Analysis

  • max time kernel
    15s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    26/11/2024, 06:18

General

  • Target

    SAMXPrivateAIMBOTAIESPLINE.exe

  • Size

    2.8MB

  • MD5

    5237179905c59d4110036f8b250466e2

  • SHA1

    18f8eb69c0645b4bcc315d658f6328697b989890

  • SHA256

    411d03fc0033d10d8b0f59e6838828246033c94860831f51088798cd6ad56eec

  • SHA512

    81367da947778e34257ba93d0137a0b8194d45c8d961163595cc8797b8a4ef03e80ec11494c76a8c298b575da6a236888c3cc59fbd668927a96a0bfba7204b5a

  • SSDEEP

    49152:RnsHyjtk2MYC5GD/dT0ynE9sua+PfPBnFJghdfwqOAaR8fHYW9:Rnsmtk2aUF0yn01hWwqOPRm9

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

C2

147.185.221.24:4236

Mutex

sMqfq2Kriwy3pLvt

Attributes
  • Install_directory

    %Userprofile%

  • install_file

    svchost.exe

aes.plain

Signatures

  • Detect Xworm Payload 8 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Xworm family
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 23 IoCs
  • Adds Run key to start application 2 TTPs 3 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\SAMXPrivateAIMBOTAIESPLINE.exe
    "C:\Users\Admin\AppData\Local\Temp\SAMXPrivateAIMBOTAIESPLINE.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1868
    • C:\Users\Admin\AppData\Local\Temp\._cache_SAMXPrivateAIMBOTAIESPLINE.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_SAMXPrivateAIMBOTAIESPLINE.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\SAM X HUTTA.exe
        "C:\Users\Admin\SAM X HUTTA.exe"
        3⤵
        • Executes dropped EXE
        PID:2744
      • C:\Users\Admin\svchost.exe
        "C:\Users\Admin\svchost.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2664
        • C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
          4⤵
          • Drops startup file
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2552
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:1604
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2788
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2652
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'svchost.exe'
            5⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2588
          • C:\Windows\System32\schtasks.exe
            "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "svchost" /tr "C:\Users\Admin\svchost.exe"
            5⤵
            • Scheduled Task/Job: Scheduled Task
            PID:1964
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2996
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2164
            • C:\Users\Admin\SAM X HUTTA.exe
              "C:\Users\Admin\SAM X HUTTA.exe"
              6⤵
              • Executes dropped EXE
              PID:2332
            • C:\Users\Admin\svchost.exe
              "C:\Users\Admin\svchost.exe"
              6⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:1548
              • C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
                "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of AdjustPrivilegeToken
                PID:668
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2696
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1484
        • C:\Users\Admin\SAM X HUTTA.exe
          "C:\Users\Admin\SAM X HUTTA.exe"
          4⤵
          • Executes dropped EXE
          PID:1720
        • C:\Users\Admin\svchost.exe
          "C:\Users\Admin\svchost.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1932
          • C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_svchost.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1508
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {429BCEA9-B3AE-4492-B7DE-62BD6820D918} S-1-5-21-1846800975-3917212583-2893086201-1000:ZQABOPWE\Admin:Interactive:[1]
    1⤵
    PID:808
    • C:\Users\Admin\svchost.exe
      C:\Users\Admin\svchost.exe
      2⤵
      PID:2524
    • C:\Users\Admin\svchost.exe
      C:\Users\Admin\svchost.exe
      2⤵
      PID:2712

Network

MITRE ATT&CK Enterprise v15


Downloads

        • C:\ProgramData\Synaptics\Synaptics.exe

          Filesize

          2.8MB

          MD5

          5237179905c59d4110036f8b250466e2

          SHA1

          18f8eb69c0645b4bcc315d658f6328697b989890

          SHA256

          411d03fc0033d10d8b0f59e6838828246033c94860831f51088798cd6ad56eec

          SHA512

          81367da947778e34257ba93d0137a0b8194d45c8d961163595cc8797b8a4ef03e80ec11494c76a8c298b575da6a236888c3cc59fbd668927a96a0bfba7204b5a

        • C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

          Filesize

          26KB

          MD5

          a9e6b26e6a4232bc4176097b0d4cba2d

          SHA1

          0bbcdf08686b01d43c2b4a3c85cbc605ace0273c

          SHA256

          2e2ff6f31a1397b6bce90af5d4074e84ec7f4fde79ab88fc8b9c198b948418bd

          SHA512

          cfaafe0b9b3180eb01669da08d529ec0ec8a9df5a48d2427b9fc5bb52c79f570d49e6b88c0c75b07951df93c55c4e8f3157699f07bd7065d58fe9f308758885d

        • C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

          Filesize

          29KB

          MD5

          79269501de62896f5c07b335e245a9f5

          SHA1

          ed276b18a7e8b2a2204b534dad6c91c2393c3dd7

          SHA256

          c1ad48451a16833ea84612f6893106cdb80303d9c8a4ffcd181a0b94d9b455be

          SHA512

          3a7319138e1b606e40a9033db8eab846b9b6a3799d615fecadcb2ff122f265ab18d524350967186a8bcb6af541c799aa12e8c87bf14c5cd0df0bfaf9ab6e57ad

        • C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

          Filesize

          29KB

          MD5

          44e8aee69258d741c163b3afb6d2ba5b

          SHA1

          0f8d4f45252a34e7a46eedb72444ed7865ed6909

          SHA256

          afba74a4974967c79eafc274b1b30d5eb0bb870bd63b32caed498b57f702db98

          SHA512

          b3699a7e974fb0ce0302713b32e2edd5c5775dda9160ac091120941a70854c4db6eebcdc4c8460ee470f10654caf176dd4c113b232bc5733b239f2b94540d7bb

        • C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        • C:\Users\Admin\AppData\Local\Temp\jtyFgrIf.xlsm

          Filesize

          30KB

          MD5

          cb833ee868b6d3173e06ee4639d828e1

          SHA1

          eb492308f18d60f3615db5c9b8e900be3bf79842

          SHA256

          a755d75257b24c8f0467238e4601ccaa9d5545da660de8d33416ffc6780e8559

          SHA512

          728d322b8cd40928ab1ad0bab190cf261f8ba751f87e8e2967aee781b4d3c4fa9f5d86ce2dfb6de8e36bcfe2ede170d45845a3f34f4e7a3ea472b9982a2388eb

        • C:\Users\Admin\AppData\Local\Temp\~$jtyFgrIf.xlsm

          Filesize

          165B

          MD5

          ff09371174f7c701e75f357a187c06e8

          SHA1

          57f9a638fd652922d7eb23236c80055a91724503

          SHA256

          e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

          SHA512

          e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

          Filesize

          7KB

          MD5

          9f4391b50281f204fb970b273ab59528

          SHA1

          ff84d7925a65ee9ead60d69d1d5bb177b22b4f3f

          SHA256

          b33038ddf0a873be92afa0da68e2ac05180a4f0eba4ca6e9f8a0a736548b265e

          SHA512

          645c3ae04a06ff8e46395140c51a7851e5073cdef99b7daa1707ad0955342b2abf9c985160fdae054c8c5feb82494d95ed1771bdf3e3e3a717c1677b3c00587c

        • C:\Users\Admin\svchost.exe

          Filesize

          797KB

          MD5

          63d88f269efd7ed3a5b44b285dd30bab

          SHA1

          b54410712a60d6004e09c96893b3ab2bc991e814

          SHA256

          ff4f9974e9e49e68fe433940289a7e38de533d8089532a82c33d69786e12bbc6

          SHA512

          da0ec300fb8c3fe3bdb29814dedd6926cf6f49538f3e92d5ef93c42235b3ad5bdb8e270cdf801a5e6d6f36bcc24dc8b42442892194113cd6e85de36eec55e1ab

        • \Users\Admin\AppData\Local\Temp\._cache_SAMXPrivateAIMBOTAIESPLINE.exe

          Filesize

          2.1MB

          MD5

          aaff00706d8ec73235fb063fd5f6f504

          SHA1

          2e0146da29b32f015d213751c4c95b2921aff9f9

          SHA256

          c6ecdeaebb0346bfbd8f591376e9fe7bee47c64b794b75fbbbdf185373b18adb

          SHA512

          ce763c2bc79ba3616930757531b2fef88139391c3bc2d9299453aabb88470644a824f0d413af0511ab9d531b36b935b8258c8643fce098af824e6cc2b3d445f8

        • \Users\Admin\AppData\Local\Temp\._cache_svchost.exe

          Filesize

          44KB

          MD5

          915a239651c9fb559bcec11cb0acf752

          SHA1

          f1a737defacaff35f711fde979678cb9aafba0ca

          SHA256

          ee7cbbb0f54b585b2efbbeb218a5d166df028b8d1d035a1463f284ad32465e86

          SHA512

          6d7be5cfadb068bbb644f101dc312436b38fb42d94381c946ac477431eec55b3e77abb3912c00c4f7199f03406531713e77fd7342867fff67be98e4aa19d9cac

        • \Users\Admin\SAM X HUTTA.exe

          Filesize

          1.3MB

          MD5

          7d57b6456ec3fdfd1ecfcb8cd7016185

          SHA1

          bc2a446083332b5ede87c634c7ae53bf65ca917d

          SHA256

          8834db4e7a3abc24aa49582bc3b680f27c22f2d68053223bf6f5c1d545bef77a

          SHA512

          0845991ea72baf1705e4424bd5100bf4d19ab636b827297eda21420f5561db5a00d63d27c479e8b12c72ca8dba21b442d43c57d79484111414f11bfbd4aeab13

        • memory/1508-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1508-169-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1548-90-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

        • memory/1604-174-0x000000001B540000-0x000000001B822000-memory.dmp

          Filesize

          2.9MB

        • memory/1604-175-0x00000000029A0000-0x00000000029A8000-memory.dmp

          Filesize

          32KB

        • memory/1868-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

          Filesize

          4KB

        • memory/1868-41-0x0000000000400000-0x00000000006DD000-memory.dmp

          Filesize

          2.9MB

        • memory/1932-107-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

        • memory/2524-204-0x0000000000980000-0x0000000000992000-memory.dmp

          Filesize

          72KB

        • memory/2552-63-0x0000000000DC0000-0x0000000000DD2000-memory.dmp

          Filesize

          72KB

        • memory/2588-196-0x000000001B740000-0x000000001BA22000-memory.dmp

          Filesize

          2.9MB

        • memory/2664-56-0x0000000000400000-0x00000000004CD000-memory.dmp

          Filesize

          820KB

        • memory/2696-183-0x0000000000400000-0x00000000006DD000-memory.dmp

          Filesize

          2.9MB

        • memory/2696-205-0x0000000000400000-0x00000000006DD000-memory.dmp

          Filesize

          2.9MB

        • memory/2696-244-0x0000000000400000-0x00000000006DD000-memory.dmp

          Filesize

          2.9MB

        • memory/2712-247-0x0000000000AA0000-0x0000000000AB2000-memory.dmp

          Filesize

          72KB

        • memory/2788-182-0x0000000001C80000-0x0000000001C88000-memory.dmp

          Filesize

          32KB

        • memory/2788-181-0x000000001B560000-0x000000001B842000-memory.dmp

          Filesize

          2.9MB

        • memory/2996-184-0x0000000000400000-0x00000000006DD000-memory.dmp

          Filesize

          2.9MB