General

  • Target

    boot_fps_v2.rar

  • Size

    20.1MB

  • Sample

    241219-r3514atrd1

  • MD5

    2be5d8faf40ced85b24204da86425cfd

  • SHA1

    649e935ea6e27357558dc8c079cf3cb28a724ee5

  • SHA256

    04cf383bf7d4e2f3e23c162f56c46b8f1728a57e53b28f47c9eb2280a45fdec4

  • SHA512

    56fda3890457cafd6773c549472610e21f9803284d9d2f1e9dfd2cd043b124675680e47526b80526c77583b3d86cc0d7e6c37f4f92dd2b7a1bba0983650da802

  • SSDEEP

    393216:P2WD2NrtrFEm3bqn4fXuqvxKiHFkzadFewtRG6a6LQbZJ5a:VDmZlCrqJU2fHpLeZJo

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Extracted

Family

xworm

Version

5.0

C2

89.213.177.171:7000

Mutex

QSt8Afyc7zR2PwtO

Attributes
  • Install_directory

    %ProgramData%

  • install_file

    VLC_Medai.exe

aes.plain

Targets

    • Target

      boot_fps_v2.rar

    • Size

      20.1MB

    • MD5

      2be5d8faf40ced85b24204da86425cfd

    • SHA1

      649e935ea6e27357558dc8c079cf3cb28a724ee5

    • SHA256

      04cf383bf7d4e2f3e23c162f56c46b8f1728a57e53b28f47c9eb2280a45fdec4

    • SHA512

      56fda3890457cafd6773c549472610e21f9803284d9d2f1e9dfd2cd043b124675680e47526b80526c77583b3d86cc0d7e6c37f4f92dd2b7a1bba0983650da802

    • SSDEEP

      393216:P2WD2NrtrFEm3bqn4fXuqvxKiHFkzadFewtRG6a6LQbZJ5a:VDmZlCrqJU2fHpLeZJo

    • Detect Xworm Payload

    • Xred

      Xred is a backdoor written in Delphi.

    • Xred family

    • Xworm

      Xworm is a remote access trojan written in C#.

    • Xworm family

    • Modifies boot configuration data using bcdedit

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Drops startup file

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.
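
The behaviours listed above (Defender exclusions via PowerShell, bcdedit, a Run key, the country-code lookup, the external IP lookup) together with the C2, mutex and install file from the extracted config can be turned into a small triage pass over endpoint telemetry. The script below is an added example, not the sandbox's own detection logic: the IOC constants are copied from the report's Malware Config section, every event record is constructed for the demo (it is not telemetry from this sample), the registry location for the country code (Control Panel\International\Geo\Nation), the IP-lookup host list and the ATT&CK technique IDs are this example's own assumptions.

```python
"""Behavioural triage over constructed endpoint events.

Added example, not part of the sandbox report. IOC constants come from the
report's extracted config; the events below are constructed for the demo, and
the rule-to-ATT&CK mapping is this example's assumption.
"""
import re
from typing import Dict, Iterable, List, Tuple

# --- IOCs copied from the report's "Malware Config" section -------------------
XRED_DOMAINS = {"xred.mooo.com", "xred.site50.net"}
XWORM_C2 = ("89.213.177.171", 7000)
XWORM_MUTEX = "QSt8Afyc7zR2PwtO"
XWORM_INSTALL_FILE = "VLC_Medai.exe"   # spelled as the malware spells it

# --- constructed events (NOT taken from the report) ---------------------------
EVENTS: List[Dict] = [
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell -nop -w hidden Add-MpPreference -ExclusionPath C:\ProgramData "
                r"-ExclusionProcess VLC_Medai.exe -ExclusionExtension exe"},
    {"type": "process", "image": r"C:\Windows\System32\bcdedit.exe",
     "cmdline": r"bcdedit /set {default} bootstatuspolicy ignoreallfailures"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "VLC_Medai", "data": r"C:\ProgramData\VLC_Medai.exe"},
    # assumed location of the configured home country (geofence check)
    {"type": "registry_read", "key": r"HKCU\Control Panel\International\Geo", "value": "Nation"},
    {"type": "mutex", "name": "QSt8Afyc7zR2PwtO"},
    {"type": "dns", "query": "xred.mooo.com"},
    {"type": "net", "dst": "89.213.177.171", "port": 7000},
    {"type": "net", "dst": "api.ipify.org", "port": 443},      # assumed IP-lookup service
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},  # benign control
]

Finding = Tuple[str, str]  # (rule id, description)

# Add-MpPreference / Set-MpPreference with any of the three exclusion kinds
MP_EXCLUSION = re.compile(r"(Add|Set)-MpPreference\b.*-Exclusion(Path|Process|Extension)", re.I)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$", re.I)
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}


def check_event(ev: Dict) -> List[Finding]:
    """Return every rule the single event matches (empty list for benign events)."""
    hits: List[Finding] = []
    t = ev["type"]
    if t == "process":
        cmd = ev.get("cmdline", "")
        image = ev.get("image", "").lower()
        if image.endswith("powershell.exe") and MP_EXCLUSION.search(cmd):
            hits.append(("T1562.001", "PowerShell adds Windows Defender exclusion"))
        if image.endswith("bcdedit.exe"):
            hits.append(("bcdedit", "boot configuration data modified via bcdedit"))
    elif t == "registry_set" and RUN_KEY.search(ev["key"]):
        hits.append(("T1547.001", f"Run key persistence: {ev['value']} -> {ev['data']}"))
    elif (t == "registry_read"
          and ev["key"].lower().endswith(r"\international\geo")
          and ev.get("value") == "Nation"):
        hits.append(("T1614", "reads configured country code (possible geofence)"))
    elif t == "mutex" and ev["name"] == XWORM_MUTEX:
        hits.append(("xworm-mutex", "XWorm mutex from extracted config"))
    elif t == "dns" and ev["query"].lower() in XRED_DOMAINS:
        hits.append(("xred-c2", f"DNS query for Xred C2 {ev['query']}"))
    elif t == "net":
        if (ev["dst"], ev["port"]) == XWORM_C2:
            hits.append(("xworm-c2", "connection to XWorm C2 from extracted config"))
        if ev["dst"].lower() in IP_LOOKUP_HOSTS:
            hits.append(("T1016", f"external IP lookup via {ev['dst']}"))
    return hits


def triage(events: Iterable[Dict]) -> List[Finding]:
    """Run every event through check_event and flatten the findings."""
    out: List[Finding] = []
    for ev in events:
        out.extend(check_event(ev))
    return out


if __name__ == "__main__":
    for rule, desc in triage(EVENTS):
        print(f"{rule:12} {desc}")
```

The config-derived rules (mutex, C2 address, Xred domains) are exact-match and brittle by design: they confirm this family but miss the next build. The behavioural rules (Defender exclusion, Run key, bcdedit, country-code read, IP lookup) are what to keep in a detection pipeline, with the benign control event showing they do not fire on ordinary process activity.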

MITRE ATT&CK Enterprise v15

Tasks