Analysis

  • max time kernel
    144s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • submitted
    27/03/2024, 17:45

General

  • Target

    2024-03-27_c6a040b09d26b27b4b2e042765009868_icedid.exe

  • Size

    2.0MB

  • MD5

    c6a040b09d26b27b4b2e042765009868

  • SHA1

    69e0aa95fdf46a52726fd0e35af5f2eca3dd7867

  • SHA256

    655fa8e045bafdd00e4e00193be6fefbd62a44e09c11b729e34497feb6e274ea

  • SHA512

    479572d5f5016d66a644f817225a98f501284ba3b39d185532c67d025fe03e2cd432573ca980133f232d5cba10a503d5df33c5afbb92b31af5b7f8e913674204

  • SSDEEP

    49152:KnsHyjtk2MYC5GD8Tq24GjdGS9hWb2J3Y2pzEBOgpjoVuQr:Knsmtk2aAEjdGSGb2Jo2Dxr

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Detects Windows executables referencing non-Windows User-Agents 7 IoCs
  • Detects executables Discord URL observed in first stage droppers 7 IoCs
  • Detects executables manipulated with Fody 7 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-03-27_c6a040b09d26b27b4b2e042765009868_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-03-27_c6a040b09d26b27b4b2e042765009868_icedid.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2924
    • C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_c6a040b09d26b27b4b2e042765009868_icedid.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2024-03-27_c6a040b09d26b27b4b2e042765009868_icedid.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3048
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 1160
        3⤵
        • Loads dropped DLL
        • Program crash
        PID:1728
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1936
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2416
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.0MB

    MD5

    c6a040b09d26b27b4b2e042765009868

    SHA1

    69e0aa95fdf46a52726fd0e35af5f2eca3dd7867

    SHA256

    655fa8e045bafdd00e4e00193be6fefbd62a44e09c11b729e34497feb6e274ea

    SHA512

    479572d5f5016d66a644f817225a98f501284ba3b39d185532c67d025fe03e2cd432573ca980133f232d5cba10a503d5df33c5afbb92b31af5b7f8e913674204

  • C:\Users\Admin\AppData\Local\Temp\CheckerCFG.ini

    Filesize

    147B

    MD5

    0c5c630d82429207a27cc70c98725b2a

    SHA1

    dde1d56d95a1f25c4cfff14911052dbabf05a75f

    SHA256

    8d40bd18739221aec0d84255963d901d68a0b1db71ea659efbc99f17b53f1d29

    SHA512

    952eba8551893b34ca91f38120de7ba1bac897951bbc294b0679b14e43855e38f5e6d6b5b6105f92bb5bece8a69080969e4dd50d95966c07936ad5f6a6608c57

  • C:\Users\Admin\AppData\Local\Temp\VDJSBJWv.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • \Users\Admin\AppData\Local\Temp\._cache_2024-03-27_c6a040b09d26b27b4b2e042765009868_icedid.exe

    Filesize

    1.3MB

    MD5

    5088084e636ea82de6d987fa72d20af1

    SHA1

    176524105d7ebc2b3920741a8f8fa07f7e0e375b

    SHA256

    0179b5c868d968441099b3d5ac50fad5075a1409e2840d5727b064d5182b4d5e

    SHA512

    0d3e3ab5c32c76344f6ef4eb5b434b38b7a97448086fb3120127ece8ac4d5e1308db024105f5f7d1cb4f5bb8e712342022b831dc49e6f462c4714bc997c1072e

  • memory/1936-31-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/1936-121-0x0000000000400000-0x0000000000609000-memory.dmp

    Filesize

    2.0MB

  • memory/1936-84-0x0000000000400000-0x0000000000609000-memory.dmp

    Filesize

    2.0MB

  • memory/1936-79-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2416-47-0x00000000048C0000-0x0000000004900000-memory.dmp

    Filesize

    256KB

  • memory/2416-83-0x00000000737A0000-0x0000000073E8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2416-82-0x00000000048C0000-0x0000000004900000-memory.dmp

    Filesize

    256KB

  • memory/2416-44-0x0000000000A10000-0x0000000000B5E000-memory.dmp

    Filesize

    1.3MB

  • memory/2416-46-0x00000000737A0000-0x0000000073E8E000-memory.dmp

    Filesize

    6.9MB

  • memory/2416-48-0x00000000048C0000-0x0000000004900000-memory.dmp

    Filesize

    256KB

  • memory/2416-80-0x00000000048C0000-0x0000000004900000-memory.dmp

    Filesize

    256KB

  • memory/2752-87-0x000000006F1ED000-0x000000006F1F8000-memory.dmp

    Filesize

    44KB

  • memory/2752-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2752-53-0x000000006F1ED000-0x000000006F1F8000-memory.dmp

    Filesize

    44KB

  • memory/2924-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2924-26-0x0000000000400000-0x0000000000609000-memory.dmp

    Filesize

    2.0MB

  • memory/3048-33-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

  • memory/3048-74-0x00000000737A0000-0x0000000073E8E000-memory.dmp

    Filesize

    6.9MB

  • memory/3048-73-0x00000000009D0000-0x00000000009EA000-memory.dmp

    Filesize

    104KB

  • memory/3048-45-0x00000000005A0000-0x00000000005BC000-memory.dmp

    Filesize

    112KB

  • memory/3048-34-0x0000000004F40000-0x0000000004FEA000-memory.dmp

    Filesize

    680KB

  • memory/3048-38-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

  • memory/3048-32-0x00000000003E0000-0x0000000000406000-memory.dmp

    Filesize

    152KB

  • memory/3048-85-0x0000000004C20000-0x0000000004C60000-memory.dmp

    Filesize

    256KB

  • memory/3048-30-0x00000000737A0000-0x0000000073E8E000-memory.dmp

    Filesize

    6.9MB

  • memory/3048-29-0x0000000000C30000-0x0000000000D7E000-memory.dmp

    Filesize

    1.3MB