Analysis
-
max time kernel
142s -
max time network
155s -
platform
windows7_x64 -
resource
win7-20241010-en -
resource tags
arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 11:48
Behavioral task
behavioral1
Sample
FreeCheat.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
FreeCheat.exe
Resource
win10v2004-20241007-en
General
-
Target
FreeCheat.exe
-
Size
809KB
-
MD5
94d86e51d8f55a38484c0147f5a4639a
-
SHA1
f3eb5147cca4067c43033280ab7b24b6843c7047
-
SHA256
2bd965f29bf25dfa230be112a130a519937c00e02c498dde8d67ae4d3258de99
-
SHA512
e26370075cc154c12388ff1cbdaa74643c020d21ae6e17d7a9ee0e49e8e7365e35c58e1cd8478fe6bf81f2475d9dbcfd1296f69f4e7324f57a6dd5d26ea26c71
-
SSDEEP
12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VS+OzhJCgws:ynsJ39LyjbJkQFMhmC+6GD9wn
Malware Config
Extracted
xworm
review-tennis.gl.at.ply.gg:37622
-
Install_directory
%LocalAppData%
-
install_file
svchost2.exe
-
telegram
https://api.telegram.org/bot7326491521:AAHlNX1AHs0be6K8nhvysevBir5JQbB6QP0/sendMessage?chat_id=7268548907
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Detect Xworm Payload 8 IoCs
resource yara_rule behavioral1/files/0x000900000001227e-15.dat family_xworm behavioral1/files/0x0007000000016d1c-11.dat family_xworm behavioral1/memory/2104-25-0x0000000000400000-0x00000000004D0000-memory.dmp family_xworm behavioral1/memory/2408-35-0x0000000000DA0000-0x0000000000DB6000-memory.dmp family_xworm behavioral1/memory/2224-36-0x0000000000C30000-0x0000000000C46000-memory.dmp family_xworm behavioral1/memory/2908-130-0x0000000000400000-0x00000000004D0000-memory.dmp family_xworm behavioral1/memory/2908-131-0x0000000000400000-0x00000000004D0000-memory.dmp family_xworm behavioral1/memory/2908-165-0x0000000000400000-0x00000000004D0000-memory.dmp family_xworm -
Xred family
-
Xworm family
-
resource behavioral1/files/0x0008000000019515-107.dat -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost2.lnk ._cache_FreeCheat.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svchost2.lnk ._cache_FreeCheat.exe -
Executes dropped EXE 3 IoCs
pid Process 2408 ._cache_FreeCheat.exe 2908 Synaptics.exe 2224 ._cache_Synaptics.exe -
Loads dropped DLL 5 IoCs
pid Process 2104 FreeCheat.exe 2104 FreeCheat.exe 2104 FreeCheat.exe 2908 Synaptics.exe 2908 Synaptics.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\????? = "C:\\ProgramData\\Synaptics\\Synaptics.exe" FreeCheat.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language FreeCheat.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Synaptics.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language EXCEL.EXE -
Enumerates system info in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
pid Process 2716 EXCEL.EXE -
Suspicious use of AdjustPrivilegeToken 3 IoCs
description pid Process Token: SeDebugPrivilege 2408 ._cache_FreeCheat.exe Token: SeDebugPrivilege 2224 ._cache_Synaptics.exe Token: SeDebugPrivilege 2408 ._cache_FreeCheat.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2716 EXCEL.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2104 wrote to memory of 2408 2104 FreeCheat.exe 29 PID 2104 wrote to memory of 2408 2104 FreeCheat.exe 29 PID 2104 wrote to memory of 2408 2104 FreeCheat.exe 29 PID 2104 wrote to memory of 2408 2104 FreeCheat.exe 29 PID 2104 wrote to memory of 2908 2104 FreeCheat.exe 30 PID 2104 wrote to memory of 2908 2104 FreeCheat.exe 30 PID 2104 wrote to memory of 2908 2104 FreeCheat.exe 30 PID 2104 wrote to memory of 2908 2104 FreeCheat.exe 30 PID 2908 wrote to memory of 2224 2908 Synaptics.exe 31 PID 2908 wrote to memory of 2224 2908 Synaptics.exe 31 PID 2908 wrote to memory of 2224 2908 Synaptics.exe 31 PID 2908 wrote to memory of 2224 2908 Synaptics.exe 31
Processes
-
C:\Users\Admin\AppData\Local\Temp\FreeCheat.exe"C:\Users\Admin\AppData\Local\Temp\FreeCheat.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104 -
C:\Users\Admin\AppData\Local\Temp\._cache_FreeCheat.exe"C:\Users\Admin\AppData\Local\Temp\._cache_FreeCheat.exe"2⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2408
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2908 -
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2224
-
-
-
C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2716
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
809KB
MD594d86e51d8f55a38484c0147f5a4639a
SHA1f3eb5147cca4067c43033280ab7b24b6843c7047
SHA2562bd965f29bf25dfa230be112a130a519937c00e02c498dde8d67ae4d3258de99
SHA512e26370075cc154c12388ff1cbdaa74643c020d21ae6e17d7a9ee0e49e8e7365e35c58e1cd8478fe6bf81f2475d9dbcfd1296f69f4e7324f57a6dd5d26ea26c71
-
Filesize
64KB
MD5975e2c659c3274245afbc696acb31fcf
SHA177484f030726f39b570ac4dce668684b01f9404d
SHA2567fe3a83899c061a8195ee1e6e973019e3ced59762f91ff19998545a6beaa567e
SHA512948301e8b908371a7a7fd20146004074652af3f35e0e1e9cacdda67ad921788e5571c49abc7a4f1600d7b0f0089404b48cc2b6d758115afaa2afe5d452ad098d
-
Filesize
25KB
MD511e7c0faea3cadc74c8e06c3e25f778c
SHA1e779eaeb2859ce1610be80aaba2f27bf6313c9dc
SHA2560e9491c55508e955eb67d50e70d90edd88b39d4e510ce7d25437035df146051d
SHA512afa5fed7190da2ac974fc31c357ceccadf107e1f69b8e987ea26e14f245da26ac84acf49234b21e05a3f17ccee6eddda818a7712109625b4889860cfe5f853cf
-
Filesize
28KB
MD5e7372e7417e2379f7823c84c3a393e25
SHA1f5101102aeda61032789792002f8151cca03311a
SHA2563f77b6b2a6b763c8267fc647c8b0321f8086414a20bd27e2384d494145dd4576
SHA512366877ecc600b45e16a418d2b7e225ce184b3f079ba16495ace14ccb760416a467e32cb90aab363b9fdda634c32c7b52103b7ebab8f1e6cf4ce3016d40f058f2
-
Filesize
28KB
MD53958f6ff33ae4289af2d4616970575f3
SHA113e154c5d6d10678f2d6cd6e9e6c4903d457b99e
SHA2566938105672cb48bf26d80f2fd4cdf466eb336be1b55c0d613c08c323b9562919
SHA5127669ee2d53f77bbba91ed387f3a5a4a87b9bb5f3ebb0ea988ef606c6eff379b394c7e42917753aa8e2e2ae60ac299e16da72ac7ddaa88f4b6c01252afd71b703
-
Filesize
30KB
MD5d03ad67f948d654ce812476f1a58f06a
SHA194ff8e79cc94a6d35bc72fc46ef0486e29094fef
SHA256ba0eb5aa976ce1a52e664c133b4a74e9fe47fea10c206d2c90aa7b354cf4b7d6
SHA5123491a5022ab30fcd8d012aec8b8ef7615adc0d20f063dceb65863b4a62038f0f0713a9025e8610d6bd6862dee27a696f2cfb587c10f4006c1d1ae110f52bf810
-
Filesize
27KB
MD5d91ef0f2b9f1354cbd7d72346bbfeabe
SHA16610266f9fa4e4e2ab8d142c8d45f6e5a4385b73
SHA256e10ded5e03aaaa419aab14fe6b38227983b305e22ee9223b2ecb44fd62db03f8
SHA5122302822dca47350e57bbf766e50ebfa9c7ba57032faa6067ff2a64c5a399e7895d040e1bc160b9eeea3f863c10b550a9918882b7917fc35e1b271eafc521e01c
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
165B
MD5ff09371174f7c701e75f357a187c06e8
SHA157f9a638fd652922d7eb23236c80055a91724503
SHA256e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8
SHA512e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882