Analysis

  • max time kernel: 30s
  • max time network: 31s
  • platform: windows7_x64
  • resource: win7-20240729-en
  • resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted: 14-12-2024 10:37

General

  • Target: XWormBeta_Dos.exe
  • Size: 23.1MB
  • MD5: d389f84f0da8a7a89e0b0acbf24757bb
  • SHA1: 176d944f9e510988786ec1952a81c950b2ebebbc
  • SHA256: ef3f2437199b8f0ab6729ea14728e9be3741da5fe951871aee082bec21a56d7b
  • SHA512: 6a600340dbe194b2739e7e55233bca0cdfe51d5eb2d1d5886a79d7320b7b53ce5bb6a282f182e4073e87ce14741d947592f40e75ae04b2e11b1c73181b24e52b
  • SSDEEP: 393216:umJClI5MjYCuwuVfH9RpaRZL1e6RxZzczo0ZaF5E2pya4xJPAuRqOvR:qI5MQNf9aRZL06RxZzcz6F5rya4xJPdD

Malware Config

Extracted

  • Family: redline
  • Botnet: DARKWEB
  • C2: 89.22.234.180:40608
  • Attributes
    • auth_value: cf407bc0c9a8384bb62aa110b7844cfe

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload (2 IoCs)
  • Redline family
  • Executes dropped EXE (4 IoCs)
  • Loads dropped DLL (6 IoCs)
  • AutoIT Executable (2 IoCs)

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses (10 IoCs)
  • Suspicious use of AdjustPrivilegeToken (5 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe
    "C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2160
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2748
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2840
    • C:\Users\Admin\AppData\Local\Temp\11.exe
      C:\Users\Admin\AppData\Local\Temp\11.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2616
      • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:1488
      • C:\Users\Admin\AppData\Local\Temp\dark.exe
        "C:\Users\Admin\AppData\Local\Temp\dark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2952
  • C:\Windows\system32\wbem\WmiApSrv.exe
    C:\Windows\system32\wbem\WmiApSrv.exe
    1⤵
    PID:2380

Downloads

  • C:\Users\Admin\AppData\Local\Temp\32.exe
    Filesize: 7.4MB
    MD5: 89d74230dc148bf72e52600ac7884ee5
    SHA1: 547e4374c7621feab0643f361b1a0ccebfa22418
    SHA256: ed71a6abed51fd20f8cc053ec648bfcf0584f56663e01a2fa97cc07932072d88
    SHA512: cde4195f7aee54c2fd0178359adb11e1795992251251b74dfc4f01cb79f1432753d315099028cc26579d50bac767efff71cb202970461d2aa867a85243181370

  • C:\Users\Admin\AppData\Local\Temp\64.exe
    Filesize: 8.4MB
    MD5: e7b0828258ba8a324add6db2f67033fb
    SHA1: 08f023bafae0b682a6ea803f7d150fbe654847e8
    SHA256: c516ddfd376c218c9aa4732f0a2cd88ad423fceed8c0b32d21cbf2a21dc35b01
    SHA512: b0d46c7885d543ca7f398bf4525c73a7b65eb70eb7b1751d865f582315b620aa144853bae95551aaaeb52e2bf969d59652d5476bef1efd934dcde3de3f312698

  • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
    Filesize: 14.6MB
    MD5: 67d306e60d848179cf885c67dc966b12
    SHA1: 4de17c0171f76cba15263e894a5c1634d6b491db
    SHA256: 40bd272bc05857a4b838bbe142f7a0cb39705169cfbc8eae280ecd9203d8ccc7
    SHA512: a6116175f02d052cfc2378987831030262d0a2b8812bd0cbe5aa17af8e475df281bac5c8ce2ee0eca6781f4983bf60aa3de273d5f035bcf2d68b012ff7cbb6a4

  • C:\Users\Admin\AppData\Local\Temp\asacpiex.dll
    Filesize: 14.6MB
    MD5: 062ac67697c0207b9c7ca480f756f0a0
    SHA1: d7f2eebce4a2e5a386b348a353991f6f59a13154
    SHA256: 45c17461cb505afc9f712d57286327bf2815cb02a3973d113eb698354aa6a294
    SHA512: 39076fe8acbecfadef74ea738fb5a2737c54898c3a424f0b4ea848855d6c369a6dc0f38c1cdcaba06403c64f5b6f3e5184c6a7fe019cb605a00f8ae0fd2baaca

  • C:\Users\Admin\AppData\Local\Temp\svchost.xml
    Filesize: 2KB
    MD5: 49b27c5a8ac75d3c6ac1fa33c8ad7d53
    SHA1: fe2f96324f889c43f93e99158462436376b84002
    SHA256: 8c6216f6fbf299637774d509f2da2c69c03fe90df0c8e9d87ed78c70a0e20655
    SHA512: a65e51a85de48b9c8c16d4939fa495e913744ca2d031f8b93a3e1b12b08a371c31f5e51584468ea810c2487fd22bb5b1c8cd19bb2f1b6978c685a9e69a0761e0

  • \Users\Admin\AppData\Local\Temp\11.exe
    Filesize: 7.2MB
    MD5: c0897e921672c2619acc5d9ff1329860
    SHA1: 683d5c1b0858cd5089e4a60ba344872531584d35
    SHA256: 607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
    SHA512: 696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff

  • \Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    Filesize: 722KB
    MD5: 43141e85e7c36e31b52b22ab94d5e574
    SHA1: cfd7079a9b268d84b856dc668edbb9ab9ef35312
    SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
    SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

  • \Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
    Filesize: 6.9MB
    MD5: 37a9fdc56e605d2342da88a6e6182b4b
    SHA1: 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
    SHA256: 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58
    SHA512: f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

  • \Users\Admin\AppData\Local\Temp\dark.exe
    Filesize: 159KB
    MD5: 0d1b1c61a083b253810ede683435e6bc
    SHA1: 3a1c3f7a2d18d614a76d938d94b3af6f75580d9f
    SHA256: fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb
    SHA512: dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

  • memory/1488-63-0x000000001EAB0000-0x000000001F61A000-memory.dmp
    Filesize: 11.4MB

  • memory/1488-61-0x0000000000820000-0x0000000000F16000-memory.dmp
    Filesize: 7.0MB

  • memory/2616-59-0x0000000000400000-0x0000000000B3D000-memory.dmp
    Filesize: 7.2MB

  • memory/2704-30-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
    Filesize: 4KB

  • memory/2704-28-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize: 4KB

  • memory/2704-29-0x0000000000680000-0x0000000000681000-memory.dmp
    Filesize: 4KB

  • memory/2704-66-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize: 4KB

  • memory/2704-67-0x0000000000680000-0x0000000000681000-memory.dmp
    Filesize: 4KB

  • memory/2704-68-0x0000000000DC0000-0x0000000000DC1000-memory.dmp
    Filesize: 4KB

  • memory/2952-62-0x0000000000150000-0x000000000017E000-memory.dmp
    Filesize: 184KB