Overview

overview

10

Static

static

3

39962cdef1...7a.exe

windows7-x64

10

39962cdef1...7a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    122s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    31-08-2024 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe

  • Size

    501KB

  • MD5

    6b34408cb796d4e16a6caa577ebce6b9

  • SHA1

    f011ab355ac5a00204c033f3ac73848f6ce4c0ee

  • SHA256

    39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a

  • SHA512

    344defa68966df547a0504ee221a2037f737d469e0c496009209f9334589f0f73ac69226bb74ea60eb116332ccaefa0d5c1f8972a5b9d34628d9bfcc4147ea84

  • SSDEEP

    12288:E2iNErX80k+laBnUISbE0u9QgYZoXONvIGc2:E1ij8v+MKjbE0ul+Nx

Score
10/10
redlinestormkittyvipkeyloggerxwormfozzcredential_accessdiscoveryexecutioninfostealerkeyloggerratspywarestealertrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

91.92.120.13:7099

Mutex

ZCamGCh7lBqmpyCR

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

redline

Botnet

FOZZ

C2

91.92.120.13:1912

Extracted

Family

vipkeylogger

Credentials

Signatures

  • Detect Xworm Payload 5 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

    stealerstormkitty
  • StormKitty payload 1 IoCs
  • VIPKeylogger

    VIPKeylogger is a keylogger and infostealer written in C# and it resembles SnakeKeylogger that was found in 2020.

    stealerkeyloggervipkeylogger
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe
    "C:\Users\Admin\AppData\Local\Temp\39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2452
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DTEmeRxUBaLqyA.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2800
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DTEmeRxUBaLqyA" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2812
    • C:\Users\Admin\AppData\Local\Temp\39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe
      "C:\Users\Admin\AppData\Local\Temp\39962cdef1efccb262b01e3bc41e4380ed1f925885f1a22178e505f5c440887a.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2852

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD3E2.tmp
    Filesize

    1KB

    MD5

    48ed0d50211285397e3806a3250f2acb

    SHA1

    9c124e30509474408694e28dbf88a3538d01b7b6

    SHA256

    751926effe8a028016d41afe0fd533533b2f08794fe3bdd2299b1cd4164eba25

    SHA512

    b6b03a5238471329cc830551bf45f304eeec9ec3fb24708a1e3ba7aa49cab64fbc8a17569677961cb48b7b82f49c17508c1b18acde6bf11418ad7788e6dfc762

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DCANN45EUG634W9BH1XA.temp
    Filesize

    7KB

    MD5

    1efddbbc180fcbdc21deea79cd67ade7

    SHA1

    ddc61bdca6c52d32458e50f47936ec5773dddf14

    SHA256

    bf3742f517c8ad27e6a1f719fdfdd78b562762138d7b378873ddd1812fb6e57a

    SHA512

    1294f043ecccae33a9951d449d71180e45d262d8ab0d5d8c8613d0a97a8d4e018bbce1894ca2c3851aa5c51b07e2a4fffb2c3ea7fc2999bdc9897fe057cfecce

    Download Submit

  • memory/1196-33-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1196-4-0x000000007469E000-0x000000007469F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1196-0-0x000000007469E000-0x000000007469F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1196-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/1196-6-0x0000000000610000-0x0000000000620000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1196-7-0x0000000001200000-0x0000000001250000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1196-2-0x00000000003A0000-0x00000000003BA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1196-1-0x0000000001270000-0x00000000012F4000-memory.dmp

    Filesize

    528KB

    Download

  • memory/1196-3-0x0000000074690000-0x0000000074D7E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2852-22-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-61-0x00000000051E0000-0x00000000051EE000-memory.dmp

    Filesize

    56KB

    Download

  • memory/2852-26-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-20-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-24-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-30-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-32-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2852-35-0x00000000009A0000-0x00000000009EA000-memory.dmp

    Filesize

    296KB

    Download

  • memory/2852-34-0x0000000000660000-0x00000000006B2000-memory.dmp

    Filesize

    328KB

    Download

  • memory/2852-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2852-36-0x00000000075D0000-0x00000000076F0000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2852-60-0x0000000008F60000-0x00000000092B0000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2852-29-0x0000000000400000-0x0000000000410000-memory.dmp

    Filesize

    64KB

    Download