85008420cb91ef6ec6f132e0116b26fe594b9e4fd1
-
Filesize
344B
MD51eb4697d6afbb641c7411ee2fbb9efee
SHA12d286d7576503841090a8e667cfdf9bcc2046269
SHA256fc7817fd244eb7f4d774274ca05f2fd501dc4e1d51d6cbb16d6f57834737506f
SHA512ed53e86549e57d6105b33095c65a3d4729e41a5936f378fd40716a773802ada4e55e80d09746d35435b2fcd0c997a3274cad61919aaae8d98f78e6c4eccc1adb
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
162B
MD5a10c02d19df86a8bc71ed6766d1bdd06
SHA16d2e8525c752176d32ecc86b2456ef76ac8b5a56
SHA256d852425dfda79bc3ce7b896bca023b27d7cc168d36b0a797784db24d78c66bf7
SHA51225cca614b032217701e966b2286f4716422ab35b0f727a2b4e652cbfa2a4c9bfbfa4b7add780d6a500ba364c7878c3c971029a8018f4019a28b19dc26f9ee03f
-
Filesize
5KB
MD5ab56972290ddce5aac7fa4bc3436efab
SHA13e0a65413a467ac4c4925366766701f016db173c
SHA256fdb6f0c1731c5ba1ee0598b85620ab83a9e1f6ffe708c1d8ed0055b6eb7d67c1
SHA51275ade9804e223bc37837513aaaa0a80d8e4ddab25363261b597d4a8bf33ed6def3736a99c0519b1cd20e04cb2761a8c3956ff3b4bff5a87b48d94c47a6c45754
-
Filesize
7KB
MD5f0466e6a05abe0e802feed769fe87168
SHA151ea5c6db32eae746649334319241c59bfb4fbe1
SHA256b0f0d0ea19dc0b8c1cb507ff1ad4022236fd92b1d6918496e390e68b2c3c7175
SHA512ccc6809a784ee038409b225b6a93be571e69ebb4975b112df236362871de421c3420c49a7e3765182b50bdab333bf864aad75b48d0756506bde5eb1c1e2319a9
-
Filesize
7KB
MD5a62657e5c66decc910b8ff4c007f26d3
SHA1dadbe7b9ac7a99fbde7a322859f65e44e484caa2
SHA256e800b18e679a4c3ea261376b7ab72a7c33d78a22d44767ede79ff4c4c89904de
SHA512b92855d72c366d7ab0573eb19235d3f0cfa09cff0f961e69f8fc60f2f31626003c8dcca9a9e814bf922480e9e01d612a059ae5caa427130d27490b65e7f7b265
-
Filesize
720B
MD5929ce8d4e7870e63f45ff870a566f80a
SHA1c332b9b68f85ffb355e389383c12aa10690a3e47
SHA25699dccb4d5d997a02575e5020250174bed50133d825d4af10e0b4dfbad0d027fb
SHA512f00acaf05d9b07c33702e2fc6de14fc7b6437c44ee259c47c99dc8cbbe679ff33bfd6fb7aeb67f8f09de79b75cfa860fdd9c2c54012b785661b90679e000a6ef
-
Filesize
41KB
MD572ef95ae3368f3e40bb087ddaa1fa5c2
SHA120d810b3e8623916c7eb09ab3a4d1df45fb1cf62
SHA256dd0eaf0b079081d4e1b37f79c28ea5503e84517a67200b8f2b20a9b9683f5154
SHA5125a7d657c375a4d83c56903e3d0f327939a27c032d24fc309c11dfe2d2deddafab6c56eea33a9ca4e9293e208ced9ef20d4312f3f827c00316f9d8d8490540ae9
-
Filesize
78KB
MD556858a6f2411a10b07e553dafc76f2cc
SHA151fde952fd7ac4a4ad5afe00ee77116120c1f60b
SHA256ad2c20dc31883ca97884043544fe004cc370270be97ba1bf447b9358c4bd5f92
SHA51262e529809f42460bd13752fa97c0fc6a19b33e82d8350be10d187e336638d1abf12325ebba79535d22d6666d97698a234d0dcc86c542f97bcf80d34b403676cb
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
412KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
412KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
9.6MB
-
Filesize
9.9MB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
344KB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
64KB
-
Filesize
9.9MB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
32KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
512KB
-
Filesize
9.6MB
-
Filesize
2.9MB
-
Filesize
9.6MB