Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
08-12-2024 14:06
General
-
Target
spoolsv.exe
-
Size
135KB
-
MD5
fcfae4fdcc273f8a46c51d49fa8a4a03
-
SHA1
3a0e314b7bbdf5467df8b92a348c1b464fd502b0
-
SHA256
49ff687dbb13ed84815f3f57c660a0a4fc5cb21c82b605ce53338538a864586d
-
SHA512
50e6960d98dbc8d63975b0514deb6e9f7266a054e129902ac2ecf7c8500c84e5125d4896c9ec54a4187971832abfe2c575fd4c166baea39712b35f2f35e000f7
-
SSDEEP
3072:pG+KeZW7bSWaWDbkDOrZBRHQbPRyZ2pPYU:pU17buWDbkiBR8AZ2
Malware Config
Extracted
xworm
78.70.235.238:7000
f8terat.ddns.net:7000
-
Install_directory
%Temp%
-
install_file
spoolsv.exe
-
telegram
https://api.telegram.org/bot7742194912:AAGSH51C4BpkbbvEQlO-cv-lDoJZMVxqyN4/sendMessage?chat_id=5456205643
Extracted
redline
l3monlogs
78.70.235.238:1912
Signatures
-
Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.
-
Detect Xworm Payload 1 IoCs
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
-
Redline family
-
Xworm
Xworm is a remote access trojan written in C#.
-
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Drops startup file 2 IoCs
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Sets desktop wallpaper using registry 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 9 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 7 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"1⤵
- Drops startup file
- Adds Run key to start application
- Sets desktop wallpaper using registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'spoolsv.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "spoolsv" /tr "C:\Users\Admin\AppData\Local\Temp\spoolsv.exe"2⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\How To Decrypt My Files.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2636 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
C:\Users\Admin\AppData\Local\Temp\nfzuzf.exe"C:\Users\Admin\AppData\Local\Temp\nfzuzf.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {BC2352E4-C512-4561-B5E6-88BCEF976D06} S-1-5-21-2703099537-420551529-3771253338-1000:XECUDNCD\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\spoolsv.exeC:\Users\Admin\AppData\Local\Temp\spoolsv.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\spoolsv.exeC:\Users\Admin\AppData\Local\Temp\spoolsv.exe2⤵
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD513cea9042dd893ae7a1ce0ec219d4782
SHA1f801665d6cd74705096dddc0c801c553269ca951
SHA256049c52702e68893a44a6634ec2bf3b87d00e670f79a5e2ee021f325846140c3a
SHA512022c2b415f6436ae14ec36485289177dc72ca5b031f61de2bfe27b5de7531adf6735b803f539721b3b57f0bd65f12f6c6696562bebaaf1c8cb2e0224eb099dfc
-
Filesize
342B
MD574aa6f546de1bff4d0a4c5882ee437aa
SHA1c25f523e5dd1f0b8dbed855f05a5012d6ac0ab81
SHA256017fe96aeca99d060bff804f04a5a7cce5ee1bb11e5ae167d232039e8d5f0025
SHA5127a9518fc81a84022b6ab9340aee6a322bd0dabaf237539cb689c8004af77df7a078cc1e8215f0fd292fb846a3476252b56d8308f05cb9a9c5dc09a76d13c2865
-
Filesize
342B
MD5a190ac742d6afc76d5e80185a1512383
SHA1df057b056154fe8e969dcf5fcd14610e070eeba2
SHA256550cb73a045d2974e70a0c771575ac5f6c80854476c79526b1a43e7803274281
SHA5120f917645252f5c59e5958a1922592a90721b1ae51e82b5d457fd0f702a50696e327acb3683f65337dd4f8c904a380bb095bca36ba8464da784b4e75aa510d4bc
-
Filesize
342B
MD59221382faaa71b98261826670f0f9f22
SHA1c89b0aa6f5037aaa7a8047cd0c7021389531511d
SHA25629d3c2f74c788a49c4c42cf64a9283c34b8edf394f1edfd7992d6b672d131ebf
SHA512bbf04abf1449f6e7792e7a867e350d96b7ec14bd286d2307f07f0e28506dd8c44b05bef524cfdd26589e044ebb46acae43373a223411cec3155a542a6983c80a
-
Filesize
342B
MD5c06991d44338ce79ee8b822a33bb59cc
SHA1f1695980e926604c18fed0ff1117a0c784e04b82
SHA256132fd471d922aa6f7ec7d309fc7c9c757cf250709d7494a9cc92ff558048564c
SHA512a88d2a24897a0bae26231b191e10cf0161507b66a9eaf4b91a4409c801ad1d736dd7b42111420425ec175e4b96a2e665cc8309b677408e06c88a138218d1e029
-
Filesize
342B
MD54c3596e02870c3d7ed7d017222778a38
SHA14b2bf3a320ccfbfe78fee946a4c861afe382af2e
SHA2564abf4e6dfd86e248a56e1119a3505ff2c5b6952fa8aaef728d66ddc633d684ef
SHA512784fd145235b55fc2c6a9d9de67e9e194e59a5ad3102398be242f21d0b9f23b272f7f6df480ccd4d515cb304086158bc27111964d536b58e31195db1f2374413
-
Filesize
342B
MD51598216cacb075634bfdfdac8356044c
SHA1cd37f68bd5941ac408f9a8f9a0f243831ef420e2
SHA2562973566b7ad8209a93daeb4a873d08432e496c6cbdb5a85238b5a1e27c510644
SHA5128bdb86754c3acc07ef9763939e9499a34868ac6fa3379e581e4014134120a0c4e89249153bc5b23057c523322910e5f008d75670884887d4455306ce5fdcabb0
-
Filesize
342B
MD53176c0da9c4afbbe6abb7bd006d7d110
SHA1e96fe81c7b6e8933ce78be1988fa3c13877aa3f0
SHA256d5460502e5ff44adcf6c018defb29555052713dff0529ba6c26dbb81209948c3
SHA5120a0cf5d72d816c915bd19865658940ab93313faf02b6861585129e93a9716b6e6887ef101ac2b6140b5d5e5263ac4088a3a6fae11101ae93d7ffa696625a8b76
-
Filesize
342B
MD5222d5e0d10f3d10a7c08cfab2fd51a92
SHA1dad6040858a39ca6b45c02d456a7bf56572c514e
SHA25665ba447952c8a8ead5476a740a126d167075232eb73d7e460d68bf6495cd8c9a
SHA512618232df57744879eb92e00809ff6393505029b237fec69b679a0c91ad983ebb1b49bd2034b2c3320e1e3d5be1461911cd56ba9b61cfb77868d511e8f465138f
-
Filesize
342B
MD591cb6c93c66ddb95882f627e083a201a
SHA132e0d661df5a05ba090081098f4ada1eb39c3593
SHA256ae8271e69f00d7e41d73c0f81f09b4826fa9f36b587c2b892207ae2be70b457b
SHA512b617f1fd0adbea76977d9b07b1fed734ec22d1f7da5d52d50325a520200649e59a8a8e063709b1d8f0ea4623d52f119ff55bd912c590fbd7d0aa249276b19978
-
Filesize
342B
MD510af20ecfd17456150d5b6b4b36b7022
SHA15a55e6e10bc751ed36dd5d88668c6b7a8d9b90d1
SHA25606846c0fafc70953bcd264cbec64e9b6279751a068f1c6fb01bbcf48f823056e
SHA51274eebc4bdd62491a2142d5d465c8936df67ddfbd9c9336fb2b7f3b026105f07edae614ca7eda988acddf7000e192e0a8bbb56aabf7ee20d3c77f290f8f1549dd
-
Filesize
342B
MD586b094d7dd40faade7a2cdb37b228fbd
SHA1b4b0b3888a1e81cf98e8250a6b0c7788f39237d3
SHA2561a7123043114ce2c3e761124074ae93b60b6eb8bef2c8b6dd90c3e8cb2132eca
SHA512ef0f110309a87220df9a9fcd0b8c917c9b95d1eb5213475bcdd6858532f55f868f0c41eb11aa0c1b1b76a212da29b9cb7111a4188f2b092a2c351eda895b7185
-
Filesize
342B
MD57d151d1b7a06f0675b630c6f31bd1c8c
SHA1eb087fa3f959ad954166352d711760c07878bd17
SHA256e777b9cabe20a35bc3913d20093cc58873aef6a10094bb50e0bd75f68b5a87dc
SHA5123f5a240e568afe77cae4024495c55096fcae2c2a49295ffc965db39de37b1558e65f3051a8ac6fecd7e092ab54a4e420409d34be5d798ca03a6885b40c67ee08
-
Filesize
342B
MD55be3609b83f73122472961ecde973088
SHA1f71b07f167e557e809d482fc41e5500f937ad6db
SHA25664f4443613af948608f1db3b71e5b50abebcd8374c997d54a87701438b678756
SHA5121367bde81550aabb1641874be199fc1515e38fb2c50de903cdc18f11990a44df557b3b3e5c1e75149d3d591562eeb36bb91edc9450df05591ed4db9114fee1b6
-
Filesize
342B
MD5e5e677bc6e53fcf0c7b51e5df9e148b8
SHA194064c1b247227b824a7734e06bf8667ed237c98
SHA256f5965f4f2d8d9831357e6ad18e5889645a0645300ca38dbe485831170ee8dc63
SHA512a033d89983b3dc52686f2a51132bb0076fb36041b51637092a4733da37abc4c1bda561672630eca439a4dd8afb89973fc2ad315781672034b1fcdc57c8464fa5
-
Filesize
342B
MD517a5376bd4e6ffada5cb60fe57c62d04
SHA149edd83fb62105039d0a0cc3c2bfcbde00582da2
SHA2564378289c68da4ea86e422a6d8ce51cb5b8d67ccc080f3909871cbd93d437424e
SHA5122b1a53939a2d413d29681db2a3c0c627ebebc802a4352e00421566f729486391d5c9a0321f60779ed3d65c4c091481f89589733e77482000005a7585620950ca
-
Filesize
342B
MD54a93c2c88e7f3542d8cb41ad13663959
SHA151a48e8cedf6ca8bc6c0cf95c36570ab560faa56
SHA256b8347e44d1dd22bb03b9017e966e25f98c7fcceb5e413c58a196ad7dbc489186
SHA5121d1e3e649574ca387f70df8fe83e01d57b1faf24536446eafea75753323e3f088f8e71040ccab8705d390e54cec8ccb38d51d971b610ea254f48f4cd8b807dd5
-
Filesize
342B
MD5fd0d44b924ecfc16d469017d8369adc1
SHA19e192fc07b7032750b8d3b9e41ad4cbed889e860
SHA256dd956331fcde39d7f3763e50042b042234813a41945e736687d9e30f89891658
SHA5120e261d0e959262e091a854e29e559dcb557264942515024b34518ad6ec9c70b71a87ff52b4840dc02b5869795e7d40d2f7043f310aac1b2d01fa871f1386672d
-
Filesize
342B
MD577adad315976b1b09667d06eb16c8a63
SHA11ada838db78fd6498541e5123d11ef65297a4543
SHA256a57e9bae3dee7b44db56fb0a0fa8633b9290bc233ef3c85a4d7972775a82a596
SHA512b8c4a843ffa501b0d94667777a440fdeb120e83e60661c37f3e59d5558829ac09ba6ce7644d8b976f6a204e601e54e4275b6017aff7851086bba63c2933b24eb
-
Filesize
342B
MD5b4f604636983a9aa6c1dadac7b134fc8
SHA130278ed007c603861928993b8925a7766e5b40af
SHA25698e5f94a3b254f3e3ecfc2ec990ec6150362b52da75e72c90be567cfe0bd55c9
SHA5120bd157432355f6d9ba26fbf118d0c67d46874ab646b6c90660a3655c3b7ce462b975df5b6a6323b2e3582382109ff02c49ee07df2cfd1a099a8b06cd02b1efc8
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
300KB
MD5dfefdd2e554fd23f3b87f68c3e0f9622
SHA18be107d3c7e0aba6346ccdac289e29e3a8127af2
SHA256f47c2bb84ce619d0d69445b0a1dce760482f2dd508815ba2667bab5c3a3541e9
SHA5128f11525da059c6aa655d5ad2c41f89ce535ebb7a2bd4d7ce197c2ea244f28947e2338b1f97378130179490e49fd73402ee3dcdc507901f48b41ce9acf79ca182
-
Filesize
7KB
MD5c1845894a87fda0b82442081e0f1a401
SHA100da4ae6fbe3d094124404f33e43c89b656a3090
SHA256564944a645bfb011728111e4aca1094f7ca17395c967c45f2f6417bc268bb089
SHA5122bb4eceef1d47075cc119ae192d89a143ce82cf19e41b28cfc93e36173e558200b879c054b3fd090bfc9cf0ef46902924170245e1d888a857e9b0c8f59d0434a
-
Filesize
13KB
MD525666502963e02a5e30e2a8a0398a6df
SHA16af976473e605ef5b5f7a03ab1ba7b55e116bc3a
SHA256ebff1c3056146e7dc2d4e815d4042356020651a6574e9273adc006356d7c3104
SHA512fea801c1740e24ef65be455b6c9318e161ad493182718bb866a0489b5c4a7bb925157a7939371b294eafdc3fa0c33e4e50f877d72c4c60acb875a4832f96013f
-
Filesize
639B
MD5d2dbbc3383add4cbd9ba8e1e35872552
SHA1020abbc821b2fe22c4b2a89d413d382e48770b6f
SHA2565ca82cbc4d582a4a425ae328ad12fd198095e2854f4f87b27a4b09e91173a3be
SHA512bb5e1bbf28c10c077644136b98d8d02bfec3b3e49c0829b4d4570b30e0aea0276eb748f749a491587a5e70141a7653be1d03c463a22e44efecde2e5a6c6e5e66
-
Filesize
253KB
MD59e186daa3d5557c921dfeb16aa856e41
SHA175aaa4d7b2dddb1650751251129d9d2fc5d2ab9e
SHA2562b26354ba770bb7ff3efa121f43fba50183ddcb6a3a07ccbdacd8bb2bca20f5a
SHA51207870fe30545e200b6ea910385452f2dbc8825340bcd726c2b9c0b16255ad43b534be740ba00edbbad3bf56b17cc6bc00c2ab7b0464da60d379ba245fb104702
-
Filesize
17KB
MD54b7e51a31e871456f412ca3a956f4e9e
SHA1adf94355d87ee281f0cbb8dab04493ad6d4a082f
SHA25626d4fc6ab2ce3785d066a3acd0e563db0dffca512e41689e5a39a4b1c17cd4d8
SHA51244ac22522cb56f4ef3b46d0f6bb6adb7f92602b3a34835342bb940482b87e0ce6ceefcbdf243ec48320985a333808bbfab7231812fdb3fb20f3f87d51f92b521
-
Filesize
321KB
MD54ccfa0a3e1e90a7be34ca30aa324c997
SHA17a7c36027e76febb5fa37d7dc1913c4d11519845
SHA2564274bcf0ff320599a480ae9c4ae92d6f5d21aca84c230266fbea67a561f3b7a0
SHA5121a5b50ec2dfa9f052213e3dd64ce9bd0915a9220e3ee979736cc0b7b46c583a10896fdb091a86ca4eaac3aa63b1377a437437e04f7df47a255b9e1f1afec2363
-
Filesize
457KB
MD59ba6c800e7448defaa6e544d0777f03b
SHA100bf76700b14232a04593cef41798e21cc16cb03
SHA256efc380228d5b3f1ecef2dc71e16b4d9fcd699cbbab491f894bd93be7a4cc85fb
SHA512fe2e68cbf62aecb24c1803ec9484395ab0167c5cdaf1f5d26e13aa1fd2fc71e47825a26103b641372909afbe4d26eaa8a7a2513890c8ee9a75f9c1e9af025d76
-
Filesize
16B
MD542ab8eb81ebc2164308608f18f7560ef
SHA181588de100799eebec78d9af8d71f9cb89948799
SHA256abdfbe7d9a59525c979e68d11df044e12fd4746957602306364dd94aa4a27955
SHA51280c76b340ee62e8187681acea809d49afbff98ae2a3038926ca8a62508cc28767e0c5d70b9cf38fe4fd0384f76cea09e34da573f05737da4bcd4d1d4666c2446
-
Filesize
328KB
-
Filesize
88KB
-
Filesize
208KB
-
Filesize
48KB
-
Filesize
56KB
-
Filesize
2.9MB
-
Filesize
112KB
-
Filesize
288KB
-
Filesize
32KB
-
Filesize
664KB
-
Filesize
9.9MB
-
Filesize
296KB
-
Filesize
4KB
-
Filesize
9.9MB
-
Filesize
160KB
-
Filesize
32KB
-
Filesize
2.9MB
-
Filesize
512KB
-
Filesize
2.9MB
-
Filesize
32KB