Malware Analysis Report

2024-11-16 13:07

Sample ID 241106-cfkpbatcnk
Target c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe
SHA256 c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3
Tags
xworm redline sectoprat cheat discovery infostealer rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d76f37afa87bcbf02ab3

Threat Level: Known bad

The file c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe was found to be: Known bad.

Malicious Activity Summary

xworm redline sectoprat cheat discovery infostealer rat spyware stealer trojan

RedLine payload

Xworm family

Detect Xworm Payload

Redline family

RedLine

Xworm

Sectoprat family

SectopRAT

SectopRAT payload

Checks computer location settings

Reads user/profile data of web browsers

Executes dropped EXE

Accesses cryptocurrency files/wallets, possible credential harvesting

Checks installed software on the system

System Location Discovery: System Language Discovery

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-06 02:01

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

Xworm family

xworm

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-06 02:01

Reported

2024-11-06 02:03

Platform

win7-20240903-en

Max time kernel

120s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Xworm

trojan rat xworm

Xworm family

xworm

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toliaw.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\toliaw.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\toliaw.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\toliaw.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\toliaw.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe"

C:\Users\Admin\AppData\Local\Temp\toliaw.exe

"C:\Users\Admin\AppData\Local\Temp\toliaw.exe"

Network

Country Destination Domain Proto
RU 89.110.95.189:7000 tcp
RU 89.110.95.189:45697 89.110.95.189 tcp
US 8.8.8.8:53 api.ip.sb udp
US 172.67.75.172:443 api.ip.sb tcp

Files

C:\Users\Admin\AppData\Local\Temp\toliaw.exe

MD5 6f353cb5e463f29f80df872026d5108f
SHA1 bfbe71a527294b26e0925c79b4d322cdc10b7a19
SHA256 553a5bda03fddd51b2c0c8182d0e5386ee8317df91c72d937162b85283023fc2
SHA512 fc353bc120cf814fc1ca5b0afa22ed6180a15143e34a21a8b7a4a3903a5d9335fa05c50acfd00989c10afce878ed3f60ff0445a2c8139d6aa5c901a0a7b79135

C:\Users\Admin\AppData\Local\Temp\tmp2E72.tmp

MD5 02d2c46697e3714e49f46b680b9a6b83
SHA1 84f98b56d49f01e9b6b76a4e21accf64fd319140
SHA256 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9
SHA512 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

C:\Users\Admin\AppData\Local\Temp\tmp2E88.tmp

MD5 ae2cd96016ba8a9d0c675d9d9badbee7
SHA1 fd9df8750aacb0e75b2463c285c09f3bbd518a69
SHA256 dd0ea2f02d850df691183602f62284445e4871e26a61d9ea72ff1c23c0b0ba04
SHA512 7e0e86980b7f928ea847a097545fa07b0c554617768760d4db9afe448568b97d1536a824b7a1b6c1f3fb1bf14153be07ef32676f878fb63a167d47e3136b5d1d

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-06 02:01

Reported

2024-11-06 02:03

Platform

win10v2004-20241007-en

Max time kernel

133s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe"

Signatures

Detect Xworm Payload

Description Indicator Process Target
N/A N/A N/A N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Redline family

redline

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Sectoprat family

sectoprat

Xworm

trojan rat xworm

Xworm family

xworm

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hxmprf.exe N/A

Reads user/profile data of web browsers

spyware stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Checks installed software on the system

discovery

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\hxmprf.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\hxmprf.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\hxmprf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\hxmprf.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe

"C:\Users\Admin\AppData\Local\Temp\c3bbb675ebfb5dc5d747551529c7feea42f8eeef6675d.exe"

C:\Users\Admin\AppData\Local\Temp\hxmprf.exe

"C:\Users\Admin\AppData\Local\Temp\hxmprf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
RU 89.110.95.189:7000 tcp
US 8.8.8.8:53 189.95.110.89.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
RU 89.110.95.189:45697 89.110.95.189 tcp
US 8.8.8.8:53 api.ip.sb udp
US 104.26.13.31:443 api.ip.sb tcp
US 8.8.8.8:53 31.13.26.104.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 107.12.20.2.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\hxmprf.exe

MD5 6f353cb5e463f29f80df872026d5108f
SHA1 bfbe71a527294b26e0925c79b4d322cdc10b7a19
SHA256 553a5bda03fddd51b2c0c8182d0e5386ee8317df91c72d937162b85283023fc2
SHA512 fc353bc120cf814fc1ca5b0afa22ed6180a15143e34a21a8b7a4a3903a5d9335fa05c50acfd00989c10afce878ed3f60ff0445a2c8139d6aa5c901a0a7b79135

C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Local\Temp\tmp1D86.tmp

MD5 a1eeb9d95adbb08fa316226b55e4f278
SHA1 b36e8529ac3f2907750b4fea7037b147fe1061a6
SHA256 2281f98b872ab5ad2d83a055f3802cbac4839f96584d27ea1fc3060428760ba7
SHA512 f26de5333cf4eaa19deb836db18a4303a8897bf88bf98bb78c6a6800badbaa7ab6aeb6444bbbe0e972a5332670bdbb474565da351f3b912449917be21af0afb8

C:\Users\Admin\AppData\Local\Temp\tmp1DB1.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmp1DC7.tmp

MD5 49693267e0adbcd119f9f5e02adf3a80
SHA1 3ba3d7f89b8ad195ca82c92737e960e1f2b349df
SHA256 d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f
SHA512 b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

C:\Users\Admin\AppData\Local\Temp\tmp1DCD.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmp1DF8.tmp

MD5 40f3eb83cc9d4cdb0ad82bd5ff2fb824
SHA1 d6582ba879235049134fa9a351ca8f0f785d8835
SHA256 cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0
SHA512 cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2
