Analysis
-
max time kernel
122s -
max time network
147s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
arch:x64, arch:x86, image:win7-20240705-en, locale:en-us, os:windows7-x64, system
submitted
03-08-2024 04:13
Static task
static1
Behavioral task
behavioral1
Sample
0f674147118b728504faa4e9ee9be1f2.exe
Resource
win7-20240705-en
Behavioral task
behavioral2
Sample
0f674147118b728504faa4e9ee9be1f2.exe
Resource
win10v2004-20240802-en
General
-
Target
0f674147118b728504faa4e9ee9be1f2.exe
-
Size
995KB
-
MD5
0f674147118b728504faa4e9ee9be1f2
-
SHA1
d1decfde4071500708161329f9e0c29e85fea315
-
SHA256
f7a08ebdae40fcb8cdc61a569fdf42b9e65d2dd8f88a4cca9cae0e632a3d8f53
-
SHA512
584f4b6caf6e12c692fb8a450c98931910a50f89f424adb10f349db3b7b8f8b485dbe8c7f0731f5d8a2e330973385b6d9692822abc398817db8a2c21aef33250
-
SSDEEP
24576:Cf+6UNxk0J9qt3BGVF+gyToYisepcgq9VB0dEV:CG6U80JAt3BGVF2ksepcnjB0d2
Malware Config
Extracted
xworm
5.0
henzz.ddns.net:7000
vtEVqifwQsIiyHfJ
-
install_file
USB.exe
Extracted
redline
Henz
54.37.93.250:45867
Signatures
-
Detect Xworm Payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2580-22-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
behavioral1/memory/2580-21-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
behavioral1/memory/2580-20-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
behavioral1/memory/2580-17-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
behavioral1/memory/2580-15-0x0000000000400000-0x0000000000410000-memory.dmp | family_xworm
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 5 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2232-70-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2232-67-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2232-65-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
behavioral1/memory/2232-71-0x0000000000400000-0x000000000041E000-memory.dmp | family_redline
-
SectopRAT payload 5 IoCs
The SectopRAT rule fires on exactly the same memory dumps of PID 2232 (RegSvcs.exe) as the RedLine rule above, so the two hits describe one payload, not two. The extracted configuration (family redline, botnet "Henz", C2 54.37.93.250:45867) identifies it as RedLine.
Processes:
resource | yara_rule
behavioral1/memory/2232-70-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2232-67-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2232-65-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
behavioral1/memory/2232-71-0x0000000000400000-0x000000000041E000-memory.dmp | family_sectoprat
-
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource | yara_rule
behavioral1/memory/2580-35-0x0000000006720000-0x0000000006840000-memory.dmp | family_stormkitty
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious access to, or copying of, a web browser credential store.
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths or processes. Here the exclusion is a path: Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\swZCJnIb.exe" (see the process tree below). Add-MpPreference requires an elevated token, so the exclusion only lands when the sample runs as an administrator; on a suspect host, Get-MpPreference | Select-Object ExclusionPath lists what was added.
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2616 | bhjlkv.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | process
2580 | 0f674147118b728504faa4e9ee9be1f2.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Suspicious use of SetThreadContext 2 IoCs
Setting the thread context of another process after writing into its memory (see WriteProcessMemory below) is the classic process hollowing pattern. It occurs twice in this chain: the sample first injects into a second copy of itself (PID 2580, where the XWorm and StormKitty payloads are later found), then the dropped bhjlkv.exe injects into the signed .NET utility RegSvcs.exe (PID 2232, where the RedLine payload is found).
Processes:
description | pid | process | target process
PID 2652 set thread context of 2580 | 2652 | 0f674147118b728504faa4e9ee9be1f2.exe | 0f674147118b728504faa4e9ee9be1f2.exe
PID 2616 set thread context of 2232 | 2616 | bhjlkv.exe | RegSvcs.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. The key is read by many benign processes at startup (it appears here for schtasks.exe and powershell.exe as well), so on its own this is a weak indicator.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0f674147118b728504faa4e9ee9be1f2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | powershell.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0f674147118b728504faa4e9ee9be1f2.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | bhjlkv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | RegSvcs.exe
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes:
pid | process
2652 | 0f674147118b728504faa4e9ee9be1f2.exe
2652 | 0f674147118b728504faa4e9ee9be1f2.exe
2576 | powershell.exe
2580 | 0f674147118b728504faa4e9ee9be1f2.exe
2232 | RegSvcs.exe
2232 | RegSvcs.exe
-
Suspicious use of AdjustPrivilegeToken 4 IoCs
Processes:
description | pid | process
Token: SeDebugPrivilege | 2652 | 0f674147118b728504faa4e9ee9be1f2.exe
Token: SeDebugPrivilege | 2576 | powershell.exe
Token: SeDebugPrivilege | 2580 | 0f674147118b728504faa4e9ee9be1f2.exe
Token: SeDebugPrivilege | 2232 | RegSvcs.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
pid | process
2580 | 0f674147118b728504faa4e9ee9be1f2.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes (identical rows collapsed; the counts sum to 37):
description | pid | process | target process | entries
PID 2652 wrote to memory of 2576 | 2652 | 0f674147118b728504faa4e9ee9be1f2.exe | powershell.exe | 4
PID 2652 wrote to memory of 2728 | 2652 | 0f674147118b728504faa4e9ee9be1f2.exe | schtasks.exe | 4
PID 2652 wrote to memory of 2564 | 2652 | 0f674147118b728504faa4e9ee9be1f2.exe | 0f674147118b728504faa4e9ee9be1f2.exe | 4
PID 2652 wrote to memory of 2580 | 2652 | 0f674147118b728504faa4e9ee9be1f2.exe | 0f674147118b728504faa4e9ee9be1f2.exe | 9
PID 2580 wrote to memory of 2616 | 2580 | 0f674147118b728504faa4e9ee9be1f2.exe | bhjlkv.exe | 4
PID 2616 wrote to memory of 2232 | 2616 | bhjlkv.exe | RegSvcs.exe | 12
Processes
-
C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe (PID 2652)
Command line: "C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2576)
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\swZCJnIb.exe"
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    -
    C:\Windows\SysWOW64\schtasks.exe (PID 2728)
    Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swZCJnIb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    -
    C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe (PID 2564)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
    -
    C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe (PID 2580)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    -
        C:\Users\Admin\AppData\Local\Temp\bhjlkv.exe (PID 2616)
        Command line: "C:\Users\Admin\AppData\Local\Temp\bhjlkv.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        -
            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 2232)
            Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
Note: powershell.exe and schtasks.exe are launched by their System32 paths but run from C:\Windows\SysWOW64\. That is WoW64 file system redirection, which tells you the launching sample is a 32-bit process. The scheduled task name "Updates\swZCJnIb" matches the Defender exclusion path added one step earlier, and RegSvcs.exe is started with no arguments, which a legitimate invocation of that tool never does.
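The four behaviours that the signatures and the process tree above document (a Defender exclusion via Add-MpPreference, a scheduled task registered from an XML file in the user's Temp directory, the sample spawning a copy of itself with no arguments before SetThreadContext, and a dropped executable launching the signed .NET utility RegSvcs.exe with no arguments as a hollowing host) can be expressed as process-creation detection logic. The Python below is an added example; it is not part of this report or of the sandbox's own rules. Its event records are constructed by hand from the process tree on this page (same PIDs, image paths and command lines). The field names, the two benign control events, the definition of "user-writable" as anything under a user's AppData tree, and the list of .NET framework utilities beyond RegSvcs.exe (RegAsm, InstallUtil, MSBuild) are assumptions that go beyond what the page shows.

```python
"""Detection logic for the process chain in this report (added example, not sandbox code)."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record. Constructed schema, not a Triage/Sysmon field layout."""
    pid: int
    ppid: int
    image: str     # full path of the new process
    cmdline: str   # command line as launched


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\0f674147118b728504faa4e9ee9be1f2.exe"

# Constructed from the process tree on this page (same PIDs, paths and command lines),
# plus two constructed benign events (explorer.exe and a vendor task from Program Files).
EVENTS = [
    ProcEvent(2652, 1000, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(2576, 2652, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
              r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\swZCJnIb.exe"'),
    ProcEvent(2728, 2652, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\swZCJnIb" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp"'),
    ProcEvent(2580, 2652, SAMPLE, f'"{SAMPLE}"'),   # the copy that later gets SetThreadContext
    ProcEvent(2616, 2580, r"C:\Users\Admin\AppData\Local\Temp\bhjlkv.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bhjlkv.exe"'),
    ProcEvent(2232, 2616, r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
              r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'),
    ProcEvent(4000, 1, r"C:\Windows\explorer.exe", r'"C:\Windows\explorer.exe"'),
    ProcEvent(4100, 4000, r"C:\Windows\System32\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Vendor\Updater" '
              r'/XML "C:\Program Files\Vendor\task.xml"'),
]

# Assumption: "user-writable" means any path under a user's AppData tree.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)
# Assumption: signed .NET framework utilities commonly abused as hollowing hosts;
# the page itself only shows RegSvcs.exe.
DOTNET_UTIL = re.compile(
    r"\\microsoft\.net\\framework(?:64)?\\v[\d.]+\\(?:regsvcs|regasm|installutil|msbuild)\.exe$",
    re.I)
DEFENDER_EXCL = re.compile(r"\badd-mppreference\b.*-exclusion(?:path|process|extension)", re.I)


def args_of(cmdline: str) -> str:
    """Strip the (possibly quoted) program path and return the remaining arguments."""
    m = re.match(r'^\s*(?:"[^"]*"|\S+)\s*(.*)$', cmdline)
    return m.group(1).strip() if m else ""


def xml_arg(args: str):
    """Return the path passed to schtasks /XML, handling quoted and unquoted forms."""
    m = re.search(r'/xml\s+(?:"([^"]*)"|(\S+))', args, re.I)
    return (m.group(1) or m.group(2)) if m else None


def analyze(events):
    """Return (pid, finding) tuples for the four behaviours documented in this report."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e.ppid)
        name = e.image.rsplit("\\", 1)[-1].lower()
        args = args_of(e.cmdline)
        # 1. Defender tampering: Add-MpPreference with any -Exclusion* switch.
        if name == "powershell.exe" and DEFENDER_EXCL.search(args):
            findings.append((e.pid, "defender_exclusion_tamper"))
        # 2. Persistence: task registered from an XML file in a user-writable path.
        if name == "schtasks.exe" and re.search(r"/create\b", args, re.I):
            xml = xml_arg(args)
            if xml and USER_WRITABLE.search(xml):
                findings.append((e.pid, "schtasks_xml_from_user_path"))
        # 3. Hollowing host: .NET utility started with no arguments by a user-path parent.
        if DOTNET_UTIL.search(e.image) and not args and parent and USER_WRITABLE.search(parent.image):
            findings.append((e.pid, "dotnet_utility_hollowing_target"))
        # 4. Self-injection setup: a user-path binary spawning its own image with no arguments.
        if (parent and parent.image.lower() == e.image.lower()
                and USER_WRITABLE.search(e.image) and not args):
            findings.append((e.pid, "self_spawn_from_user_path"))
    return findings


if __name__ == "__main__":
    for pid, tag in analyze(EVENTS):
        print(pid, tag)
```

Run against the constructed events it flags PIDs 2576, 2728, 2580 and 2232 and stays silent on the benign schtasks call, because the discriminator for rule 2 is where the XML lives, not the use of /XML itself. Rules 3 and 4 deliberately key on an empty argument list plus a user-writable parent or image; a developer running RegSvcs.exe with an assembly path, or an updater relaunching itself with flags, does not match.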
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Execution
- Command and Scripting Interpreter (1): PowerShell (1)
- Scheduled Task/Job (1): Scheduled Task (1)
Credential Access
- Credentials from Password Stores (1): Credentials from Web Browsers (1)
- Unsecured Credentials (2): Credentials In Files (2)
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp7417.tmp (the task definition passed to schtasks /XML)
Filesize: 1KB
MD5: a8a99b6ad8e21834187f156363286159
SHA1: 5cee1b060a82bdb58984e654d41d292508fc6439
SHA256: f895b797a4bcf4e5d8c2fce4ba4ed82db207042937cb7e672f14971a2f717475
SHA512: b017c6100926bb454e385624125bfbb0267b8c974127fbbd34b462feefb42a480ff280647416c2ab5de89f99a9a7eff69df2fdea15a0dfbc77e25c61c5ffa94e
-
C:\Users\Admin\AppData\Local\Temp\tmpF9B.tmp
Filesize: 46KB
MD5: 02d2c46697e3714e49f46b680b9a6b83
SHA1: 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256: 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512: 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac
-
C:\Users\Admin\AppData\Local\Temp\tmpFC0.tmp
Filesize: 92KB
MD5: c61f0bee83c8a956f2cf4ceba90bebc9
SHA1: f4f61f0e65b7669be468cacaf8e00b2f30cb46cc
SHA256: 601c578f842ad1a4c743f3bf049d691225697819abe9b75bfe156264412e28dc
SHA512: e6949a72e8bc26fd2910339ae75f22a36a0ad0bf9579bb2a0ada2ee2b8fb3a1b3891756eec774d4a64263e937c6ae768249e64874c559bb2f1b69d2d38bfceaa
-
C:\Users\Admin\AppData\Local\Temp\tmpFFB.tmp
Filesize: 96KB
MD5: d367ddfda80fdcf578726bc3b0bc3e3c
SHA1: 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256: 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512: 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77
-
\Users\Admin\AppData\Local\Temp\bhjlkv.exe
Filesize: 522KB
MD5: 48848dc652fd9227f5383c9abfc5bae1
SHA1: c0e7bc68784a9bafe9f0c43d7a3b1f52f724e22e
SHA256: 97c6fe300a253318d1d0a83a4199786c478ddcafaf6eec44804b8fb6f06902bd
SHA512: aba97da36bc65355c9aed66755ebdfec5b274ce490d117ad3cd74173b041264dffac7d80ec411affd424ecb52a7842edb721748edbcae70d1ba65d2c3b49460a
-
Memory dumps (path | filesize):
memory/2232-69-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/2232-71-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2232-61-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2232-67-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2232-65-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2232-70-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2232-63-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2232-72-0x0000000000400000-0x000000000041E000-memory.dmp | 120KB
memory/2580-19-0x000000007EFDE000-0x000000007EFDF000-memory.dmp | 4KB
memory/2580-11-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2580-13-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2580-15-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2580-17-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2580-20-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2580-35-0x0000000006720000-0x0000000006840000-memory.dmp | 1.1MB
memory/2580-36-0x0000000004AB0000-0x0000000004ABE000-memory.dmp | 56KB
memory/2580-21-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2580-22-0x0000000000400000-0x0000000000410000-memory.dmp | 64KB
memory/2616-34-0x00000000005E0000-0x00000000005F6000-memory.dmp | 88KB
memory/2616-60-0x0000000001040000-0x00000000010A0000-memory.dmp | 384KB
memory/2616-33-0x00000000010F0000-0x0000000001178000-memory.dmp | 544KB
memory/2652-3-0x00000000001C0000-0x00000000001D2000-memory.dmp | 72KB
memory/2652-5-0x0000000000E10000-0x0000000000E62000-memory.dmp | 328KB
memory/2652-4-0x0000000000280000-0x000000000028E000-memory.dmp | 56KB
memory/2652-24-0x0000000074890000-0x0000000074F7E000-memory.dmp | 6.9MB
memory/2652-0-0x000000007489E000-0x000000007489F000-memory.dmp | 4KB
memory/2652-1-0x0000000000E70000-0x0000000000F6E000-memory.dmp | 1016KB
memory/2652-2-0x0000000074890000-0x0000000074F7E000-memory.dmp | 6.9MB