Overview

overview

10

Static

static

3

f5faa2b827...19.exe

windows7-x64

10

f5faa2b827...19.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    18-05-2024 01:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe

  • Size

    596KB

  • MD5

    1d3535cc01b2cc54b808a55e945707a0

  • SHA1

    a9a563b8ee37f17c847248bb207b28086d9f4628

  • SHA256

    f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19

  • SHA512

    4c344a2abc7ace17a3fced1e3fcf09ac959b47d8bc1a5bf4280d46c3dccd015254a42ce722f93bbbe28f9866696db685df6209b4e863fa9e02772753eeb2ebbc

  • SSDEEP

    12288:15/Sm4/r42toIX4IaZo2BOtdMKX8MbICwAvV6LwfAnxMlpxxWmBNIg9SWvAK:70/rX8IJ2BwNQcfAnxgDzBx

Score
10/10
redlinesectopratxwormvicdiscoveryexecutioninfostealerpersistenceratspywarestealertrojan

Malware Config

Extracted

Family

xworm

C2

127.0.0.1:7000

beshomandotestbesnd.run.place:7000
Attributes
  • Install_directory

    %ProgramData%

  • install_file

    taskmgr.exe

  • telegram

    https://api.telegram.org/bot2128988424:AAEkYnwvOQA95riqRZwlqBxg4GV-odRNOyo/sendMessage?chat_id=966649672

Extracted

Family

redline

Botnet

Vic

C2

beshomandotestbesnd.run.place:1111

Signatures

  • Detect Xworm Payload 4 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 3 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • .NET Reactor proctector 35 IoCs

    Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies system certificate store 2 TTPs 6 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe
    "C:\Users\Admin\AppData\Local\Temp\f5faa2b827aaae846580fe313cfc3562fcf04dbf26320c7190247621c7e10f19.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2320
    • C:\ProgramData\system.exe
      "C:\ProgramData\system.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2836
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\system.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:772
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\ProgramData\taskmgr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1396
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'taskmgr.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1344
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "taskmgr" /tr "C:\ProgramData\taskmgr.exe"
        3⤵
        • Creates scheduled task(s)
        PID:2256
    • C:\ProgramData\build.exe
      "C:\ProgramData\build.exe"
      2⤵
      • Executes dropped EXE
      • Modifies system certificate store
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1960
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {AFD61021-DB39-46A2-B623-AF382B6D7B01} S-1-5-21-2297530677-1229052932-2803917579-1000:HKULBIBU\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1444
    • C:\ProgramData\taskmgr.exe
      C:\ProgramData\taskmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2220
    • C:\ProgramData\taskmgr.exe
      C:\ProgramData\taskmgr.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1556

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\build.exe
    Filesize

    95KB

    MD5

    16280875fdcf55ab4c8f1dff6dabc72e

    SHA1

    39880e6fbb258f4f4fa5c79337ec893acae55fb7

    SHA256

    91455ac8837ff1fdba7067cd3e7f790c1649ae70164ccbdf0483eae831a7253a

    SHA512

    53ba4e5e88a8f19ba3faa2f1244501c2d62827a9178ec0fdc995582e03e7d8e39f2dfd7bde11285781a65a021d4f4aab48b94be66a8a1cebbd47ab0cb819202e

    Download Submit
  • C:\ProgramData\system.exe
    Filesize

    75KB

    MD5

    70b9f8ef4c4ce24fe372b292aebcd138

    SHA1

    5fd7ce9318727b27db0dd50effbb632686d53f8c

    SHA256

    15af516d88e83cfc8d3deebe7aeb9ccaebc558fc93544ef31b612113fcce907b

    SHA512

    b4658ccb665aa9f43cc049a51c477a0b314c5c13d254d648e34f9feca9feb06021bbf271857f73998e31cc7f877fa5457fbe7420beb58f3563fbfbe121a4cbad

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

    Download Submit
  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize

    344B

    MD5

    9151d79df763e0e58d4bc62b2537611e

    SHA1

    c50dda83722a156d5ba2c0678f639b2cb39d405a

    SHA256

    ac77ab75f3d0fb4af0504abf04c6df6e4d184034ecbba0d77633fdc7941f14fb

    SHA512

    54cb8ab2083bee8a2cbfc1b39fcbf4f9f7157caf24757feec9ba5a39b7d200dd43d2690738f92fa7000df52c193a13b46eae03196ebde1e15de73b1458e21ae0

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Cab43D6.tmp
    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Tar4505.tmp
    Filesize

    177KB

    MD5

    435a9ac180383f9fa094131b173a2f7b

    SHA1

    76944ea657a9db94f9a4bef38f88c46ed4166983

    SHA256

    67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

    SHA512

    1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp4BED.tmp
    Filesize

    46KB

    MD5

    02d2c46697e3714e49f46b680b9a6b83

    SHA1

    84f98b56d49f01e9b6b76a4e21accf64fd319140

    SHA256

    522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

    SHA512

    60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmp4C03.tmp
    Filesize

    92KB

    MD5

    bbe71b58e84c50336ee2d3bad3609c39

    SHA1

    bdd3227b48977e583127425cbc2f86ff4077ba10

    SHA256

    b25b7e57924b2382d3178696782b51fa62b68fa7e763081d7a53471cccc1ff3c

    SHA512

    07fcac6778f114fb372dac7ed489624b8e0aed347bc14af77ec36b5201df8b3d99e2a69a384756606030bb146f5c0780f39a274dc5a4b4f6863746ec7fa2ca2a

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MLX02C9X8LCOWV4ZESFJ.temp
    Filesize

    7KB

    MD5

    0c2847a8ff4cf4dd0f6d4306e9d4bb6e

    SHA1

    7ce73b8db0aed857f0a92a2a8b1b415bb7f0524c

    SHA256

    fb26ae6d60520e46da11e94030f9ff1c310c03a63e776334d0fad60d6621a33e

    SHA512

    130f418c89e581aa745e4c339159f728bd01ce24a2d2e5cefd36445a4ec3f7df544a1b710f607fae51b45c6d179ab4d4e2ae8846d00d54d89d02199655a7fd72

    Download Submit
  • \Users\Admin\AppData\Local\Temp\tmpDAB5.tmp
    Filesize

    100KB

    MD5

    1b942faa8e8b1008a8c3c1004ba57349

    SHA1

    cd99977f6c1819b12b33240b784ca816dfe2cb91

    SHA256

    555ccb7ecd9ae52a75135fdd81ab443a49d5785b0621ed6468d28c4234e46ccc

    SHA512

    5aee3d59478d41ddd5885c99b394c9c4983064e2b3528db1a3f7fc289662bced4f57d072517bbe7573c6d1789435e987ef1aa9cc91f372bcfd30bc016675fa43

    Download Submit
  • memory/772-144-0x000000001B580000-0x000000001B862000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/772-145-0x00000000027F0000-0x00000000027F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1596-152-0x00000000027F0000-0x00000000027F8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1596-151-0x000000001B6B0000-0x000000001B992000-memory.dmp
    Filesize

    2.9MB

    Download
  • memory/1960-335-0x0000000073F8E000-0x0000000073F8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-337-0x0000000004290000-0x00000000042D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/1960-134-0x00000000009C0000-0x00000000009DE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1960-135-0x0000000073F8E000-0x0000000073F8F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1960-138-0x0000000004290000-0x00000000042D0000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2220-342-0x0000000001070000-0x000000000108A000-memory.dmp
    Filesize

    104KB

    Download
  • memory/2320-56-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-6-0x0000000002160000-0x00000000021C4000-memory.dmp
    Filesize

    400KB

    Download
  • memory/2320-46-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-44-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-42-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-40-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-38-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-36-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-34-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-32-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-30-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-28-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-26-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-24-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-22-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-20-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-18-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-16-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-12-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-10-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-8-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-7-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-14-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-48-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-5-0x00000000020F0000-0x0000000002156000-memory.dmp
    Filesize

    408KB

    Download
  • memory/2320-4-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize

    892KB

    Download
  • memory/2320-3-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

    Download
  • memory/2320-2-0x0000000000220000-0x00000000002A8000-memory.dmp
    Filesize

    544KB

    Download
  • memory/2320-1-0x00000000006B0000-0x00000000007B0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2320-133-0x0000000000400000-0x00000000004DF000-memory.dmp
    Filesize

    892KB

    Download
  • memory/2320-50-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-52-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-54-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-58-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-60-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-62-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-64-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-66-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-68-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-70-0x0000000002160000-0x00000000021BF000-memory.dmp
    Filesize

    380KB

    Download
  • memory/2320-130-0x00000000006B0000-0x00000000007B0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/2320-131-0x0000000000400000-0x000000000048B000-memory.dmp
    Filesize

    556KB

    Download
  • memory/2836-336-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-139-0x000000001B320000-0x000000001B3A0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2836-338-0x000000001B320000-0x000000001B3A0000-memory.dmp
    Filesize

    512KB

    Download
  • memory/2836-136-0x000007FEF52B3000-0x000007FEF52B4000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2836-343-0x00000000010A0000-0x00000000010DA000-memory.dmp
    Filesize

    232KB

    Download
  • memory/2836-137-0x0000000001130000-0x000000000114A000-memory.dmp
    Filesize

    104KB

    Download