Overview

overview

10

Static

static

3

DreddedsMT_V2 (1).exe

windows7-x64

10

DreddedsMT_V2 (1).exe

windows10-2004-x64

10

Analysis

  • max time kernel
    275s
  • max time network
    295s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-01-2024 21:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DreddedsMT_V2 (1).exe

  • Size

    325KB

  • MD5

    6cb37737df71985fa41dd732e4cebf2c

  • SHA1

    1cba30161e7a6cf9514e1d7e46e7f72dd8da2a57

  • SHA256

    c56c6f394fe19e834ab6e6c1230f227fee52246d00236951d15f05c278016eed

  • SHA512

    36c8bedc2cfcce83bb1e6ec9fbac1da6e7906ec0097e288765663c347eb102202200114cb3883265e7fd32de7ddc498b1a4ad0d5242e0363aebfc02cac22b30e

  • SSDEEP

    3072:exiie1oWClkHsn0JaAB+UTbnLmPvR59RQKiypXg5qm9LxFYbs:erNPuMUaAAWnS35iyFg5qs9

Score
10/10
crealstealerxwormpersistenceratstealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

aes.plain

Signatures

  • An infostealer written in Python and packaged with PyInstaller. 1 IoCs
  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • crealstealer

    An infostealer written in Python and packaged with PyInstaller.

    stealercrealstealer
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 32 IoCs
    adwarespyware
  • Modifies registry class 13 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 24 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\DreddedsMT_V2 (1).exe
    "C:\Users\Admin\AppData\Local\Temp\DreddedsMT_V2 (1).exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3300
    • C:\Users\Admin\AppData\Roaming\discord.exe
      "C:\Users\Admin\AppData\Roaming\discord.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2824
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\discord.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:224
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'discord.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\epicgameslauncher'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:556
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'epicgameslauncher'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4352
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "epicgameslauncher" /tr "C:\Users\Admin\AppData\Roaming\epicgameslauncher"
        3⤵
        • Creates scheduled task(s)
        PID:2984
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2568
      • C:\Windows\system32\chcp.com
        chcp 65001
        3⤵
          PID:4700
        • C:\Windows\system32\ipconfig.exe
          ipconfig
          3⤵
          • Gathers network information
          PID:3228
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2924
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Roaming\microsoft.py
        2⤵
        • Modifies Internet Explorer Phishing Filter
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1100
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1100 CREDAT:17410 /prefetch:2
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1896
    • C:\Users\Admin\AppData\Roaming\epicgameslauncher
      C:\Users\Admin\AppData\Roaming\epicgameslauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3920
    • C:\Users\Admin\AppData\Roaming\epicgameslauncher
      C:\Users\Admin\AppData\Roaming\epicgameslauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1804
    • C:\Users\Admin\AppData\Roaming\epicgameslauncher
      C:\Users\Admin\AppData\Roaming\epicgameslauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3244
    • C:\Users\Admin\AppData\Roaming\epicgameslauncher
      C:\Users\Admin\AppData\Roaming\epicgameslauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3660
    • C:\Users\Admin\AppData\Roaming\epicgameslauncher
      C:\Users\Admin\AppData\Roaming\epicgameslauncher
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2972

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      471B

      MD5

      bcace81d477f3c718f9b8caa06bbbdcc

      SHA1

      966f9283be355a4397633243c28a26ace4f8f5db

      SHA256

      536e164c1bcbbe417f805d4d9722d6e8d934ee957fb54bb0a1faeb65336f6294

      SHA512

      99e5175ccc544a20ce6a1d944002ceee21022eee15c9815ec61fa51785480ff43071c239c0fc9ccbeb0a036fe1b7cd62a4f45b1d9e30da7889410e26f747b679

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      Filesize

      404B

      MD5

      5d844b20d8c94bbdfa2704f8af92a58b

      SHA1

      50b079ef6fe4169b12f8c6d18e6dbe5cff792ba8

      SHA256

      d61162507d40e38425cf71172e6757a5e9b8f3e04a988410a69f096d86c23f46

      SHA512

      4d329f43c960433fd0bf93852b0446d0434de50d7198ca9dbbc75fdc396e822d842faa1d30694a6cc4ca15df51f2a278eb89c172d3a0e02ffa858bd7d343be32

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\epicgameslauncher.log
      Filesize

      654B

      MD5

      2ff39f6c7249774be85fd60a8f9a245e

      SHA1

      684ff36b31aedc1e587c8496c02722c6698c1c4e

      SHA256

      e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

      SHA512

      1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      d85ba6ff808d9e5444a4b369f5bc2730

      SHA1

      31aa9d96590fff6981b315e0b391b575e4c0804a

      SHA256

      84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

      SHA512

      8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\UG0DPB4T\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      6d42b6da621e8df5674e26b799c8e2aa

      SHA1

      ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

      SHA256

      5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

      SHA512

      53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      e3161f4edbc9b963debe22e29658050b

      SHA1

      45dbf88dadafe5dd1cfee1e987c8a219d3208cdb

      SHA256

      1359d6daeaed2f254b162914203c891b23139cc236a3bf75c2dfcbe26265c84a

      SHA512

      006ffb8f37d1f77f8ee79b22ffa413819f565d62773c632b70985759572121c6ab4743139d16d885f8c0ff9d0e0b136686741728b3e142ee54aea3bb733dffb2

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      944B

      MD5

      ba169f4dcbbf147fe78ef0061a95e83b

      SHA1

      92a571a6eef49fff666e0f62a3545bcd1cdcda67

      SHA256

      5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

      SHA512

      8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kzzcxhps.yio.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Dredded'sMT.bat
      Filesize

      5KB

      MD5

      ab56972290ddce5aac7fa4bc3436efab

      SHA1

      3e0a65413a467ac4c4925366766701f016db173c

      SHA256

      fdb6f0c1731c5ba1ee0598b85620ab83a9e1f6ffe708c1d8ed0055b6eb7d67c1

      SHA512

      75ade9804e223bc37837513aaaa0a80d8e4ddab25363261b597d4a8bf33ed6def3736a99c0519b1cd20e04cb2761a8c3956ff3b4bff5a87b48d94c47a6c45754

      Download Submit

    • C:\Users\Admin\AppData\Roaming\discord.exe
      Filesize

      41KB

      MD5

      72ef95ae3368f3e40bb087ddaa1fa5c2

      SHA1

      20d810b3e8623916c7eb09ab3a4d1df45fb1cf62

      SHA256

      dd0eaf0b079081d4e1b37f79c28ea5503e84517a67200b8f2b20a9b9683f5154

      SHA512

      5a7d657c375a4d83c56903e3d0f327939a27c032d24fc309c11dfe2d2deddafab6c56eea33a9ca4e9293e208ced9ef20d4312f3f827c00316f9d8d8490540ae9

      Download Submit

    • C:\Users\Admin\AppData\Roaming\microsoft.py
      Filesize

      78KB

      MD5

      56858a6f2411a10b07e553dafc76f2cc

      SHA1

      51fde952fd7ac4a4ad5afe00ee77116120c1f60b

      SHA256

      ad2c20dc31883ca97884043544fe004cc370270be97ba1bf447b9358c4bd5f92

      SHA512

      62e529809f42460bd13752fa97c0fc6a19b33e82d8350be10d187e336638d1abf12325ebba79535d22d6666d97698a234d0dcc86c542f97bcf80d34b403676cb

      Download Submit

    • memory/224-29-0x000001D168900000-0x000001D168922000-memory.dmp

      Filesize

      136KB

      Download

    • memory/224-39-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/224-36-0x000001D1687C0000-0x000001D1687D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/224-35-0x000001D1687C0000-0x000001D1687D0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/224-34-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/556-68-0x000001D87D3E0000-0x000001D87D3F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-61-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/556-67-0x000001D87D3E0000-0x000001D87D3F0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/556-70-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1572-41-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1572-55-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1572-51-0x000001E7BC840000-0x000001E7BC850000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1572-52-0x000001E7BC840000-0x000001E7BC850000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1804-100-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/1804-99-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2824-95-0x000000001B490000-0x000000001B49C000-memory.dmp

      Filesize

      48KB

      Download

    • memory/2824-16-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2824-89-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2824-15-0x00000000007D0000-0x00000000007E0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2824-23-0x000000001B410000-0x000000001B420000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2972-139-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/2972-140-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3244-107-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3244-108-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3300-2-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3300-21-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3300-0-0x0000000000B40000-0x0000000000B96000-memory.dmp

      Filesize

      344KB

      Download

    • memory/3660-137-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3660-136-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3920-94-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3920-92-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4352-85-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4352-80-0x00007FFF92DA0000-0x00007FFF93861000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/4352-82-0x0000019466180000-0x0000019466190000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4352-83-0x0000019466180000-0x0000019466190000-memory.dmp

      Filesize

      64KB

      Download