Analysis

  • max time kernel
    169s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31-12-2024 06:54

General

  • Target

    VC_Redist64.exe

  • Size

    24.5MB

  • MD5

    f38e121d7029527a7becac8a54e1e5c6

  • SHA1

    edd4ec14a08324d6cc74f24670a0bffa98872496

  • SHA256

    547f08253c97d96ab2fe80b49b6de98d577305078cd6c6efe71fbac431799ceb

  • SHA512

    a007ce71b5664cfa40dfb469df28977101100f0a48eda9feef5f6f24a6594511dac8ca40afdc0d365e8982bad2bedd31b898bb69d3e962484fccab648eff8481

  • SSDEEP

    393216:I+TzxoRXwQSqd/jVKsg9PtWzUXil6OAoZzbMMTv70FkqQUl086iWG0wL5B0fxZVw:I++lSWJKh6civoETQ7bl9WGuxU+mb1

Malware Config

Extracted

Family

xworm

C2

tranny.racoongang.com:3389

174.89.155.190:3389

Attributes
  • Install_directory

    %AppData%

  • install_file

    svchost.exe

Signatures

  • Detect Xworm Payload 2 IoCs
  • StormKitty

    StormKitty is an open source info stealer written in C#.

  • StormKitty payload 1 IoCs
  • Stormkitty family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\VC_Redist64.exe
    "C:\Users\Admin\AppData\Local\Temp\VC_Redist64.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2848
    • C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe
      "C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3440
      • C:\Windows\Temp\{34557819-2AEB-4D85-86B9-A5977A721A52}\.cr\VC_redist.x64.exe
        "C:\Windows\Temp\{34557819-2AEB-4D85-86B9-A5977A721A52}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe" -burn.filehandle.attached=660 -burn.filehandle.self=692
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Windows\Temp\{C6D08C18-D935-4BE9-9119-0590D579A9A8}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{C6D08C18-D935-4BE9-9119-0590D579A9A8}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{B0F2AE8F-66B3-4688-8532-7A4595A5F1D8} {4B7EDFBE-2A8C-4D38-A3CB-EA792AD1272D} 1136
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • System Location Discovery: System Language Discovery
          PID:4716
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      "C:\Users\Admin\AppData\Roaming\svchost.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4704
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\AppData\Roaming\svchost.exe"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:336
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /delete /f /tn "svchost"
        3⤵
        PID:4572
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp66C0.tmp.bat""
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1444
          • C:\Windows\system32\timeout.exe
            timeout 3
            4⤵
            • Delays execution with timeout.exe
            PID:3140
    • C:\Users\Admin\AppData\Roaming\svchost.exe
      C:\Users\Admin\AppData\Roaming\svchost.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:5048
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:216
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3788
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:3
      1⤵
      PID:3080

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\svchost.exe.log

        Filesize

        654B

        MD5

        2ff39f6c7249774be85fd60a8f9a245e

        SHA1

        684ff36b31aedc1e587c8496c02722c6698c1c4e

        SHA256

        e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

        SHA512

        1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

      • C:\Users\Admin\AppData\Local\Temp\tmp66C0.tmp.bat

        Filesize

        156B

        MD5

        031cbf4a77d647affa7e06034baf4e7d

        SHA1

        cc22bb694c9c97aa45c81381d2ac0613edfda3a6

        SHA256

        50cdca957469c7cc3429785f9f7eea110ded2e53820a6a0493c0bbfac577b707

        SHA512

        9c0f39f6b36ee67ebb75dd38f31eb041f891eb56e51143746d52af69ddf9be4e4a6abc7cdbee4a5483bce2f73686f34c04414ad15c92f02a6bb6458532a7830d

      • C:\Users\Admin\AppData\Roaming\VC_redist.x64.exe

        Filesize

        24.5MB

        MD5

        223a76cd5ab9e42a5c55731154b85627

        SHA1

        38b647d37b42378222856972a1e22fbd8cf4b404

        SHA256

        1821577409c35b2b9505ac833e246376cc68a8262972100444010b57226f0940

        SHA512

        20e2d7437367cb262ce45184eb4d809249fe654aa450d226e376d4057c00b58ecfd8834a8b5153eb148960ffc845bed1f0943d5ff9a6fc1355b1503138562d8d

      • C:\Users\Admin\AppData\Roaming\svchost.exe

        Filesize

        77KB

        MD5

        9b06381f19f780f5df2229f672733783

        SHA1

        5f6163c1b0d4f9efb8e286194edbe4b07128b62d

        SHA256

        2678cd38a5aa24d85380baf37745ef144fff318463cad17cb6fd93b4e445a826

        SHA512

        716c30d427f903c5e76dfc1c0b00ffb9ac9604e43df768c77d55a3c1537078381634f210ab183a9f3a3157a570257a0025896e4232ea5272ca4d934647a66220

      • C:\Windows\Temp\{34557819-2AEB-4D85-86B9-A5977A721A52}\.cr\VC_redist.x64.exe

        Filesize

        670KB

        MD5

        3f32f1a9bd60ae065b89c2223676592e

        SHA1

        9d386d394db87f1ee41252cac863c80f1c8d6b8b

        SHA256

        270fa05033b8b9455bd0d38924b1f1f3e4d3e32565da263209d1f9698effbc05

        SHA512

        bddfeab33a03b0f37cff9008815e2900cc96bddaf763007e5f7fdffd80e56719b81341029431bd9d25c8e74123c1d9cda0f2aefafdc4937095d595093db823df

      • C:\Windows\Temp\{C6D08C18-D935-4BE9-9119-0590D579A9A8}\.ba\logo.png

        Filesize

        1KB

        MD5

        d6bd210f227442b3362493d046cea233

        SHA1

        ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

        SHA256

        335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

        SHA512

        464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

      • C:\Windows\Temp\{C6D08C18-D935-4BE9-9119-0590D579A9A8}\.ba\wixstdba.dll

        Filesize

        215KB

        MD5

        f68f43f809840328f4e993a54b0d5e62

        SHA1

        01da48ce6c81df4835b4c2eca7e1d447be893d39

        SHA256

        e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e

        SHA512

        a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1

      • memory/2848-0-0x00007FFF17D33000-0x00007FFF17D35000-memory.dmp

        Filesize

        8KB

      • memory/2848-1-0x0000000000AF0000-0x0000000002380000-memory.dmp

        Filesize

        24.6MB

      • memory/4704-26-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

        Filesize

        10.8MB

      • memory/4704-75-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

        Filesize

        10.8MB

      • memory/4704-78-0x0000000020100000-0x0000000020450000-memory.dmp

        Filesize

        3.3MB

      • memory/4704-79-0x00000000208F0000-0x0000000020A10000-memory.dmp

        Filesize

        1.1MB

      • memory/4704-118-0x000000001FDD0000-0x000000001FDF2000-memory.dmp

        Filesize

        136KB

      • memory/4704-119-0x000000001BD40000-0x000000001BD4C000-memory.dmp

        Filesize

        48KB

      • memory/4704-24-0x00000000009F0000-0x0000000000A0A000-memory.dmp

        Filesize

        104KB

      • memory/4704-136-0x00007FFF17D30000-0x00007FFF187F1000-memory.dmp

        Filesize

        10.8MB