Overview

overview

10

Static

static

3

TDMenu_x64.exe

windows10-2004-x64

10

TDMenu_x64.exe

windows10-ltsc 2021-x64

10

TDMenu_x64.exe

windows11-21h2-x64

10

Resubmissions

22-01-2025 15:50

250122-s99tasvlcp 10

22-01-2025 15:46

250122-s7peksvkbr 10

22-01-2025 15:45

250122-s7aanatkgx 10

22-01-2025 14:49

250122-r7c6wa1ncx 10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    TDMenu_x64.exe

  • Size

    6.4MB

  • Sample

    250122-r7c6wa1ncx

  • MD5

    3f9d8993daa6e07221f9a12eaa011ca6

  • SHA1

    a33290d94fb3bba06337b7b847d971b1a8fd6110

  • SHA256

    109bf7761442498abd03f972c2b315b6ea8727a79ed35e7e75a90e6d1e4b7f79

  • SHA512

    ffb917e3a01e72b5cec0c8ff41328bac3840c6be0dcb05a58513a3f77a32c2280fc6881109725ba931b31809fbb0abb83bdacd9ec8022ea8a49d6476ca2177c0

  • SSDEEP

    98304:S/STPMYacPcyyc7Ht40MV+9eN+jCxf8/kbqEVgUmSr7CqnfMwd+mJbKc1rm7cNAH:S9xcPj9Hy0MWGxk/kWEu72t+mKlPDT

Score
10/10
redlinesectopratxmrigxwormgodseye3-01-25defense_evasionexecutioninfostealerminerpersistencerattrojanupx

Malware Config

Extracted

Family

xworm

C2

23.27.201.57:7000

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    DirectX End-User Runtime.exe

Extracted

Family

redline

Botnet

godseye3-01-25

C2

23.27.201.57:62529

Targets

    • Target

      TDMenu_x64.exe

    • Size

      6.4MB

    • MD5

      3f9d8993daa6e07221f9a12eaa011ca6

    • SHA1

      a33290d94fb3bba06337b7b847d971b1a8fd6110

    • SHA256

      109bf7761442498abd03f972c2b315b6ea8727a79ed35e7e75a90e6d1e4b7f79

    • SHA512

      ffb917e3a01e72b5cec0c8ff41328bac3840c6be0dcb05a58513a3f77a32c2280fc6881109725ba931b31809fbb0abb83bdacd9ec8022ea8a49d6476ca2177c0

    • SSDEEP

      98304:S/STPMYacPcyyc7Ht40MV+9eN+jCxf8/kbqEVgUmSr7CqnfMwd+mJbKc1rm7cNAH:S9xcPj9Hy0MWGxk/kWEu72t+mKlPDT

    Score
    10/10
    redlinesectopratxmrigxwormgodseye3-01-25defense_evasionexecutioninfostealerminerpersistencerattrojanupx

    • Detect Xworm Payload

    • RedLine

      RedLine Stealer is a malware family written in C#, first appearing in early 2020.

      infostealerredline

    • RedLine payload

    • Redline family

      redline

    • SectopRAT

      SectopRAT is a remote access trojan first seen in November 2019.

      trojanratsectoprat

    • SectopRAT payload

    • Sectoprat family

      sectoprat

    • Xmrig family

      xmrig

    • Xworm

      Xworm is a remote access trojan written in C#.

      trojanratxworm

    • Xworm family

      xworm

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

      minerxmrig

    • XMRig Miner payload

      miner

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

      execution

    • Creates new service(s)

      persistenceexecution

    • Drops file in Drivers directory

    • Stops running service(s)

      defense_evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Drops startup file

    • Executes dropped EXE

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2behavioral3

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

System Services

2
T1569

Service Execution

2
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Create or Modify System Process

2
T1543

Windows Service

2
T1543.003

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

1
T1112

Credential Access

Discovery

Query Registry

2
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Tasks