Overview

overview

10

Static

static

3

80923a0d71...ab.exe

windows7-x64

10

80923a0d71...ab.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-06-2024 01:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab.exe

  • Size

    839KB

  • MD5

    ebc4b354d6ec654829f9de447d0c7b04

  • SHA1

    9e5d3ccae0d22bd27f8ae39b2f35b274dabd7fd1

  • SHA256

    80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab

  • SHA512

    1cb3487cf2f1864d22d3148b30ecf70794567af3a84c9ba5f2d16b5dac38017347c4efb92e4978ebfe57588c5883a2ebe4af33e83eaafad99de202548fd0048e

  • SSDEEP

    24576:3CIQgVHOEqG7111cZRHVzutBSRhmG5ep:yAH1KL1zwBSRhmAI

Score
10/10
redlinesectopratxwormx3.0 foundryexecutioninfostealerrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

79.110.49.209:7000

Mutex

biVc5L0dNUTxuebk

Attributes
  • install_file

    USB.exe

aes.plain

Extracted

Family

redline

Botnet

X3.0 Foundry

C2

79.110.49.209:37552

Signatures

  • Detect Xworm Payload 2 IoCs
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 2 IoCs
  • SectopRAT

    SectopRAT is a remote access trojan first seen in November 2019.

    trojanratsectoprat
  • SectopRAT payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Detect binaries embedding considerable number of cryptocurrency wallet browser extension IDs. 2 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Using powershell.exe command.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab.exe
    "C:\Users\Admin\AppData\Local\Temp\80923a0d7111b0a1fa4326e3a9a0d9ecb7ce66e276f8672aa79e2b5d99473fab.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2336
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGUAZgB5ACMAPgBBAGQAZAAtAE0AcABQAHIAZQBmAGUAcgBlAG4AYwBlACAAPAAjAGIAYgB4ACMAPgAgAC0ARQB4AGMAbAB1AHMAaQBvAG4AUABhAHQAaAAgAEAAKAAkAGUAbgB2ADoAVQBzAGUAcgBQAHIAbwBmAGkAbABlACwAJABlAG4AdgA6AFMAeQBzAHQAZQBtAEQAcgBpAHYAZQApACAAPAAjAHkAYgB6ACMAPgAgAC0ARgBvAHIAYwBlACAAPAAjAGEAcwBsACMAPgA="
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\Users\Admin\AppData\Roaming\X3 Libraries.exe
      "C:\Users\Admin\AppData\Roaming\X3 Libraries.exe"
      2⤵
      • Executes dropped EXE
      PID:3052
    • C:\Users\Admin\AppData\Roaming\X3 Foundry.exe
      "C:\Users\Admin\AppData\Roaming\X3 Foundry.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2236
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\X3 Foundry.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3768
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'X3 Foundry.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3412
    • C:\Users\Admin\AppData\Roaming\X3.exe
      "C:\Users\Admin\AppData\Roaming\X3.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1132
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:2152

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    18KB

    MD5

    af7883c521ff72ed6d065a3b6e1a9afb

    SHA1

    3b42a7c42bafc8f99652486d62dab8841cb66b0e

    SHA256

    734ca40b6f5214f32ef63b15fa5e0713febd47cf66cdac54ad48b18cccab79de

    SHA512

    b195c9fdfb98cf7a02f4b0be9fa04bc24da5248a0b012f3b7a5e6d375a4b08a46062b45f0ce6d60e774d948f483fc4ae26b60232ed8155f011654c1477f6fe48

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    9b80cd7a712469a4c45fec564313d9eb

    SHA1

    6125c01bc10d204ca36ad1110afe714678655f2d

    SHA256

    5a9e4969c6cdb5d522c81ce55799effb7255c1b0a9966a936d1dc3ff8fe2112d

    SHA512

    ac280d2623c470c9dec94726a7af0612938723f3c7d60d727eb3c21f17be2f2049f97bc8303558be8b01f94406781ece0ada9a3bc51e930aff20bebb6ca17584

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jmcthehc.ks5.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit
  • C:\Users\Admin\AppData\Roaming\X3 Foundry.exe
    Filesize

    37KB

    MD5

    481dfe8fc19890a677c7824c60f721e8

    SHA1

    5db87becad1d847643fc853206feb3b33236dcd1

    SHA256

    3fb3f5a0edfedb7b6d05fe45f499df151d0b4b474c86f886ddc497106b6aefe5

    SHA512

    edf8d07242f349bc96d9b583641556019c6b11478794a6243786b814fed99d3778df74ede6d5e745038880a64abfc1a5537cb9fc03f42e835319487aa4f11e74

    Download Submit
  • C:\Users\Admin\AppData\Roaming\X3 Libraries.exe
    Filesize

    701KB

    MD5

    17a4fe963bfec0ddadd74c1f39e8fd8f

    SHA1

    a857e89e506074bfedc937dc62fb1aa9e63e3281

    SHA256

    364492be3bc6462856177bb67acfc98ab80b751e22fd07d441fbcdc89754534e

    SHA512

    5aba4065f5c44163b4b9f479135d2e4c358bdc8ec273ac7acab0b40743633d0711d19999c019ddf991d428bb337b7840c29bc5ed093439758456d0272b9b7c9d

    Download Submit
  • C:\Users\Admin\AppData\Roaming\X3.exe
    Filesize

    95KB

    MD5

    7875166307500da488a1618d9790e14c

    SHA1

    94219d3929064c36a1a60dd0a0b82c67f1038f4a

    SHA256

    1a328c71452450974247cf6126bbde1b1ab459bb1c6f56cc6f4c5626b8c9d386

    SHA512

    2ffacea5b936fe99d17c46c3a24450a1b95d0cb84c355a7deec6080b8f4fb6ec442280ea953621a20bac379d0b7f11e9ff18a489a0eee0cb1bb3366ea3ba9d4f

    Download Submit
  • memory/1132-64-0x0000000005120000-0x000000000522A000-memory.dmp
    Filesize

    1.0MB

    Download
  • memory/1132-45-0x0000000005590000-0x0000000005BA8000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/1132-53-0x0000000004EB0000-0x0000000004EFC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1132-48-0x0000000004E70000-0x0000000004EAC000-memory.dmp
    Filesize

    240KB

    Download
  • memory/1132-46-0x0000000004E10000-0x0000000004E22000-memory.dmp
    Filesize

    72KB

    Download
  • memory/1132-43-0x0000000000590000-0x00000000005AE000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1368-41-0x0000000073560000-0x0000000073D10000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1368-85-0x0000000007AD0000-0x0000000007ADE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1368-47-0x0000000073560000-0x0000000073D10000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1368-51-0x0000000005F70000-0x0000000005FD6000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1368-32-0x000000007356E000-0x000000007356F000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1368-49-0x0000000005800000-0x0000000005822000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1368-50-0x0000000005F00000-0x0000000005F66000-memory.dmp
    Filesize

    408KB

    Download
  • memory/1368-38-0x00000000058D0000-0x0000000005EF8000-memory.dmp
    Filesize

    6.2MB

    Download
  • memory/1368-91-0x0000000073560000-0x0000000073D10000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/1368-88-0x0000000007BB0000-0x0000000007BB8000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1368-54-0x0000000005FE0000-0x0000000006334000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/1368-87-0x0000000007BD0000-0x0000000007BEA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1368-86-0x0000000007AE0000-0x0000000007AF4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1368-35-0x0000000002C20000-0x0000000002C56000-memory.dmp
    Filesize

    216KB

    Download
  • memory/1368-65-0x0000000006560000-0x000000000657E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1368-66-0x0000000006B70000-0x0000000006BA2000-memory.dmp
    Filesize

    200KB

    Download
  • memory/1368-67-0x0000000074AA0000-0x0000000074AEC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1368-77-0x0000000006B30000-0x0000000006B4E000-memory.dmp
    Filesize

    120KB

    Download
  • memory/1368-78-0x0000000006BB0000-0x0000000006C53000-memory.dmp
    Filesize

    652KB

    Download
  • memory/1368-80-0x0000000007890000-0x00000000078AA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1368-79-0x0000000007EE0000-0x000000000855A000-memory.dmp
    Filesize

    6.5MB

    Download
  • memory/1368-84-0x0000000007A90000-0x0000000007AA1000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1368-82-0x0000000007910000-0x000000000791A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1368-83-0x0000000007B10000-0x0000000007BA6000-memory.dmp
    Filesize

    600KB

    Download
  • memory/2236-81-0x000000001B050000-0x000000001B060000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2236-34-0x00000000002D0000-0x00000000002E0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2236-30-0x00007FFCCB8F3000-0x00007FFCCB8F5000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2236-118-0x000000001B050000-0x000000001B060000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3052-40-0x00000000052D0000-0x0000000005362000-memory.dmp
    Filesize

    584KB

    Download
  • memory/3052-44-0x00000000053D0000-0x00000000053DA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/3052-36-0x00000000008C0000-0x0000000000976000-memory.dmp
    Filesize

    728KB

    Download
  • memory/3052-37-0x0000000073560000-0x0000000073D10000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3052-39-0x0000000005880000-0x0000000005E24000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/3052-52-0x0000000073560000-0x0000000073D10000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3052-117-0x0000000073560000-0x0000000073D10000-memory.dmp
    Filesize

    7.7MB

    Download
  • memory/3768-92-0x000001A03F180000-0x000001A03F1A2000-memory.dmp
    Filesize

    136KB

    Download