Analysis

  • max time kernel
    119s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • submitted
    13-09-2024 21:23

General

  • Target

    cb9dc4606ac85050ceec95e649100000N.exe

  • Size

    829KB

  • MD5

    cb9dc4606ac85050ceec95e649100000

  • SHA1

    9398495b08379335b9166ed0a941b0cff6ca429f

  • SHA256

    b1492690bba76715a0b60aacfe75bfb7876f3b7d8f03a5a32172b084be81ba7d

  • SHA512

    4f2d7905205a0fafc09f5f9b8f072baa07d2f3c91d4e176dd785db2089e80d225fe58fb548c58bf01d144cf410b392fa14b50bc4890fab287a3d07e8b65709b2

  • SSDEEP

    12288:DMSApJVYG5lhULyjsb0eOzkv4R7QnvUUilQ35+6G75V9IWhBjvrEH7uc:DnsJ30LyjbJkQFMhmC+6Gb9BrEH79

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Floxif family
  • Floxif, Floodfix

    Floxif aka FloodFix is a file-changing trojan and backdoor written in C++.

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Detects Floxif payload 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe
    "C:\Users\Admin\AppData\Local\Temp\cb9dc4606ac85050ceec95e649100000N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2380
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Enumerates connected drives
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Common Files\System\symsrv.dll.000

    Filesize

    175B

    MD5

    1130c911bf5db4b8f7cf9b6f4b457623

    SHA1

    48e734c4bc1a8b5399bff4954e54b268bde9d54c

    SHA256

    eba08cc8182f379392a97f542b350ea0dbbe5e4009472f35af20e3d857eafdf1

    SHA512

    94e2511ef2c53494c2aff0960266491ffc0e54e75185427d1ccedae27c286992c754ca94cbb0c9ea36e3f04cd4eb7f032c551cf2d4b309f292906303f1a75fa0

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    829KB

    MD5

    cb9dc4606ac85050ceec95e649100000

    SHA1

    9398495b08379335b9166ed0a941b0cff6ca429f

    SHA256

    b1492690bba76715a0b60aacfe75bfb7876f3b7d8f03a5a32172b084be81ba7d

    SHA512

    4f2d7905205a0fafc09f5f9b8f072baa07d2f3c91d4e176dd785db2089e80d225fe58fb548c58bf01d144cf410b392fa14b50bc4890fab287a3d07e8b65709b2

  • C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm

    Filesize

    24KB

    MD5

    8851c4a9f95491db21856be6adeae1a0

    SHA1

    f649482cff91a044b40ec09f9569c26b4bbeba2b

    SHA256

    548d9266f0c70ef1df63742f4c32316ac7e544ef8cd67b818f269449dbca3d52

    SHA512

    7d77760962f803128b5fdbf25615d6f5436201cc22ec4c6fc11368ec40164d00f2994b62cf2eef4b3dafd6f213eaf28b28dcaf62fd9151d53561644e5ebde429

  • C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm

    Filesize

    20KB

    MD5

    99a18dfb742a40016fdc37fbc599e0cf

    SHA1

    f5502769f8e9f694404aaf5a9b9d830dced2dd5e

    SHA256

    0820f783a2899d73a48fb5b5daa5470e19d4bd3252ebfb34b65ec661ca525a3e

    SHA512

    79ecb9878fc403d5156aa04e254680311bfc54d15ad872b7c8ee918fde1245236e877f7078a068b9ff2b02fda411504acd34960f3067d247d767f45bc3db0b91

  • C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm

    Filesize

    28KB

    MD5

    73f10c5c93825ba78bb8dd5e3844ebc3

    SHA1

    ed8eda737eeb28e54e861e12e9280d7adc832a28

    SHA256

    525db427b076f8bbc1bf82ccd37a75b3ffafe6ff25c0cc450f853be9d21e7198

    SHA512

    039aabb025faf6f0f6b334883f79802afc6cbf93f1cd926ad98af968ffc6e6ce8206204417d09627d84d31b008f6e2150ad94af5f1ff40f5210e376160d8c868

  • C:\Users\Admin\AppData\Local\Temp\2p3CUcNh.xlsm

    Filesize

    23KB

    MD5

    ff427854f7475fccd73e99d8c02a47a4

    SHA1

    a7aa9fbc26e3c34a08769b2cf24dcac782904c51

    SHA256

    5e984d418b7379ec263da7bec3c2dd79a8bbc98dce35d39e96db957082315c80

    SHA512

    4d99c09fc84645a45d3c8372e3e39e09e3627397f372cef60c8d23654cf04cb3b50eb79f7fee6f44edbfa9201c719c1fb6787570c033b838b4570ed069ab166d

  • C:\Users\Admin\Documents\~$UsePush.xlsx

    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

  • \Program Files (x86)\Microsoft Office\Office14\gfx.dll.tmp

    Filesize

    1.7MB

    MD5

    929da7b631e3883432c8a9cc3800b2ef

    SHA1

    439d90e32f1a95a18667fb054eee707d8da171c6

    SHA256

    9877f6b53fbdd0977697aacced41d856bca4fb80bda072a9d77f9f84dadb2217

    SHA512

    010d08bdba82f5901cb52560f9f595650cb1920f02aa5244ef42c58a8e98b3450731b5ab53fddc3211c8497a49e31747a8e21858df294321ff8737b196728b45

  • \Program Files\Common Files\System\symsrv.dll

    Filesize

    67KB

    MD5

    7574cf2c64f35161ab1292e2f532aabf

    SHA1

    14ba3fa927a06224dfe587014299e834def4644f

    SHA256

    de055a89de246e629a8694bde18af2b1605e4b9b493c7e4aef669dd67acf5085

    SHA512

    4db19f2d8d5bc1c7bbb812d3fa9c43b80fa22140b346d2760f090b73aed8a5177edb4bddc647a6ebd5a2db8565be5a1a36a602b0d759e38540d9a584ba5896ab

  • \Users\Admin\AppData\Local\Temp\A1D26E2\F5F3A8C94C.tmp

    Filesize

    753KB

    MD5

    d9167c0e9e27b90a13965cdcdcf05e0c

    SHA1

    cae0b273832c2ae23d4aad128de5f7ac1bfb896f

    SHA256

    93262f54fb78e6b875c2b196dc376fec7f38d1064df02cec5cbade3c55255987

    SHA512

    ae0e9fb3c903e1754a3b23b8d3de48816993a44e2be6cacc87799a59e133d20017d667ca476ccc2e67f228322e815cf87ce1b3f1918114f630f29e98cb6c521e

  • memory/2380-25-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2380-29-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2380-3-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-116-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2560-113-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-112-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2560-117-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-121-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-125-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-31-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-129-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-133-0x0000000010000000-0x0000000010030000-memory.dmp

    Filesize

    192KB

  • memory/2560-162-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

  • memory/2668-32-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB