Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
09-08-2024 08:13
Behavioral task
behavioral1
Sample
screensaver.exe
Resource
win7-20240708-en
Behavioral task
behavioral2
Sample
screensaver.exe
Resource
win10v2004-20240802-en
General
-
Target
screensaver.exe
-
Size
40KB
-
MD5
532f554a589dcb3b7adbfb1f2792ff35
-
SHA1
0bc817dc4f4f7350afc7b66e87d72f8376e3af58
-
SHA256
1c8cc063b64f9c4f5beb55f64cf19efb96e2e9d592c221366ec9ceafc4f9c545
-
SHA512
d513e4d630cd81e0bc22f8131d4cbe521847845e2f129ba961b1f83e97216af5a21a0e8a77c27fdfe115104901a06b7b56294f7fe52f1f6854e8e1dc3c57c5b1
-
SSDEEP
768:v9aG+ZAGcowW/A1rAmhNdATtF5PG9IhoOwhk3IEJ:vwAL0A1MEApFo9IGOwahJ
Malware Config
Extracted
xworm
5.0
memorialwords.xyz:4444
0FDfqtSCPc6omfwK
-
Install_directory
%AppData%
-
install_file
Adobe\Reader\updater.exe
Extracted
redline
xclient
memorialwords.xyz:6666
Signatures
-
Detect Xworm Payload 2 IoCs
Processes:
resource yara_rule behavioral2/memory/3432-1-0x0000000000A50000-0x0000000000A60000-memory.dmp family_xworm C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe family_xworm -
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ejzkxl.exe family_redline behavioral2/memory/3472-17-0x0000000000AB0000-0x0000000000ACE000-memory.dmp family_redline -
SectopRAT payload 2 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Local\Temp\ejzkxl.exe family_sectoprat behavioral2/memory/3472-17-0x0000000000AB0000-0x0000000000ACE000-memory.dmp family_sectoprat -
StormKitty
StormKitty is an open source info stealer written in C#.
-
StormKitty payload 1 IoCs
Processes:
resource yara_rule behavioral2/memory/3432-228-0x000000001E2D0000-0x000000001E3EE000-memory.dmp family_stormkitty -
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
screensaver.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation screensaver.exe -
Executes dropped EXE 4 IoCs
Processes:
ejzkxl.exeupdater.exeupdater.exeupdater.exepid process 3472 ejzkxl.exe 1108 updater.exe 980 updater.exe 1992 updater.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow ioc 19 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
ejzkxl.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ejzkxl.exe -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
Processes:
screensaver.exeejzkxl.exepid process 3432 screensaver.exe 3472 ejzkxl.exe 3472 ejzkxl.exe -
Suspicious use of AdjustPrivilegeToken 6 IoCs
Processes:
screensaver.exeejzkxl.exeupdater.exeupdater.exeupdater.exedescription pid process Token: SeDebugPrivilege 3432 screensaver.exe Token: SeDebugPrivilege 3432 screensaver.exe Token: SeDebugPrivilege 3472 ejzkxl.exe Token: SeDebugPrivilege 1108 updater.exe Token: SeDebugPrivilege 980 updater.exe Token: SeDebugPrivilege 1992 updater.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
screensaver.exepid process 3432 screensaver.exe -
Suspicious use of WriteProcessMemory 5 IoCs
Processes:
screensaver.exedescription pid process target process PID 3432 wrote to memory of 1820 3432 screensaver.exe schtasks.exe PID 3432 wrote to memory of 1820 3432 screensaver.exe schtasks.exe PID 3432 wrote to memory of 3472 3432 screensaver.exe ejzkxl.exe PID 3432 wrote to memory of 3472 3432 screensaver.exe ejzkxl.exe PID 3432 wrote to memory of 3472 3432 screensaver.exe ejzkxl.exe -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\screensaver.exe"C:\Users\Admin\AppData\Local\Temp\screensaver.exe"1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3432 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "updater" /tr "C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:1820 -
C:\Users\Admin\AppData\Local\Temp\ejzkxl.exe"C:\Users\Admin\AppData\Local\Temp\ejzkxl.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3472
-
C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exeC:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1108
-
C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exeC:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:980
-
C:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exeC:\Users\Admin\AppData\Roaming\Adobe\Reader\updater.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1992
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
654B
MD52ff39f6c7249774be85fd60a8f9a245e
SHA1684ff36b31aedc1e587c8496c02722c6698c1c4e
SHA256e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced
SHA5121d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1
-
Filesize
95KB
MD5efbdc64139ab0861a5714b87bec21240
SHA1e68e6811f863e493c2a7104f50513fb0665737ea
SHA25647198e417630b385a84105464bc155cc8596318a4f4c6c169347f1f28098a8e7
SHA5126c1229324b3aca049d5167490348bdb83d59759ceee8678ef88735829e0d861bb552addcada1ddf1368f325d06d6db91dd13e61d05531cc4e09a292068ad066c
-
Filesize
40KB
MD5a182561a527f929489bf4b8f74f65cd7
SHA18cd6866594759711ea1836e86a5b7ca64ee8911f
SHA25642aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA5129bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558
-
Filesize
114KB
MD535fb57f056b0f47185c5dfb9a0939dba
SHA17c1b0bbbb77dbe46286078bca427202d494a5d36
SHA2561dc436687ed65d9f2fcda9a68a812346f56f566f7671cbe1be0beaa157045294
SHA512531351adffddc5a9c8c9d1fcba531d85747be0927156bae79106114b4bdc3f2fd2570c97bbfcec09265dcc87ed286655f2ab15fb3c7af0ad638a67a738f504c7
-
Filesize
48KB
MD5349e6eb110e34a08924d92f6b334801d
SHA1bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA5122a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574
-
Filesize
20KB
MD549693267e0adbcd119f9f5e02adf3a80
SHA13ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2
-
Filesize
116KB
MD5f70aa3fa04f0536280f872ad17973c3d
SHA150a7b889329a92de1b272d0ecf5fce87395d3123
SHA2568d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA51230675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84
-
Filesize
96KB
MD540f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1d6582ba879235049134fa9a351ca8f0f785d8835
SHA256cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
-
Filesize
40KB
MD5532f554a589dcb3b7adbfb1f2792ff35
SHA10bc817dc4f4f7350afc7b66e87d72f8376e3af58
SHA2561c8cc063b64f9c4f5beb55f64cf19efb96e2e9d592c221366ec9ceafc4f9c545
SHA512d513e4d630cd81e0bc22f8131d4cbe521847845e2f129ba961b1f83e97216af5a21a0e8a77c27fdfe115104901a06b7b56294f7fe52f1f6854e8e1dc3c57c5b1