Overview

overview

10

Static

static

3

New_Order_...93.exe

windows7-x64

1

New_Order_...93.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    94s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 08:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New_Order_PO_GM5637H93.exe

  • Size

    2.7MB

  • MD5

    181d1f4b2a81a394496d18ac24a00bfe

  • SHA1

    2ded294c88299de16004433359748c0422bae330

  • SHA256

    06150e8a137191d9513d89883efb3e0d3abe5839682c8340f4c4288e13b3b8bf

  • SHA512

    397d78813a53949364440dedf1a9f3551ca5700b0ded182bb009a9cd5b824614884905e706c959f92feaa8738cca81fd115cafedd18056eb0469368f497730e7

  • SSDEEP

    12288:VpoDtmdTXqQ0hS8dRwyD+zWC0hj3BoIO/R7n4fN/ylZMs+Ury8y:Vyx2l0h9zx+aC0p3SlZ74wZp+18y

Score
10/10
redlinexwormfozdiscoveryevasionexecutioninfostealerpersistenceratspywaretrojan

Malware Config

Extracted

Family

redline

Botnet

FOZ

C2

212.162.149.53:36014

Signatures

  • Detect Xworm Payload 33 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 1 IoCs
  • Redline family
    redline
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe
    "C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:1424
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\New_Order_PO_GM5637H93.exe" -Force
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4864
    • C:\Windows\System32\svchost.exe
      "C:\Windows\System32\svchost.exe"
      2⤵
        PID:4988
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        2⤵
        • Drops startup file
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:4188
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
        2⤵
          PID:3016

      Network

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      PowerShell

      1
      T1059.001

      Persistence

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Boot or Logon Autostart Execution

      1
      T1547

      Registry Run Keys / Startup Folder

      1
      T1547.001

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      3
      T1562

      Disable or Modify Tools

      3
      T1562.001

      Modify Registry

      5
      T1112

      Credential Access

      Unsecured Credentials

      1
      T1552

      Credentials In Files

      1
      T1552.001

      Discovery

      Query Registry

      1
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ke3vo1wn.fv0.ps1
        Filesize

        60B

        MD5

        d17fe0a3f47be24a6453e9ef58c94641

        SHA1

        6ab83620379fc69f80c0242105ddffd7d98d5d9d

        SHA256

        96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

        SHA512

        5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

        Download Submit

      • memory/1424-236-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/1424-0-0x00007FFA1ADC3000-0x00007FFA1ADC5000-memory.dmp

        Filesize

        8KB

        Download

      • memory/1424-1-0x000001D796C30000-0x000001D796C38000-memory.dmp

        Filesize

        32KB

        Download

      • memory/1424-2-0x000001D7B1010000-0x000001D7B109A000-memory.dmp

        Filesize

        552KB

        Download

      • memory/1424-3-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4188-64-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-76-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-20-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4188-253-0x0000000009AC0000-0x0000000009FEC000-memory.dmp

        Filesize

        5.2MB

        Download

      • memory/4188-252-0x0000000008E70000-0x0000000009032000-memory.dmp

        Filesize

        1.8MB

        Download

      • memory/4188-251-0x00000000080A0000-0x00000000080F0000-memory.dmp

        Filesize

        320KB

        Download

      • memory/4188-54-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-250-0x0000000007F20000-0x0000000007F6C000-memory.dmp

        Filesize

        304KB

        Download

      • memory/4188-24-0x0000000002E10000-0x0000000002E36000-memory.dmp

        Filesize

        152KB

        Download

      • memory/4188-25-0x0000000005910000-0x0000000005EB4000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4188-26-0x0000000005360000-0x0000000005384000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4188-66-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-87-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-235-0x0000000005440000-0x00000000054DC000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4188-84-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-82-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-18-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4188-80-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-78-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-52-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-74-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-72-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-70-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-68-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-17-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4188-62-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-60-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-58-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-56-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-249-0x0000000007DB0000-0x0000000007DEC000-memory.dmp

        Filesize

        240KB

        Download

      • memory/4188-19-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4188-50-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-48-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-46-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-44-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-42-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-40-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-38-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-36-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-34-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-32-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-30-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-28-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-27-0x0000000005360000-0x000000000537E000-memory.dmp

        Filesize

        120KB

        Download

      • memory/4188-241-0x0000000006660000-0x00000000066F2000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4188-242-0x0000000006650000-0x000000000665A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4188-243-0x0000000000400000-0x0000000000436000-memory.dmp

        Filesize

        216KB

        Download

      • memory/4188-244-0x0000000007270000-0x00000000072D6000-memory.dmp

        Filesize

        408KB

        Download

      • memory/4188-245-0x0000000007C20000-0x0000000007C72000-memory.dmp

        Filesize

        328KB

        Download

      • memory/4188-246-0x0000000008850000-0x0000000008E68000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/4188-247-0x0000000007E10000-0x0000000007F1A000-memory.dmp

        Filesize

        1.0MB

        Download

      • memory/4188-248-0x0000000007D50000-0x0000000007D62000-memory.dmp

        Filesize

        72KB

        Download

      • memory/4864-16-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4864-23-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4864-15-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4864-14-0x00007FFA1ADC0000-0x00007FFA1B881000-memory.dmp

        Filesize

        10.8MB

        Download

      • memory/4864-13-0x000001F8C8200000-0x000001F8C8222000-memory.dmp

        Filesize

        136KB

        Download