Overview

overview

10

Static

static

3

500b51771f...30.exe

windows7-x64

10

500b51771f...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    25-04-2024 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe

  • Size

    196KB

  • MD5

    edd7441051bbf509ef1052d9f2a02c8f

  • SHA1

    7338ef9ddb0b59228b31c6b7931fae04ace344e8

  • SHA256

    500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30

  • SHA512

    0aa4f2666213b571114cdd56c859200ab34a615cde57e67d142d4522369c74b8d4c37c9c95c97a76b93abbb0795ce698e4a888e646fdd2b05fe80f81da074f93

  • SSDEEP

    3072:LhAMBSpVNwpB7/LaX6No7INoSXlb2Q4u3lriJYzr9B/erenNecMnq+ECqmIkk6:LaP+fvLW7IVXliQz3l//3Pyq+RqmI

Score
10/10
redlinesectopratxwormidsinfostealerpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

91.92.252.220:7000
Attributes
  • Install_directory

    %Temp%

  • install_file

    mstc.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

IDS

C2

91.92.252.220:9078

Signatures

  • Detect Xworm Payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 3 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 3 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Detects executables using Telegram Chat Bot 5 IoCs
  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
    "C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1984
    • C:\ProgramData\XClient.exe
      "C:\ProgramData\XClient.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2572
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1064
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:812
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2180
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"
        3⤵
        • Creates scheduled task(s)
        PID:1540
    • C:\ProgramData\build.exe
      "C:\ProgramData\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2956
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {B6958196-F09F-4235-9105-E90729CFDB47} S-1-5-21-2721934792-624042501-2768869379-1000:BISMIZHX\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2480
    • C:\Users\Admin\AppData\Local\Temp\mstc.exe
      C:\Users\Admin\AppData\Local\Temp\mstc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:268
    • C:\Users\Admin\AppData\Local\Temp\mstc.exe
      C:\Users\Admin\AppData\Local\Temp\mstc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3048
    • C:\Users\Admin\AppData\Local\Temp\mstc.exe
      C:\Users\Admin\AppData\Local\Temp\mstc.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2604

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

System Information Discovery

1
T1082

Query Registry

1
T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\XClient.exe
    Filesize

    83KB

    MD5

    5b7ac9829cdca0b5e82604191dcc1d4e

    SHA1

    5e944b6afea5db67b4d272a7b02bdf5501ca213f

    SHA256

    bc8306a6f60583de0b2a2818f1f9d1df8e80ef29dcf46b9471e4697f219e1251

    SHA512

    505491b019e948b14500867e927c9ab48642571733b944afc054922ed46a25eebbfae1615500e4755b0f022e5993cc4bd5124cf27c218a118070812e92bc1b33

    Download Submit
  • C:\ProgramData\build.exe
    Filesize

    95KB

    MD5

    d32bddd3639f42733a78945885002128

    SHA1

    6dcfc09b8c86e79ac70a63132a5162d3616c6479

    SHA256

    34dac9b900a3c810e466f9cac9ba5f0a062ff2be7719fc443cb23d0f8ac0390e

    SHA512

    b28fc39e77245d5a52ae5d25ac363c95db8b20a960caabc7aa4f3339b2a8d27f7f92846e2a4173fd0f776be4034fbfe5e60b375eebb465dbe78017d8479ad511

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
    Filesize

    7KB

    MD5

    e491cf1c50f6e590cb11ef6345cc0ca3

    SHA1

    ae514607266cbf00015ab19d62e1a26e448f2358

    SHA256

    c8a917704079a26ebee31c75d85e4700ff66ecbaeadab799e3b8af3519edc2d8

    SHA512

    c9c44b07eb83139cb2a71c6b0754f1afaf4d1a13b4a134cf69479688bc3e8b03d6f7fc53fdf7d197b2454c1c9561310f0c96c23a7fd408a34ee6c1afcea59928

    Download Submit
  • \??\PIPE\srvsvc
    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

    Download Submit
  • memory/268-83-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/268-82-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/268-81-0x0000000000370000-0x000000000038C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/812-53-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/812-55-0x0000000002DE0000-0x0000000002E60000-memory.dmp
    Filesize

    512KB

    Download
  • memory/812-56-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/812-59-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/812-58-0x0000000002DE0000-0x0000000002E60000-memory.dmp
    Filesize

    512KB

    Download
  • memory/812-57-0x0000000002DE0000-0x0000000002E60000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1064-44-0x0000000002BB0000-0x0000000002C30000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1064-47-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1064-46-0x0000000002BB0000-0x0000000002C30000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1064-42-0x0000000002BB0000-0x0000000002C30000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1064-37-0x000000001B640000-0x000000001B922000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1064-39-0x0000000002790000-0x0000000002798000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1064-40-0x0000000002BB0000-0x0000000002C30000-memory.dmp
    Filesize

    512KB

    Download
  • memory/1064-38-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1064-41-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/1984-0-0x00000000002E0000-0x0000000000318000-memory.dmp
    Filesize

    224KB

    Download
  • memory/1984-15-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1984-1-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2180-66-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2180-68-0x0000000002D00000-0x0000000002D80000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2180-73-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2180-71-0x0000000002D00000-0x0000000002D80000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2180-72-0x0000000002D00000-0x0000000002D80000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2180-70-0x0000000002D00000-0x0000000002D80000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2180-69-0x000007FEEDB30000-0x000007FEEE4CD000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2428-24-0x000000001B720000-0x000000001BA02000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/2428-31-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2428-27-0x0000000001D80000-0x0000000001E00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2428-25-0x0000000001EF0000-0x0000000001EF8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/2428-30-0x0000000001D80000-0x0000000001E00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2428-29-0x0000000001D80000-0x0000000001E00000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2428-28-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2428-26-0x000007FEEE4D0000-0x000007FEEEE6D000-memory.dmp
    Filesize

    9.6MB

    Download
  • memory/2572-67-0x000000001B270000-0x000000001B2F0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2572-12-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2572-19-0x000000001B270000-0x000000001B2F0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2572-13-0x0000000000BB0000-0x0000000000BCC000-memory.dmp
    Filesize

    112KB

    Download
  • memory/2572-43-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2604-90-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2604-91-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2956-16-0x0000000000E40000-0x0000000000E5E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2956-17-0x0000000074500000-0x0000000074BEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2956-18-0x0000000002390000-0x00000000023D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2956-54-0x0000000002390000-0x00000000023D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2956-45-0x0000000074500000-0x0000000074BEE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3048-87-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3048-86-0x0000000001050000-0x000000000106C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/3048-88-0x000007FEF5800000-0x000007FEF61EC000-memory.dmp
    Filesize

    9.9MB

    Download