Overview

overview

10

Static

static

3

500b51771f...30.exe

windows7-x64

10

500b51771f...30.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240412-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-04-2024 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe

  • Size

    196KB

  • MD5

    edd7441051bbf509ef1052d9f2a02c8f

  • SHA1

    7338ef9ddb0b59228b31c6b7931fae04ace344e8

  • SHA256

    500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30

  • SHA512

    0aa4f2666213b571114cdd56c859200ab34a615cde57e67d142d4522369c74b8d4c37c9c95c97a76b93abbb0795ce698e4a888e646fdd2b05fe80f81da074f93

  • SSDEEP

    3072:LhAMBSpVNwpB7/LaX6No7INoSXlb2Q4u3lriJYzr9B/erenNecMnq+ECqmIkk6:LaP+fvLW7IVXliQz3l//3Pyq+RqmI

Score
10/10
redlinesectopratxwormidsinfostealerpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

91.92.252.220:7000
Attributes
  • Install_directory

    %Temp%

  • install_file

    mstc.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

IDS

C2

91.92.252.220:9078

Signatures

  • Detect Xworm Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Detects executables using Telegram Chat Bot 2 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe
    "C:\Users\Admin\AppData\Local\Temp\500b51771f03e61f1c46fc29c2a786201c123ae5f0369bd1664992bd7c434a30.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1464
    • C:\ProgramData\XClient.exe
      "C:\ProgramData\XClient.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3716
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3600
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2452
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\mstc.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4248
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'mstc.exe'
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4160
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "mstc" /tr "C:\Users\Admin\AppData\Local\Temp\mstc.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2740
    • C:\ProgramData\build.exe
      "C:\ProgramData\build.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2152
  • C:\Users\Admin\AppData\Local\Temp\mstc.exe
    C:\Users\Admin\AppData\Local\Temp\mstc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3408
  • C:\Users\Admin\AppData\Local\Temp\mstc.exe
    C:\Users\Admin\AppData\Local\Temp\mstc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4976
  • C:\Users\Admin\AppData\Local\Temp\mstc.exe
    C:\Users\Admin\AppData\Local\Temp\mstc.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2512

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1
T1053

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\XClient.exe
    Filesize

    83KB

    MD5

    5b7ac9829cdca0b5e82604191dcc1d4e

    SHA1

    5e944b6afea5db67b4d272a7b02bdf5501ca213f

    SHA256

    bc8306a6f60583de0b2a2818f1f9d1df8e80ef29dcf46b9471e4697f219e1251

    SHA512

    505491b019e948b14500867e927c9ab48642571733b944afc054922ed46a25eebbfae1615500e4755b0f022e5993cc4bd5124cf27c218a118070812e92bc1b33

    Download Submit
  • C:\ProgramData\build.exe
    Filesize

    95KB

    MD5

    d32bddd3639f42733a78945885002128

    SHA1

    6dcfc09b8c86e79ac70a63132a5162d3616c6479

    SHA256

    34dac9b900a3c810e466f9cac9ba5f0a062ff2be7719fc443cb23d0f8ac0390e

    SHA512

    b28fc39e77245d5a52ae5d25ac363c95db8b20a960caabc7aa4f3339b2a8d27f7f92846e2a4173fd0f776be4034fbfe5e60b375eebb465dbe78017d8479ad511

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\mstc.exe.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    440cb38dbee06645cc8b74d51f6e5f71

    SHA1

    d7e61da91dc4502e9ae83281b88c1e48584edb7c

    SHA256

    8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

    SHA512

    3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    05d5387354459e9ab7d9bb0c57aea3d3

    SHA1

    5f61fb290af9904307aec8e6119515a445e5b3d2

    SHA256

    49e8f6b53eb2e390392af544d56f70c4834ba34151acc93fe1b63daf4b3421d9

    SHA512

    945b3f6e05b95f78afc333feb96a0472945d4aac8430711545335bb67d77112761a72a9b5a7f95757af0c6c3590f8aac8a19988a8b9acac0e644f27176e5e68f

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    b577f5e5ce7f7d4a220c6bde8041e5bb

    SHA1

    6745d982e8abde881dcb97a58dd78f010170a0be

    SHA256

    c232b84813368c796d25dc0b24f9c2a0a2818d60c09407396d7ec17fb82b592e

    SHA512

    e09696425f049926b75f35544d4db00065f8dd408f2504a105a6339fc9a85ba5ddea0f06131b3a6c0e87943964c53082180112050e5f121b38e45e8f16a43c2d

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    e58749a7a1826f6ea62df1e2ef63a32b

    SHA1

    c0bca21658b8be4f37b71eec9578bfefa44f862d

    SHA256

    0e1f0e684adb40a5d0668df5fed007c9046137d7ae16a1f2f343b139d5f9bc93

    SHA512

    4cf45b2b11ab31e7f67fff286b29d50ed28cd6043091144c5c0f1348b5f5916ed7479cf985595e6f096b586ab93b4b5dce612f688049b8366a2dd91863e98b70

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gkckzbbc.1nn.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • memory/1464-2-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1464-26-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/1464-0-0x0000000000550000-0x0000000000588000-memory.dmp
    Filesize

    224KB

    Download
  • memory/2152-98-0x0000000074E70000-0x0000000075620000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2152-33-0x0000000000BB0000-0x0000000000BC0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2152-34-0x0000000004AE0000-0x0000000004B2C000-memory.dmp
    Filesize

    304KB

    Download
  • memory/2152-35-0x0000000004D40000-0x0000000004E4A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/2152-32-0x0000000004AA0000-0x0000000004ADC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/2152-31-0x0000000004A40000-0x0000000004A52000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2152-30-0x0000000004FB0000-0x00000000055C8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/2152-29-0x0000000000070000-0x000000000008E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/2152-28-0x0000000074E70000-0x0000000075620000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/2452-55-0x000002BF25780000-0x000002BF25790000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2452-66-0x000002BF25780000-0x000002BF25790000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2452-54-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2452-68-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2512-131-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/2512-132-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3408-110-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3408-112-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3600-39-0x000002AE23360000-0x000002AE23370000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3600-38-0x000002AE23360000-0x000002AE23370000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3600-49-0x000002AE0AE10000-0x000002AE0AE32000-memory.dmp
    Filesize

    136KB

    Download
  • memory/3600-37-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3600-52-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3716-22-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3716-105-0x000000001BEB0000-0x000000001BFB2000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/3716-106-0x000000001BAA0000-0x000000001BAB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3716-86-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/3716-36-0x000000001BAA0000-0x000000001BAB0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3716-24-0x0000000000C00000-0x0000000000C1C000-memory.dmp
    Filesize

    112KB

    Download
  • memory/4160-87-0x000001FB7BB50000-0x000001FB7BB60000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4160-100-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4160-85-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4160-84-0x00007FFB90910000-0x00007FFB90A1B000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/4248-83-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4248-80-0x00000257F9170000-0x00000257F9180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-76-0x00000257F9170000-0x00000257F9180000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4248-74-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4976-122-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download
  • memory/4976-123-0x00007FFB74CA0000-0x00007FFB75761000-memory.dmp
    Filesize

    10.8MB

    Download