Analysis

max time kernel: 30s
max time network: 34s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20241211-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 14-12-2024 10:37
Static task: static1

Behavioral task: behavioral1
  Sample: XWormBeta_Dos.exe
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: XWormBeta_Dos.exe
  Resource: win10v2004-20241007-en

Behavioral task: behavioral3
  Sample: XWormBeta_Dos.exe
  Resource: win10ltsc2021-20241211-en

Behavioral task: behavioral4
  Sample: XWormBeta_Dos.exe
  Resource: win11-20241023-en
General

Target: XWormBeta_Dos.exe
Size: 23.1MB
MD5: d389f84f0da8a7a89e0b0acbf24757bb
SHA1: 176d944f9e510988786ec1952a81c950b2ebebbc
SHA256: ef3f2437199b8f0ab6729ea14728e9be3741da5fe951871aee082bec21a56d7b
SHA512: 6a600340dbe194b2739e7e55233bca0cdfe51d5eb2d1d5886a79d7320b7b53ce5bb6a282f182e4073e87ce14741d947592f40e75ae04b2e11b1c73181b24e52b
SSDEEP: 393216:umJClI5MjYCuwuVfH9RpaRZL1e6RxZzczo0ZaF5E2pya4xJPAuRqOvR:qI5MQNf9aRZL06RxZzcz6F5rya4xJPdD
Malware Config

Extracted: redline
  DARKWEB
  89.22.234.180:40608
  auth_value: cf407bc0c9a8384bb62aa110b7844cfe
Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.

RedLine payload 2 IoCs
  resource: behavioral3/files/0x00290000000461f0-49.dat  (yara_rule: family_redline)
  resource: behavioral3/memory/968-61-0x0000000000980000-0x00000000009AE000-memory.dmp  (yara_rule: family_redline)

Redline family
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2366345620-3342093254-3461191856-1000\Control Panel\International\Geo\Nation  (Process: 11.exe)
Executes dropped EXE 4 IoCs
  PID 1292  CL_Debug_Log.txt
  PID 3944  11.exe
  PID 4180  XWorm V3.1.exe
  PID 968   dark.exe
AutoIT Executable 2 IoCs
AutoIT scripts compiled to PE executables.
  resource: behavioral3/files/0x00280000000461f9-27.dat  (yara_rule: autoit_exe)
  resource: behavioral3/files/0x002b0000000461bd-29.dat  (yara_rule: autoit_exe)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: schtasks.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: 11.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: dark.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: cmd.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: timeout.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: XWormBeta_Dos.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (Process: CL_Debug_Log.txt)
Delays execution with timeout.exe 1 IoCs
  PID 4928  timeout.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 2608  schtasks.exe
Suspicious use of AdjustPrivilegeToken 5 IoCs
  Token: SeRestorePrivilege   PID 1292  CL_Debug_Log.txt
  Token: 35                   PID 1292  CL_Debug_Log.txt
  Token: SeSecurityPrivilege  PID 1292  CL_Debug_Log.txt
  Token: SeSecurityPrivilege  PID 1292  CL_Debug_Log.txt
  Token: SeDebugPrivilege     PID 4180  XWorm V3.1.exe
Suspicious use of FindShellTrayWindow 3 IoCs
  PID 4584  XWormBeta_Dos.exe
  PID 4584  XWormBeta_Dos.exe
  PID 4584  XWormBeta_Dos.exe

Suspicious use of SendNotifyMessage 3 IoCs
  PID 4584  XWormBeta_Dos.exe
  PID 4584  XWormBeta_Dos.exe
  PID 4584  XWormBeta_Dos.exe
Suspicious use of WriteProcessMemory 23 IoCs
  PID 4584 wrote to memory of 1292  (pid 4584, XWormBeta_Dos.exe, procid_target 83)
  PID 4584 wrote to memory of 1292  (pid 4584, XWormBeta_Dos.exe, procid_target 83)
  PID 4584 wrote to memory of 1292  (pid 4584, XWormBeta_Dos.exe, procid_target 83)
  PID 4584 wrote to memory of 5044  (pid 4584, XWormBeta_Dos.exe, procid_target 85)
  PID 4584 wrote to memory of 5044  (pid 4584, XWormBeta_Dos.exe, procid_target 85)
  PID 4584 wrote to memory of 5044  (pid 4584, XWormBeta_Dos.exe, procid_target 85)
  PID 5044 wrote to memory of 2608  (pid 5044, cmd.exe, procid_target 87)
  PID 5044 wrote to memory of 2608  (pid 5044, cmd.exe, procid_target 87)
  PID 5044 wrote to memory of 2608  (pid 5044, cmd.exe, procid_target 87)
  PID 4584 wrote to memory of 3944  (pid 4584, XWormBeta_Dos.exe, procid_target 88)
  PID 4584 wrote to memory of 3944  (pid 4584, XWormBeta_Dos.exe, procid_target 88)
  PID 4584 wrote to memory of 3944  (pid 4584, XWormBeta_Dos.exe, procid_target 88)
  PID 3944 wrote to memory of 4180  (pid 3944, 11.exe, procid_target 89)
  PID 3944 wrote to memory of 4180  (pid 3944, 11.exe, procid_target 89)
  PID 3944 wrote to memory of 968   (pid 3944, 11.exe, procid_target 90)
  PID 3944 wrote to memory of 968   (pid 3944, 11.exe, procid_target 90)
  PID 3944 wrote to memory of 968   (pid 3944, 11.exe, procid_target 90)
  PID 4584 wrote to memory of 2920  (pid 4584, XWormBeta_Dos.exe, procid_target 92)
  PID 4584 wrote to memory of 2920  (pid 4584, XWormBeta_Dos.exe, procid_target 92)
  PID 4584 wrote to memory of 2920  (pid 4584, XWormBeta_Dos.exe, procid_target 92)
  PID 2920 wrote to memory of 4928  (pid 2920, cmd.exe, procid_target 94)
  PID 2920 wrote to memory of 4928  (pid 2920, cmd.exe, procid_target 94)
  PID 2920 wrote to memory of 4928  (pid 2920, cmd.exe, procid_target 94)
Processes

C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\XWormBeta_Dos.exe"
  PID: 4584
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt
    Command line: C:\Users\Admin\AppData\Local\Temp\CL_Debug_Log.txt e -p"JDQJndnqwdnqw2139dn21n3b312idDQDB" "C:\Users\Admin\AppData\Local\Temp\CR_Debug_Log.txt" -o"C:\Users\Admin\AppData\Local\Temp\"
    PID: 1292
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
    PID: 5044
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\schtasks.exe
      Command line: schtasks.exe /Create /XML "C:\Users\Admin\AppData\Local\Temp\svchost.xml" /TN "System\svchost"
      PID: 2608
      - System Location Discovery: System Language Discovery
      - Scheduled Task/Job: Scheduled Task

  C:\Users\Admin\AppData\Local\Temp\11.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\11.exe
    PID: 3944
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\XWorm V3.1.exe"
      PID: 4180
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken

    C:\Users\Admin\AppData\Local\Temp\dark.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\dark.exe"
      PID: 968
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c For /L %i In (0,0,0) Do (del "C:\Users\Admin\AppData\Local\Temp\XWORMB~1.EXE"&&timeout /t 0&&if not exist "C:\Users\Admin\AppData\Local\Temp\XWORMB~1.EXE" exit)
    PID: 2920
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\timeout.exe
      Command line: timeout /t 0
      PID: 4928
      - System Location Discovery: System Language Discovery
      - Delays execution with timeout.exe
MITRE ATT&CK Enterprise v15
Downloads