Overview

overview

10

Static

static

10

2024-03-27...er.exe

windows7-x64

10

2024-03-27...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • submitted
    27-03-2024 17:23

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-03-27_0a4019c22a8e3880da019a58d94ab817_magniber.exe

  • Size

    13.0MB

  • MD5

    0a4019c22a8e3880da019a58d94ab817

  • SHA1

    239ec755994179261c60041bb7b0a8fbf17d002a

  • SHA256

    68cf6689300e6cf3c0a6414d6cd87fa417a20a58506c57b1c3bc7ea39b2b3d8d

  • SHA512

    73dd3e72aa56e6de1d17cf4700d375118db3a6ab2984e78008ebbe0ba2c95b356f79817c4f24c93ba6e8cda8cd4029ccc96937b41843596837051e66dd9d2a20

  • SSDEEP

    393216:nCbJFfy5xNyrIaJ5n+IjEUnHZd/yCZdGAca9wBrisVL+kGrxBcM/mgVJ9Y++txtN:C3IoEUnzqCFOtxtOi

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Detects Windows executables referencing non-Windows User-Agents 5 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-27_0a4019c22a8e3880da019a58d94ab817_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-27_0a4019c22a8e3880da019a58d94ab817_magniber.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1964
    • C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_0a4019c22a8e3880da019a58d94ab817_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_0a4019c22a8e3880da019a58d94ab817_magniber.exe"
      2⤵
      • Executes dropped EXE
      PID:2620
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2284
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1888

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    13.0MB

    MD5

    0a4019c22a8e3880da019a58d94ab817

    SHA1

    239ec755994179261c60041bb7b0a8fbf17d002a

    SHA256

    68cf6689300e6cf3c0a6414d6cd87fa417a20a58506c57b1c3bc7ea39b2b3d8d

    SHA512

    73dd3e72aa56e6de1d17cf4700d375118db3a6ab2984e78008ebbe0ba2c95b356f79817c4f24c93ba6e8cda8cd4029ccc96937b41843596837051e66dd9d2a20

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_0a4019c22a8e3880da019a58d94ab817_magniber.exe
    Filesize

    12.2MB

    MD5

    c46e773716b85cddb011fee736570f6d

    SHA1

    577c0ba88ece78f76c38c3c3fdc3b7719bbf12cb

    SHA256

    77ebb93fd2a1772fc0d92e0c1391f8cd6fff151c9446297a000d39e26c41ad21

    SHA512

    ba9a1d4d52af702e0eb49f8bcc00e6f24de290c0e96d8e72802dd8addcdb43e8819f349281218654c1a593e4b91f3742ee8a9275333dbb8e35301c4539b07ce4

    Download Submit

  • memory/1964-0-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1964-100-0x0000000000400000-0x00000000010FF000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/2284-101-0x0000000002C50000-0x0000000002C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2284-134-0x0000000000400000-0x00000000010FF000-memory.dmp

    Filesize

    13.0MB

    Download

  • memory/2284-136-0x0000000002C50000-0x0000000002C51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2284-160-0x0000000000400000-0x00000000010FF000-memory.dmp

    Filesize

    13.0MB

    Download