xred | 0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570

Analysis

max time kernel
142s
max time network
137s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xworm.exe
Size

828KB
MD5

f2dba5b93fa78fe0357cae18d68bc13f
SHA1

686e5e1ae65116c4d22315b15992163ad4d34f7c
SHA256

0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570
SHA512

cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970
SSDEEP

12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9rR0uvsj:pnsJ39LyjbJkQFMhmC+6GD9Fl0

Score

10^/10

xred xworm backdoor discovery execution persistence rat trojan

Malware Config

Extracted

Family

xworm

simply-exotic.gl.at.ply.gg:27183

Attributes

Install_directory
%Temp%
install_file
Windows.exe

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Detect Xworm Payload 8 IoCs

resource	yara_rule
behavioral1/files/0x000c00000001202c-4.dat	family_xworm
behavioral1/files/0x000800000001628b-13.dat	family_xworm
behavioral1/memory/2784-17-0x00000000013B0000-0x00000000013CA000-memory.dmp	family_xworm
behavioral1/memory/2764-26-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/2712-36-0x00000000000F0000-0x000000000010A000-memory.dmp	family_xworm
behavioral1/memory/1752-80-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/1752-85-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm
behavioral1/memory/1752-130-0x0000000000400000-0x00000000004D5000-memory.dmp	family_xworm

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
716	powershell.exe
572	powershell.exe
1736	powershell.exe
3004	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk	._cache_Xworm.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\User.lnk	._cache_Xworm.exe

Executes dropped EXE 3 IoCs

pid	Process
2784	._cache_Xworm.exe
1752	Synaptics.exe
2712	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2764	Xworm.exe
2764	Xworm.exe
2764	Xworm.exe
1752	Synaptics.exe
1752	Synaptics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Xworm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\User = "C:\\Users\\Admin\\AppData\\Local\\Temp\\User"	._cache_Xworm.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Xworm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
1668	timeout.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1708	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2484	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
572	powershell.exe
1736	powershell.exe
3004	powershell.exe
716	powershell.exe
2784	._cache_Xworm.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	._cache_Xworm.exe
Token: SeDebugPrivilege	2712	._cache_Synaptics.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2784	._cache_Xworm.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2484	EXCEL.EXE
2784	._cache_Xworm.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2784	2764	Xworm.exe	30
PID 2764 wrote to memory of 2784	2764	Xworm.exe	30
PID 2764 wrote to memory of 2784	2764	Xworm.exe	30
PID 2764 wrote to memory of 2784	2764	Xworm.exe	30
PID 2764 wrote to memory of 1752	2764	Xworm.exe	31
PID 2764 wrote to memory of 1752	2764	Xworm.exe	31
PID 2764 wrote to memory of 1752	2764	Xworm.exe	31
PID 2764 wrote to memory of 1752	2764	Xworm.exe	31
PID 1752 wrote to memory of 2712	1752	Synaptics.exe	32
PID 1752 wrote to memory of 2712	1752	Synaptics.exe	32
PID 1752 wrote to memory of 2712	1752	Synaptics.exe	32
PID 1752 wrote to memory of 2712	1752	Synaptics.exe	32
PID 2784 wrote to memory of 572	2784	._cache_Xworm.exe	35
PID 2784 wrote to memory of 572	2784	._cache_Xworm.exe	35
PID 2784 wrote to memory of 572	2784	._cache_Xworm.exe	35
PID 2784 wrote to memory of 1736	2784	._cache_Xworm.exe	37
PID 2784 wrote to memory of 1736	2784	._cache_Xworm.exe	37
PID 2784 wrote to memory of 1736	2784	._cache_Xworm.exe	37
PID 2784 wrote to memory of 3004	2784	._cache_Xworm.exe	39
PID 2784 wrote to memory of 3004	2784	._cache_Xworm.exe	39
PID 2784 wrote to memory of 3004	2784	._cache_Xworm.exe	39
PID 2784 wrote to memory of 716	2784	._cache_Xworm.exe	42
PID 2784 wrote to memory of 716	2784	._cache_Xworm.exe	42
PID 2784 wrote to memory of 716	2784	._cache_Xworm.exe	42
PID 2784 wrote to memory of 1708	2784	._cache_Xworm.exe	44
PID 2784 wrote to memory of 1708	2784	._cache_Xworm.exe	44
PID 2784 wrote to memory of 1708	2784	._cache_Xworm.exe	44
PID 2784 wrote to memory of 1004	2784	._cache_Xworm.exe	46
PID 2784 wrote to memory of 1004	2784	._cache_Xworm.exe	46
PID 2784 wrote to memory of 1004	2784	._cache_Xworm.exe	46
PID 2784 wrote to memory of 1192	2784	._cache_Xworm.exe	48
PID 2784 wrote to memory of 1192	2784	._cache_Xworm.exe	48
PID 2784 wrote to memory of 1192	2784	._cache_Xworm.exe	48
PID 1192 wrote to memory of 1668	1192	cmd.exe	50
PID 1192 wrote to memory of 1668	1192	cmd.exe	50
PID 1192 wrote to memory of 1668	1192	cmd.exe	50

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Xworm.exe
"C:\Users\Admin\AppData\Local\Temp\Xworm.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_Xworm.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:716
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1708
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /delete /f /tn "User"
    3⤵
    PID:1004
- - C:\Windows\system32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp98C6.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:1668
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2712

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
828KB

MD5
f2dba5b93fa78fe0357cae18d68bc13f

SHA1
686e5e1ae65116c4d22315b15992163ad4d34f7c

SHA256
0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570

SHA512
cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNgmlY1I.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp98C6.tmp.bat

Filesize
165B

MD5
e762d54577d6c9ed43232d10ff6a422c

SHA1
5b833ad9ab4038c0e6f41926c9b3e438ece56c7f

SHA256
97e8f9b4d24af75724c0ce37a1f1ddf268a4a54e33514b3755cd805f82d07b8d

SHA512
dcebeffa2efb4649cc092cc51a66543115701890998931f61a88c5c7b061373214990f8af4a258e898fe8b355c5b248b2861935268d3c911a048618b7845b06d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fbd3e2d9478db25d30b8859d5c7f75b4

SHA1
ff78e0c09e8178af9230b82abde729b788ceb5d5

SHA256
e9c7d022fdafe4fe45090ce67407a6ca174f87567a648cb83fee9be69ab68bac

SHA512
7c9c5155400ff85d9fba31f71e4cfc8192c77c824f0e3248bd7a8990fedc96593ae65788672e7a1398bd8fd8656c584a0d9986888beb8a53085a0a9b05301903

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Xworm.exe

Filesize
75KB

MD5
f63d6c11422e7e0ca83981e8dae62f96

SHA1
c9c6088a764b07e7d438ad603a8bfcd9972f2b06

SHA256
7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531

SHA512
b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9

Download Submit
memory/572-61-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/572-62-0x0000000001F90000-0x0000000001F98000-memory.dmp

Filesize
32KB

Download
memory/1736-69-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1736-68-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1752-80-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1752-85-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/1752-130-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2484-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2712-36-0x00000000000F0000-0x000000000010A000-memory.dmp

Filesize
104KB

Download
memory/2764-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2764-26-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2784-17-0x00000000013B0000-0x00000000013CA000-memory.dmp

Filesize
104KB

Download