Overview

overview

10

Static

static

10

0d8cc0a752...70.exe

windows7-x64

10

0d8cc0a752...70.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/01/2025, 02:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe

  • Size

    828KB

  • MD5

    f2dba5b93fa78fe0357cae18d68bc13f

  • SHA1

    686e5e1ae65116c4d22315b15992163ad4d34f7c

  • SHA256

    0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570

  • SHA512

    cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970

  • SSDEEP

    12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9rR0uvsj:pnsJ39LyjbJkQFMhmC+6GD9Fl0

Score
10/10
xredxwormbackdoordiscoveryexecutionpersistencerattrojan

Malware Config

Extracted

Family

xworm

C2

simply-exotic.gl.at.ply.gg:27183

Attributes
  • Install_directory

    %Temp%

  • install_file

    Windows.exe

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Detect Xworm Payload 6 IoCs
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Xworm family
    xworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe
    "C:\Users\Admin\AppData\Local\Temp\0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1488
    • C:\Users\Admin\AppData\Local\Temp\._cache_0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1644
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\._cache_0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4864
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess '._cache_0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3520
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2080
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'User'
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:832
      • C:\Windows\System32\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "User" /tr "C:\Users\Admin\AppData\Local\Temp\User"
        3⤵
        • Scheduled Task/Job: Scheduled Task
        PID:1632
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:4540
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1380
  • C:\Users\Admin\AppData\Local\Temp\User
    C:\Users\Admin\AppData\Local\Temp\User
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1172
  • C:\Users\Admin\AppData\Local\Temp\User
    C:\Users\Admin\AppData\Local\Temp\User
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    828KB

    MD5

    f2dba5b93fa78fe0357cae18d68bc13f

    SHA1

    686e5e1ae65116c4d22315b15992163ad4d34f7c

    SHA256

    0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570

    SHA512

    cc9714c48fc9c36f98ec2230e96efd5016c254059cf23ea7ccf318e3e44337559e6f5f48d5b9367a10c5b87bd05df6345c58c64eb728769f649b2411f4dc3970

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\User.log
    Filesize

    654B

    MD5

    2ff39f6c7249774be85fd60a8f9a245e

    SHA1

    684ff36b31aedc1e587c8496c02722c6698c1c4e

    SHA256

    e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

    SHA512

    1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    d85ba6ff808d9e5444a4b369f5bc2730

    SHA1

    31aa9d96590fff6981b315e0b391b575e4c0804a

    SHA256

    84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

    SHA512

    8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    6d42b6da621e8df5674e26b799c8e2aa

    SHA1

    ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

    SHA256

    5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

    SHA512

    53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    15dde0683cd1ca19785d7262f554ba93

    SHA1

    d039c577e438546d10ac64837b05da480d06bf69

    SHA256

    d6fa39eab7ee36f44dc3f9f2839d098433db95c1eba924e4bcf4e5c0d268d961

    SHA512

    57c0e1b87bc1c136f0d39f3ce64bb8f8274a0491e4ca6e45e5c7f9070aa9d9370c6f590ce37cd600b252df2638d870205249a514c43245ca7ed49017024a4672

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    b1a1d8b05525b7b0c5babfd80488c1f2

    SHA1

    c85bbd6b7d0143676916c20fd52720499c2bb5c6

    SHA256

    adad192fc86c2f939fd3f70cb9ad323139a4e100f7c90b4454e2c53bdbc9b705

    SHA512

    346c6513c1373bab58439e37d3f75de1c5c587d7eb27076cf696e885a027b3b38d70b585839d1a2e7f2270cdcf0dac8c1fdff799f3b1158242ae9e3364c2a06e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_0d8cc0a75238c05e1b072683ee43d7e0bf827dde7a652df1467333a2b1f6a570.exe
    Filesize

    75KB

    MD5

    f63d6c11422e7e0ca83981e8dae62f96

    SHA1

    c9c6088a764b07e7d438ad603a8bfcd9972f2b06

    SHA256

    7ed1b4c14c9dfc97094ac40c5fb6c1fe109e4bfcbc953f2ba4331686388be531

    SHA512

    b4dc1037a4fa38482e355aa3f4ac8288aa926dd7c24ee5cd260b5418ebd9ba6a53ef41f3e862eaa71795a2d0b7407fc9d700ec9a224d45f4b7af1e2063f991d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\58A75E00
    Filesize

    21KB

    MD5

    3cb85cff27e4d9750d397ddead2498db

    SHA1

    f44593c2c75a930952f675599f4b3c729cf04c94

    SHA256

    5049f24c11db047bcbfd05e23eadf6337cef43bdd20cd2ae860f2146d85c1e70

    SHA512

    2d92041cbc1be6d11227dcd92c9b24c3905614b5008b1ace47dc03b50bc36258c8202e1fed47f79e824efc8cfaab2c0043ffb3c2a9289b5c481d6be7f50e76af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QkbDBWTG.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5olhfe3m.t0f.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    Download Submit

  • memory/736-332-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/736-299-0x0000000002130000-0x0000000002131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/736-298-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/736-131-0x0000000002130000-0x0000000002131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1380-198-0x00007FFE35620000-0x00007FFE35630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-193-0x00007FFE37D50000-0x00007FFE37D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-196-0x00007FFE37D50000-0x00007FFE37D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-195-0x00007FFE37D50000-0x00007FFE37D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-197-0x00007FFE35620000-0x00007FFE35630000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-194-0x00007FFE37D50000-0x00007FFE37D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1380-192-0x00007FFE37D50000-0x00007FFE37D60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1488-130-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/1488-0-0x0000000002380000-0x0000000002381000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1644-71-0x00000000009D0000-0x00000000009EA000-memory.dmp

    Filesize

    104KB

    Download

  • memory/1644-300-0x000000001B560000-0x000000001B570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1644-247-0x000000001B560000-0x000000001B570000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1644-70-0x00007FFE597E3000-0x00007FFE597E5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4864-254-0x000002A5FE110000-0x000002A5FE132000-memory.dmp

    Filesize

    136KB

    Download