Analysis

  • max time kernel
    30s
  • max time network
    34s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241211-en
  • resource tags
    arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
  • submitted
    14-12-2024 10:37

General

  • Target
    XWormBeta_Dos.exe
  • Size
    23.1MB
  • MD5
    d389f84f0da8a7a89e0b0acbf24757bb
  • SHA1
    176d944f9e510988786ec1952a81c950b2ebebbc
  • SHA256
    ef3f2437199b8f0ab6729ea14728e9be3741da5fe951871aee082bec21a56d7b
  • SHA512
    6a600340dbe194b2739e7e55233bca0cdfe51d5eb2d1d5886a79d7320b7b53ce5bb6a282f182e4073e87ce14741d947592f40e75ae04b2e11b1c73181b24e52b
  • SSDEEP
    393216:umJClI5MjYCuwuVfH9RpaRZL1e6RxZzczo0ZaF5E2pya4xJPAuRqOvR:qI5MQNf9aRZL06RxZzcz6F5rya4xJPdD

Malware Config

Extracted

  • Family
    redline
  • Botnet
    DARKWEB
  • C2
    89.22.234.180:40608
  • Attributes
    auth_value: cf407bc0c9a8384bb62aa110b7844cfe

Signatures

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • RedLine payload 2 IoCs
  • Redline family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 4 IoCs
  • AutoIT Executable 2 IoCs

    AutoIT scripts compiled to PE executables.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe
    "C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
      C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1292
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5044
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:2608
    • C:\Users\Admin\AppData\Local\Temp\11.exe
      C:\Users\Admin\AppData\Local\Temp\11.exe
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
        "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4180
      • C:\Users\Admin\AppData\Local\Temp\dark.exe
        "C:\Users\Admin\AppData\Local\Temp\dark.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\XWORMB~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\XWORMB~1.EXE" exit)
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2920
      • C:\Windows\SysWOW64\timeout.exe
        timeout /t 0
        3⤵
        • System Location Discovery: System Language Discovery
        • Delays execution with timeout.exe
        PID:4928

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\11.exe
    Filesize: 7.2MB
    MD5: c0897e921672c2619acc5d9ff1329860
    SHA1: 683d5c1b0858cd5089e4a60ba344872531584d35
    SHA256: 607c8e5c6b50f2e6ddc15bac7d48c57a81db1b893fd5ecd8d112c73cd1dc5a52
    SHA512: 696ce43462167d474491fc8dee8cd29ef8d12a1795d6b4e5262332fa58b102a503f5565799f960237b8fa58796391f445856206d70b4b8087f9918399063d4ff

  • C:\Users\Admin\AppData\Local\Temp\32.exe
    Filesize: 7.4MB
    MD5: 89d74230dc148bf72e52600ac7884ee5
    SHA1: 547e4374c7621feab0643f361b1a0ccebfa22418
    SHA256: ed71a6abed51fd20f8cc053ec648bfcf0584f56663e01a2fa97cc07932072d88
    SHA512: cde4195f7aee54c2fd0178359adb11e1795992251251b74dfc4f01cb79f1432753d315099028cc26579d50bac767efff71cb202970461d2aa867a85243181370

  • C:\Users\Admin\AppData\Local\Temp\64.exe
    Filesize: 8.4MB
    MD5: e7b0828258ba8a324add6db2f67033fb
    SHA1: 08f023bafae0b682a6ea803f7d150fbe654847e8
    SHA256: c516ddfd376c218c9aa4732f0a2cd88ad423fceed8c0b32d21cbf2a21dc35b01
    SHA512: b0d46c7885d543ca7f398bf4525c73a7b65eb70eb7b1751d865f582315b620aa144853bae95551aaaeb52e2bf969d59652d5476bef1efd934dcde3de3f312698

  • C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    Filesize: 722KB
    MD5: 43141e85e7c36e31b52b22ab94d5e574
    SHA1: cfd7079a9b268d84b856dc668edbb9ab9ef35312
    SHA256: ea308c76a2f927b160a143d94072b0dce232e04b751f0c6432a94e05164e716d
    SHA512: 9119ae7500aa5cccf26a0f18fd8454245347e3c01dabba56a93dbaaab86535e62b1357170758f3b3445b8359e7dd5d37737318a5d8a6047c499d32d5b64126fc

  • C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt
    Filesize: 14.6MB
    MD5: 67d306e60d848179cf885c67dc966b12
    SHA1: 4de17c0171f76cba15263e894a5c1634d6b491db
    SHA256: 40bd272bc05857a4b838bbe142f7a0cb39705169cfbc8eae280ecd9203d8ccc7
    SHA512: a6116175f02d052cfc2378987831030262d0a2b8812bd0cbe5aa17af8e475df281bac5c8ce2ee0eca6781f4983bf60aa3de273d5f035bcf2d68b012ff7cbb6a4

  • C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
    Filesize: 6.9MB
    MD5: 37a9fdc56e605d2342da88a6e6182b4b
    SHA1: 20bc3df33bbbb676d2a3c572cff4c1d58c79055d
    SHA256: 422ba689937e3748a4b6bd3c5af2dce0211e8a48eb25767e6d1d2192d27f1f58
    SHA512: f556805142b77b549845c0fa2206a4cb29d54752dc5650d9db58c1bbe1f7d0fc15ce04551853fb6454873877dbb88bebd15d81b875b405cdcc2fd21a515820d3

  • C:\Users\Admin\AppData\Local\Temp\dark.exe
    Filesize: 159KB
    MD5: 0d1b1c61a083b253810ede683435e6bc
    SHA1: 3a1c3f7a2d18d614a76d938d94b3af6f75580d9f
    SHA256: fb486189117a81dcce0e772311fd220162e02214d37e6bdde408790e18d10bdb
    SHA512: dc30d2428e2c1e14ca3a4243c8dd58f44068580a08d53480205086f43790b533579757a158118c9b45d8f15899437b9e305caa4a5a24e299a83fc51a057151e3

  • C:\Users\Admin\AppData\Local\Temp\svchost.xml
    Filesize: 2KB
    MD5: 49b27c5a8ac75d3c6ac1fa33c8ad7d53
    SHA1: fe2f96324f889c43f93e99158462436376b84002
    SHA256: 8c6216f6fbf299637774d509f2da2c69c03fe90df0c8e9d87ed78c70a0e20655
    SHA512: a65e51a85de48b9c8c16d4939fa495e913744ca2d031f8b93a3e1b12b08a371c31f5e51584468ea810c2487fd22bb5b1c8cd19bb2f1b6978c685a9e69a0761e0

  • memory/968-65-0x0000000005260000-0x000000000529C000-memory.dmp
    Filesize: 240KB
  • memory/968-63-0x0000000005200000-0x0000000005212000-memory.dmp
    Filesize: 72KB
  • memory/968-64-0x0000000005330000-0x000000000543A000-memory.dmp
    Filesize: 1.0MB
  • memory/968-61-0x0000000000980000-0x00000000009AE000-memory.dmp
    Filesize: 184KB
  • memory/968-66-0x00000000052B0000-0x00000000052FC000-memory.dmp
    Filesize: 304KB
  • memory/968-62-0x0000000005760000-0x0000000005D78000-memory.dmp
    Filesize: 6.1MB
  • memory/3944-59-0x0000000000400000-0x0000000000B3D000-memory.dmp
    Filesize: 7.2MB
  • memory/4180-60-0x0000000000830000-0x0000000000F26000-memory.dmp
    Filesize: 7.0MB
  • memory/4180-67-0x000000001E080000-0x000000001EBEA000-memory.dmp
    Filesize: 11.4MB
  • memory/4180-73-0x000000001BA50000-0x000000001BBF7000-memory.dmp
    Filesize: 1.7MB
  • memory/4180-74-0x000000001BA50000-0x000000001BBF7000-memory.dmp
    Filesize: 1.7MB
  • memory/4584-25-0x0000000000D20000-0x0000000000D21000-memory.dmp
    Filesize: 4KB
  • memory/4584-26-0x0000000000D30000-0x0000000000D31000-memory.dmp
    Filesize: 4KB
  • memory/4584-24-0x0000000000D10000-0x0000000000D11000-memory.dmp
    Filesize: 4KB
  • memory/4584-23-0x0000000000D00000-0x0000000000D01000-memory.dmp
    Filesize: 4KB
  • memory/4584-71-0x0000000000D10000-0x0000000000D11000-memory.dmp
    Filesize: 4KB
  • memory/4584-70-0x0000000000D00000-0x0000000000D01000-memory.dmp
    Filesize: 4KB
  • memory/4584-72-0x0000000000D20000-0x0000000000D21000-memory.dmp
    Filesize: 4KB