xred | 2bd965f29bf25dfa230be112a130a519937c00e02c498dde8d67ae4d3258de99

Analysis

max time kernel
142s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 11:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FreeCheat.exe
Size

809KB
MD5

94d86e51d8f55a38484c0147f5a4639a
SHA1

f3eb5147cca4067c43033280ab7b24b6843c7047
SHA256

2bd965f29bf25dfa230be112a130a519937c00e02c498dde8d67ae4d3258de99
SHA512

e26370075cc154c12388ff1cbdaa74643c020d21ae6e17d7a9ee0e49e8e7365e35c58e1cd8478fe6bf81f2475d9dbcfd1296f69f4e7324f57a6dd5d26ea26c71
SSDEEP

12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VS+OzhJCgws:ynsJ39LyjbJkQFMhmC+6GD9wn

Score

10^/10

xred xworm backdoor discovery macro persistence rat trojan

Malware Config

Extracted

Family

xworm

review-tennis.gl.at.ply.gg:37622

Attributes

Install_directory
%LocalAppData%
install_file
svchost2.exe
telegram
https://api.telegram.org/bot7326491521:AAHlNX1AHs0be6K8nhvysevBir5JQbB6QP0/sendMessage?chat_id=7268548907

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Xworm Payload 8 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\._cache_FreeCheat.exe	family_xworm
C:\ProgramData\Synaptics\Synaptics.exe	family_xworm
behavioral1/memory/2104-25-0x0000000000400000-0x00000000004D0000-memory.dmp	family_xworm
behavioral1/memory/2408-35-0x0000000000DA0000-0x0000000000DB6000-memory.dmp	family_xworm
behavioral1/memory/2224-36-0x0000000000C30000-0x0000000000C46000-memory.dmp	family_xworm
behavioral1/memory/2908-130-0x0000000000400000-0x00000000004D0000-memory.dmp	family_xworm
behavioral1/memory/2908-131-0x0000000000400000-0x00000000004D0000-memory.dmp	family_xworm
behavioral1/memory/2908-165-0x0000000000400000-0x00000000004D0000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Drops startup file 2 IoCs

Processes:

._cache_FreeCheat.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost2.lnk	._cache_FreeCheat.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost2.lnk	._cache_FreeCheat.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_FreeCheat.exeSynaptics.exe._cache_Synaptics.exe

pid process

2408 ._cache_FreeCheat.exe
2908 Synaptics.exe
2224 ._cache_Synaptics.exe
Loads dropped DLL 5 IoCs

Processes:

FreeCheat.exeSynaptics.exe

pid process

2104 FreeCheat.exe
2104 FreeCheat.exe
2104 FreeCheat.exe
2908 Synaptics.exe
2908 Synaptics.exe

pid	process
2408	._cache_FreeCheat.exe
2908	Synaptics.exe
2224	._cache_Synaptics.exe

pid	process
2104	FreeCheat.exe
2104	FreeCheat.exe
2104	FreeCheat.exe
2908	Synaptics.exe
2908	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

FreeCheat.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	FreeCheat.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

FreeCheat.exeSynaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FreeCheat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2716 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2716	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

._cache_FreeCheat.exe._cache_Synaptics.exe

description	pid	process
Token: SeDebugPrivilege	2408	._cache_FreeCheat.exe
Token: SeDebugPrivilege	2224	._cache_Synaptics.exe
Token: SeDebugPrivilege	2408	._cache_FreeCheat.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2716 EXCEL.EXE

pid	process
2716	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

FreeCheat.exeSynaptics.exe

description	pid	process	target process
PID 2104 wrote to memory of 2408	2104	FreeCheat.exe	._cache_FreeCheat.exe
PID 2104 wrote to memory of 2408	2104	FreeCheat.exe	._cache_FreeCheat.exe
PID 2104 wrote to memory of 2408	2104	FreeCheat.exe	._cache_FreeCheat.exe
PID 2104 wrote to memory of 2408	2104	FreeCheat.exe	._cache_FreeCheat.exe
PID 2104 wrote to memory of 2908	2104	FreeCheat.exe	Synaptics.exe
PID 2104 wrote to memory of 2908	2104	FreeCheat.exe	Synaptics.exe
PID 2104 wrote to memory of 2908	2104	FreeCheat.exe	Synaptics.exe
PID 2104 wrote to memory of 2908	2104	FreeCheat.exe	Synaptics.exe
PID 2908 wrote to memory of 2224	2908	Synaptics.exe	._cache_Synaptics.exe
PID 2908 wrote to memory of 2224	2908	Synaptics.exe	._cache_Synaptics.exe
PID 2908 wrote to memory of 2224	2908	Synaptics.exe	._cache_Synaptics.exe
PID 2908 wrote to memory of 2224	2908	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\FreeCheat.exe
"C:\Users\Admin\AppData\Local\Temp\FreeCheat.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\._cache_FreeCheat.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_FreeCheat.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2408
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2224

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
809KB

MD5
94d86e51d8f55a38484c0147f5a4639a

SHA1
f3eb5147cca4067c43033280ab7b24b6843c7047

SHA256
2bd965f29bf25dfa230be112a130a519937c00e02c498dde8d67ae4d3258de99

SHA512
e26370075cc154c12388ff1cbdaa74643c020d21ae6e17d7a9ee0e49e8e7365e35c58e1cd8478fe6bf81f2475d9dbcfd1296f69f4e7324f57a6dd5d26ea26c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_FreeCheat.exe

Filesize
64KB

MD5
975e2c659c3274245afbc696acb31fcf

SHA1
77484f030726f39b570ac4dce668684b01f9404d

SHA256
7fe3a83899c061a8195ee1e6e973019e3ced59762f91ff19998545a6beaa567e

SHA512
948301e8b908371a7a7fd20146004074652af3f35e0e1e9cacdda67ad921788e5571c49abc7a4f1600d7b0f0089404b48cc2b6d758115afaa2afe5d452ad098d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Filesize
25KB

MD5
11e7c0faea3cadc74c8e06c3e25f778c

SHA1
e779eaeb2859ce1610be80aaba2f27bf6313c9dc

SHA256
0e9491c55508e955eb67d50e70d90edd88b39d4e510ce7d25437035df146051d

SHA512
afa5fed7190da2ac974fc31c357ceccadf107e1f69b8e987ea26e14f245da26ac84acf49234b21e05a3f17ccee6eddda818a7712109625b4889860cfe5f853cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Filesize
28KB

MD5
e7372e7417e2379f7823c84c3a393e25

SHA1
f5101102aeda61032789792002f8151cca03311a

SHA256
3f77b6b2a6b763c8267fc647c8b0321f8086414a20bd27e2384d494145dd4576

SHA512
366877ecc600b45e16a418d2b7e225ce184b3f079ba16495ace14ccb760416a467e32cb90aab363b9fdda634c32c7b52103b7ebab8f1e6cf4ce3016d40f058f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Filesize
28KB

MD5
3958f6ff33ae4289af2d4616970575f3

SHA1
13e154c5d6d10678f2d6cd6e9e6c4903d457b99e

SHA256
6938105672cb48bf26d80f2fd4cdf466eb336be1b55c0d613c08c323b9562919

SHA512
7669ee2d53f77bbba91ed387f3a5a4a87b9bb5f3ebb0ea988ef606c6eff379b394c7e42917753aa8e2e2ae60ac299e16da72ac7ddaa88f4b6c01252afd71b703

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Filesize
30KB

MD5
d03ad67f948d654ce812476f1a58f06a

SHA1
94ff8e79cc94a6d35bc72fc46ef0486e29094fef

SHA256
ba0eb5aa976ce1a52e664c133b4a74e9fe47fea10c206d2c90aa7b354cf4b7d6

SHA512
3491a5022ab30fcd8d012aec8b8ef7615adc0d20f063dceb65863b4a62038f0f0713a9025e8610d6bd6862dee27a696f2cfb587c10f4006c1d1ae110f52bf810

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Filesize
27KB

MD5
d91ef0f2b9f1354cbd7d72346bbfeabe

SHA1
6610266f9fa4e4e2ab8d142c8d45f6e5a4385b73

SHA256
e10ded5e03aaaa419aab14fe6b38227983b305e22ee9223b2ecb44fd62db03f8

SHA512
2302822dca47350e57bbf766e50ebfa9c7ba57032faa6067ff2a64c5a399e7895d040e1bc160b9eeea3f863c10b550a9918882b7917fc35e1b271eafc521e01c

Download Submit
C:\Users\Admin\AppData\Local\Temp\MVmumIyW.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Desktop\~$GrantSync.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2104-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2104-25-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2224-36-0x0000000000C30000-0x0000000000C46000-memory.dmp

Filesize
88KB

Download
memory/2408-35-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/2408-132-0x0000000000A30000-0x0000000000A3C000-memory.dmp

Filesize
48KB

Download
memory/2716-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2908-130-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2908-131-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2908-165-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download