Analysis
- max time kernel: 30s
- max time network: 31s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 14-12-2024 10:37
Static task
- static1
Behavioral tasks
- behavioral1: Sample XWormBeta_Dos.exe, Resource win7-20240729-en
- behavioral2: Sample XWormBeta_Dos.exe, Resource win10v2004-20241007-en
- behavioral3: Sample XWormBeta_Dos.exe, Resource win10ltsc2021-20241211-en
- behavioral4: Sample XWormBeta_Dos.exe, Resource win11-20241023-en
General
- Target: XWormBeta_Dos.exe
- Size: 23.1MB
- MD5: d389f84f0da8a7a89e0b0acbf24757bb
- SHA1: 176d944f9e510988786ec1952a81c950b2ebebbc
- SHA256: ef3f2437199b8f0ab6729ea14728e9be3741da5fe951871aee082bec21a56d7b
- SHA512: 6a600340dbe194b2739e7e55233bca0cdfe51d5eb2d1d5886a79d7320b7b53ce5bb6a282f182e4073e87ce14741d947592f40e75ae04b2e11b1c73181b24e52b
- SSDEEP: 393216:umJClI5MjYCuwuVfH9RpaRZL1e6RxZzczo0ZaF5E2pya4xJPAuRqOvR:qI5MQNf9aRZL06RxZzcz6F5rya4xJPdD
Malware Config
Extracted
- redline
- DARKWEB
- 89.22.234.180:40608
- auth_value: cf407bc0c9a8384bb62aa110b7844cfe
Signatures
-
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
-
RedLine payload 2 IoCs
resource | yara_rule
behavioral1/files/0x00360000000194e9-55.dat | family_redline
behavioral1/memory/2952-62-0x0000000000150000-0x000000000017E000-memory.dmp | family_redline
Redline family
-
Executes dropped EXE 4 IoCs
pid | Process
2160 | CL_Debug_Log.txt
2616 | 11.exe
1488 | XWorm V3.1.exe
2952 | dark.exe
Loads dropped DLL 6 IoCs
pid | Process
2704 | XWormBeta_Dos.exe
2704 | XWormBeta_Dos.exe
2704 | XWormBeta_Dos.exe
2616 | 11.exe
2616 | 11.exe
2616 | 11.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
resource | yara_rule
behavioral1/files/0x0006000000019604-31.dat | autoit_exe
behavioral1/files/0x00350000000194e9-34.dat | autoit_exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 11.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dark.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | XWormBeta_Dos.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | CL_Debug_Log.txt
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | schtasks.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
2840 | schtasks.exe
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid | Process
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
1488 | XWorm V3.1.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
description | pid | Process
Token: SeRestorePrivilege | 2160 | CL_Debug_Log.txt
Token: 35 | 2160 | CL_Debug_Log.txt
Token: SeSecurityPrivilege | 2160 | CL_Debug_Log.txt
Token: SeSecurityPrivilege | 2160 | CL_Debug_Log.txt
Token: SeDebugPrivilege | 1488 | XWorm V3.1.exe
Suspicious use of FindShellTrayWindow 4 IoCs
pid | Process
2704 | XWormBeta_Dos.exe
2704 | XWormBeta_Dos.exe
2704 | XWormBeta_Dos.exe
1488 | XWorm V3.1.exe
Suspicious use of SendNotifyMessage 4 IoCs
pid | Process
2704 | XWormBeta_Dos.exe
2704 | XWormBeta_Dos.exe
2704 | XWormBeta_Dos.exe
1488 | XWorm V3.1.exe
Suspicious use of WriteProcessMemory 24 IoCs
description | pid | Process | procid_target
PID 2704 wrote to memory of 2160 | 2704 | XWormBeta_Dos.exe | 30
PID 2704 wrote to memory of 2160 | 2704 | XWormBeta_Dos.exe | 30
PID 2704 wrote to memory of 2160 | 2704 | XWormBeta_Dos.exe | 30
PID 2704 wrote to memory of 2160 | 2704 | XWormBeta_Dos.exe | 30
PID 2704 wrote to memory of 2748 | 2704 | XWormBeta_Dos.exe | 32
PID 2704 wrote to memory of 2748 | 2704 | XWormBeta_Dos.exe | 32
PID 2704 wrote to memory of 2748 | 2704 | XWormBeta_Dos.exe | 32
PID 2704 wrote to memory of 2748 | 2704 | XWormBeta_Dos.exe | 32
PID 2748 wrote to memory of 2840 | 2748 | cmd.exe | 34
PID 2748 wrote to memory of 2840 | 2748 | cmd.exe | 34
PID 2748 wrote to memory of 2840 | 2748 | cmd.exe | 34
PID 2748 wrote to memory of 2840 | 2748 | cmd.exe | 34
PID 2704 wrote to memory of 2616 | 2704 | XWormBeta_Dos.exe | 35
PID 2704 wrote to memory of 2616 | 2704 | XWormBeta_Dos.exe | 35
PID 2704 wrote to memory of 2616 | 2704 | XWormBeta_Dos.exe | 35
PID 2704 wrote to memory of 2616 | 2704 | XWormBeta_Dos.exe | 35
PID 2616 wrote to memory of 1488 | 2616 | 11.exe | 36
PID 2616 wrote to memory of 1488 | 2616 | 11.exe | 36
PID 2616 wrote to memory of 1488 | 2616 | 11.exe | 36
PID 2616 wrote to memory of 1488 | 2616 | 11.exe | 36
PID 2616 wrote to memory of 2952 | 2616 | 11.exe | 37
PID 2616 wrote to memory of 2952 | 2616 | 11.exe | 37
PID 2616 wrote to memory of 2952 | 2616 | 11.exe | 37
PID 2616 wrote to memory of 2952 | 2616 | 11.exe | 37
Processes
-
C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe (PID: 2704, depth 1)
Command line: "C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe"
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt (PID: 2160, depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmd.exe (PID: 2748, depth 2)
  Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\schtasks.exe (PID: 2840, depth 3)
    Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
  C:\Users\Admin\AppData\Local\Temp\11.exe (PID: 2616, depth 2)
  Command line: C:\Users\Admin\AppData\Local\Temp\11.exe
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe (PID: 1488, depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    C:\Users\Admin\AppData\Local\Temp\dark.exe (PID: 2952, depth 3)
    Command line: "C:\Users\Admin\AppData\Local\Temp\dark.exe"
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
C:\Windows\system32\wbem\WmiApSrv.exe (PID: 2380, depth 1)
Command line: C:\Windows\system32\wbem\WmiApSrv.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 7.4MB
  MD5: 89d74230dc148bf72e52600ac7884ee5
  SHA1: 547e4374c7621feab0643f361b1a0ccebfa22418
  SHA256: ed71a6abed51fd20f8cc053ec648bfcf0584f56663e01a2fa97cc07932072d88
  SHA512: cde4195f7aee54c2fd0178359adb11e1795992251251b74dfc4f01cb79f1432753d315099028cc26579d50bac767efff71cb202970461d2aa867a85243181370
- Filesize: 8.4MB
  MD5: e7b0828258ba8a324add6db2f67033fb
  SHA1: 08f023bafae0b682a6ea803f7d150fbe654847e8
  SHA256: c516ddfd376c218c9aa4732f0a2cd88ad423fceed8c0b32d21cbf2a21dc35b01
  SHA512: b0d46c7885d543ca7f398bf4525c73a7b65eb70eb7b1751d865f582315b620aa144853bae95551aaaeb52e2bf969d59652d5476bef1efd934dcde3de3f312698
- Filesize: 14.6MB
  MD5: 67d306e60d848179cf885c67dc966b12
  SHA1: 4de17c0171f76cba15263e894a5c1634d6b491db
  SHA256: 40bd272bc05857a4b838bbe142f7a0cb39705169cfbc8eae280ecd9203d8ccc7
  SHA512: a6116175f02d052cfc2378987831030262d0a2b8812bd0cbe5aa17af8e475df281bac5c8ce2ee0eca6781f4983bf60aa3de273d5f035bcf2d68b012ff7cbb6a4
- Filesize: 14.6MB
  MD5: 062ac67697c0207b9c7ca480f756f0a0
  SHA1: d7f2eebce4a2e5a386b348a353991f6f59a13154
  SHA256: 45c17461cb505afc9f712d57286327bf2815cb02a3973d113eb698354aa6a294
  SHA512: 39076fe8acbecfadef74ea738fb5a2737c54898c3a424f0b4ea848855d6c369a6dc0f38c1cdcaba06403c64f5b6f3e5184c6a7fe019cb605a00f8ae0fd2baaca
- Filesize: 2KB
  MD5: 49b27c5a8ac75d3c6ac1fa33c8ad7d53
  SHA1: fe2f96324f889c43f93e99158462436376b84002
  SHA256: 8c6216f6fbf299637774d509f2da2c69c03fe90df0c8e9d87ed78c70a0e20655
  SHA512: a65e51a85de48b9c8c16d4939fa495e913744ca2d031f8b93a3e1b12b08a371c31f5e51584468ea810c2487fd22bb5b1c8cd19bb2f1b6978c685a9e69a0761e0
- Filesize: 7.2MB
  MD5: c0897e921672c2619acc5d9ff1329860
  SHA1: 683d5c1b0858cd5089e4a60ba344872531584d35
  SHA256: 607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
  SHA512: 696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff
- Filesize: 722KB
  MD5: 43141e85e7c36e31b52b22ab94d5e574
  SHA1: cfd7079a9b268d84b856dc668edbb9ab9ef35312
  SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
  SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc
- Filesize: 6.9MB
  MD5: 37a9fdc56e605d2342da88a6e6182b4b
  SHA1: 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
  SHA256: 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58
  SHA512: f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3
- Filesize: 159KB
  MD5: 0d1b1c61a083b253810ede683435e6bc
  SHA1: 3a1c3f7a2d18d614a76d938d94b3af6f75580d9f
  SHA256: fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb
  SHA512: dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3