Analysis
  max time kernel: 149s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240412-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 25-04-2024 01:26

Static task: static1

Behavioral task: behavioral1
  Sample: 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
  Resource: win7-20240220-en

Behavioral task: behavioral2
  Sample: 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
  Resource: win10v2004-20240412-en
General
  Target: 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
  Size: 196KB
  MD5: edd7441051bbf509ef1052d9f2a02c8f
  SHA1: 7338ef9ddb0b59228b31c6b7931fae04ace344e8
  SHA256: 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30
  SHA512: 0aa4f2666213b571114cdd56c859200ab34a615cde57e67d142d4522369c74b8d4c37c9c95c97a76b93abbb0795ce698e4a888e646fdd2b05fe80f81da074f93
  SSDEEP: 3072:LhAMBSpVNwpB7/LaX6No7INoSXlb2Q4u3lriJYzr9B/erenNecMnq+ECqmIkk6:LaP+fvLW7IVXliQz3l//3Pyq+RqmI
Malware Config

Extracted: xworm
  127.0.0.1:7000
  91.92.252.220:7000
  Install_directory: %Temp%
  install_file: mstc.exe
  telegram: https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted: redline
  IDS: 91.92.252.220:9078
Signatures

Detect Xworm Payload (2 IoCs)
  resource C:\ProgramData\XClient.exe: yara_rule family_xworm
  resource behavioral2/memory/3716-24-0x0000000000C00000-0x0000000000C1C000-memory.dmp: yara_rule family_xworm

RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload (2 IoCs)
  resource C:\ProgramData\build.exe: yara_rule family_redline
  resource behavioral2/memory/2152-29-0x0000000000070000-0x000000000008E000-memory.dmp: yara_rule family_redline

SectopRAT payload (2 IoCs)
  resource C:\ProgramData\build.exe: yara_rule family_sectoprat
  resource behavioral2/memory/2152-29-0x0000000000070000-0x000000000008E000-memory.dmp: yara_rule family_sectoprat

Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. (2 IoCs)
  resource C:\ProgramData\build.exe: yara_rule INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs
  resource behavioral2/memory/2152-29-0x0000000000070000-0x000000000008E000-memory.dmp: yara_rule INDICATOR_SUSPICIOUS_Binary_Embedded_Crypto_Wallet_Browser_Extension_IDs

Detects Windows executables referencing non-Windows User-Agents (2 IoCs)
  resource C:\ProgramData\XClient.exe: yara_rule INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA
  resource behavioral2/memory/3716-24-0x0000000000C00000-0x0000000000C1C000-memory.dmp: yara_rule INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

Detects executables using Telegram Chat Bot (2 IoCs)
  resource C:\ProgramData\XClient.exe: yara_rule INDICATOR_SUSPICIOUS_EXE_TelegramChatBot
  resource behavioral2/memory/3716-24-0x0000000000C00000-0x0000000000C1C000-memory.dmp: yara_rule INDICATOR_SUSPICIOUS_EXE_TelegramChatBot

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation (process: 500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation (process: XClient.exe)

Drops startup file (2 IoCs)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk (process: XClient.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\mstc.lnk (process: XClient.exe)

Executes dropped EXE (5 IoCs)
  pid 3716 XClient.exe
  pid 2152 build.exe
  pid 3408 mstc.exe
  pid 4976 mstc.exe
  pid 2512 mstc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\mstc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mstc.exe" (process: XClient.exe)

Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  flow 34: ip-api.com

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: AddClipboardFormatListener (1 IoC)
  pid 3716 XClient.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  pid 3600 powershell.exe (3 events)
  pid 2452 powershell.exe (3 events)
  pid 4248 powershell.exe (3 events)
  pid 4160 powershell.exe (3 events)
  pid 3716 XClient.exe (2 events)

Suspicious use of AdjustPrivilegeToken (10 IoCs)
  Token: SeDebugPrivilege, pid 3716 XClient.exe
  Token: SeDebugPrivilege, pid 2152 build.exe
  Token: SeDebugPrivilege, pid 3600 powershell.exe
  Token: SeDebugPrivilege, pid 2452 powershell.exe
  Token: SeDebugPrivilege, pid 4248 powershell.exe
  Token: SeDebugPrivilege, pid 4160 powershell.exe
  Token: SeDebugPrivilege, pid 3716 XClient.exe
  Token: SeDebugPrivilege, pid 3408 mstc.exe
  Token: SeDebugPrivilege, pid 4976 mstc.exe
  Token: SeDebugPrivilege, pid 2512 mstc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  pid 3716 XClient.exe

Suspicious use of WriteProcessMemory (15 IoCs)
  PID 1464 (500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe) wrote to memory of 3716 (XClient.exe): 2 events
  PID 1464 (500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe) wrote to memory of 2152 (build.exe): 3 events
  PID 3716 (XClient.exe) wrote to memory of 3600 (powershell.exe): 2 events
  PID 3716 (XClient.exe) wrote to memory of 2452 (powershell.exe): 2 events
  PID 3716 (XClient.exe) wrote to memory of 4248 (powershell.exe): 2 events
  PID 3716 (XClient.exe) wrote to memory of 4160 (powershell.exe): 2 events
  PID 3716 (XClient.exe) wrote to memory of 2740 (schtasks.exe): 2 events

Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory

  C:\ProgramData\XClient.exe
    command line: "C:\ProgramData\XClient.exe"
    - Checks computer location settings
    - Drops startup file
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\System32\schtasks.exe
      command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"
      - Creates scheduled task(s)

  C:\ProgramData\build.exe
    command line: "C:\ProgramData\build.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\mstc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\mstc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\mstc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\mstc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken

C:\Users\Admin\AppData\Local\Temp\mstc.exe
  command line: C:\Users\Admin\AppData\Local\Temp\mstc.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads

C:\ProgramData\XClient.exe
  Filesize: 83KB
  MD5: 5b7ac9829cdca0b5e82604191dcc1d4e
  SHA1: 5e944b6afea5db67b4d272a7b02bdf5501ca213f
  SHA256: bc8306a6f60583de0b2a2818f1f9d1df8e80ef29dcf46b9471e4697f219e1251
  SHA512: 505491b019e948b14500867e927c9ab48642571733b944afc054922ed46a25eebbfae1615500e4755b0f022e5993cc4bd5124cf27c218a118070812e92bc1b33

C:\ProgramData\build.exe
  Filesize: 95KB
  MD5: d32bddd3639f42733a78945885002128
  SHA1: 6dcfc09b8c86e79ac70a63132a5162d3616c6479
  SHA256: 34dac9b900a3c810e466f9cac9ba5f0a062ff2be7719fc443cb23d0f8ac0390e
  SHA512: b28fc39e77245d5a52ae5d25ac363c95db8b20a960caabc7aa4f3339b2a8d27f7f92846e2a4173fd0f776be4034fbfe5e60b375eebb465dbe78017d8479ad511

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mstc.exe.log
  Filesize: 654B
  MD5: 2ff39f6c7249774be85fd60a8f9a245e
  SHA1: 684ff36b31aedc1e587c8496c02722c6698c1c4e
  SHA256: e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
  SHA512: 1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 440cb38dbee06645cc8b74d51f6e5f71
  SHA1: d7e61da91dc4502e9ae83281b88c1e48584edb7c
  SHA256: 8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe
  SHA512: 3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 05d5387354459e9ab7d9bb0c57aea3d3
  SHA1: 5f61fb290af9904307aec8e6119515a445e5b3d2
  SHA256: 49e8f6b53eb2e390392af544d56f70c4834ba34151acc93fe1b63daf4b3421d9
  SHA512: 945b3f6e05b95f78afc333feb96a0472945d4aac8430711545335bb67d77112761a72a9b5a7f95757af0c6c3590f8aac8a19988a8b9acac0e644f27176e5e68f

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: b577f5e5ce7f7d4a220c6bde8041e5bb
  SHA1: 6745d982e8abde881dcb97a58dd78f010170a0be
  SHA256: c232b84813368c796d25dc0b24f9c2a0a2818d60c09407396d7ec17fb82b592e
  SHA512: e09696425f049926b75f35544d4db00065f8dd408f2504a105a6339fc9a85ba5ddea0f06131b3a6c0e87943964c53082180112050e5f121b38e45e8f16a43c2d

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: e58749a7a1826f6ea62df1e2ef63a32b
  SHA1: c0bca21658b8be4f37b71eec9578bfefa44f862d
  SHA256: 0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93
  SHA512: 4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkckzbbc.1nn.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Memory dumps (Filesize)
  memory/1464-2-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/1464-26-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/1464-0-0x0000000000550000-0x0000000000588000-memory.dmp: 224KB
  memory/2152-98-0x0000000074E70000-0x0000000075620000-memory.dmp: 7.7MB
  memory/2152-33-0x0000000000BB0000-0x0000000000BC0000-memory.dmp: 64KB
  memory/2152-34-0x0000000004AE0000-0x0000000004B2C000-memory.dmp: 304KB
  memory/2152-35-0x0000000004D40000-0x0000000004E4A000-memory.dmp: 1.0MB
  memory/2152-32-0x0000000004AA0000-0x0000000004ADC000-memory.dmp: 240KB
  memory/2152-31-0x0000000004A40000-0x0000000004A52000-memory.dmp: 72KB
  memory/2152-30-0x0000000004FB0000-0x00000000055C8000-memory.dmp: 6.1MB
  memory/2152-29-0x0000000000070000-0x000000000008E000-memory.dmp: 120KB
  memory/2152-28-0x0000000074E70000-0x0000000075620000-memory.dmp: 7.7MB
  memory/2452-55-0x000002BF25780000-0x000002BF25790000-memory.dmp: 64KB
  memory/2452-66-0x000002BF25780000-0x000002BF25790000-memory.dmp: 64KB
  memory/2452-54-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/2452-68-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/2512-131-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/2512-132-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3408-110-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3408-112-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3600-39-0x000002AE23360000-0x000002AE23370000-memory.dmp: 64KB
  memory/3600-38-0x000002AE23360000-0x000002AE23370000-memory.dmp: 64KB
  memory/3600-49-0x000002AE0AE10000-0x000002AE0AE32000-memory.dmp: 136KB
  memory/3600-37-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3600-52-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3716-22-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3716-105-0x000000001BEB0000-0x000000001BFB2000-memory.dmp: 1.0MB
  memory/3716-106-0x000000001BAA0000-0x000000001BAB0000-memory.dmp: 64KB
  memory/3716-86-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/3716-36-0x000000001BAA0000-0x000000001BAB0000-memory.dmp: 64KB
  memory/3716-24-0x0000000000C00000-0x0000000000C1C000-memory.dmp: 112KB
  memory/4160-87-0x000001FB7BB50000-0x000001FB7BB60000-memory.dmp: 64KB
  memory/4160-100-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/4160-85-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/4160-84-0x00007FFB90910000-0x00007FFB90A1B000-memory.dmp: 1.0MB
  memory/4248-83-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/4248-80-0x00000257F9170000-0x00000257F9180000-memory.dmp: 64KB
  memory/4248-76-0x00000257F9170000-0x00000257F9180000-memory.dmp: 64KB
  memory/4248-74-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/4976-122-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB
  memory/4976-123-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp: 10.8MB