Overview

overview

10

Static

static

3

Supplier R...df.exe

windows7-x64

10

Supplier R...df.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240708-en
  • submitted
    18-10-2024 11:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Supplier RFQ ID 365242213q___________________________pdf.exe

  • Size

    763KB

  • MD5

    f063df845a7bfb23a59cb8c8e5fa28eb

  • SHA1

    a80bf8e2cc122c95a145a34d96da39ad9224bd40

  • SHA256

    ebf8c70201f3fa543de8bc8a93f96f04d39b09f99e39a30729eafb033d2cf14b

  • SHA512

    94de5c5137edebd31b8d048fb87a8682e4d3a7f37ead13c8e50ff5ca05c1a174625138ac4edb794e0a82ad6e30d3955299612de10a6010e2730f1b0b824f864e

  • SSDEEP

    12288:CMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IiKt9j:CnsJ39LyjbJkQFMhmC+6GD9lm

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Supplier RFQ ID 365242213q___________________________pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\Supplier RFQ ID 365242213q___________________________pdf.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Local\Temp\._cache_Supplier RFQ ID 365242213q___________________________pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Supplier RFQ ID 365242213q___________________________pdf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:2164
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1808
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3040
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2600

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    763KB

    MD5

    f063df845a7bfb23a59cb8c8e5fa28eb

    SHA1

    a80bf8e2cc122c95a145a34d96da39ad9224bd40

    SHA256

    ebf8c70201f3fa543de8bc8a93f96f04d39b09f99e39a30729eafb033d2cf14b

    SHA512

    94de5c5137edebd31b8d048fb87a8682e4d3a7f37ead13c8e50ff5ca05c1a174625138ac4edb794e0a82ad6e30d3955299612de10a6010e2730f1b0b824f864e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbVb6Ow1.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbVb6Ow1.xlsm
    Filesize

    28KB

    MD5

    0b1e648fca2072ac19a12cbaded09dac

    SHA1

    91f502b86fcdacec1b105087ae1e1a08b45fea49

    SHA256

    b5f2dfb9e88fa85bd273fcbeea4de16104df8fa9315a2b971a0a6940e3e73bfa

    SHA512

    e8da3ac4365a2f054fd8ea59141d8496a900458c7ed1a7f619c5365cdfc3df2624914db731e7eaf80bdf343e6e0152377a0ff6ba6a225f63a5a9e2334780acd9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbVb6Ow1.xlsm
    Filesize

    25KB

    MD5

    ce7807c431572f9c56856a0a53e7cf25

    SHA1

    841e0921487d25fa8dcaf21bfcd5c51f353ecb3d

    SHA256

    f196069d49d919740455713e85561c6e6f052f665a0cabccd0e4462f8a3dff85

    SHA512

    7cce72162e7ac31e1098474a1f53830c1431eababb4bf25de604227769c61b361ed9fa01f8d00c48c61c14a2c4518015d58cf75ae3e14be2bfe2f2a585120df0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\vbVb6Ow1.xlsm
    Filesize

    28KB

    MD5

    37572f56e370941cf06dcdd7c25fe10f

    SHA1

    ae7a1b87e70122fe06dbd0b21fd7c24bd753a593

    SHA256

    19af7d8b19d72da2a8544d86f19149b0bd8e85331a6e9d9154063e3f0919d814

    SHA512

    fe5281264156f8421b76f15f18df96e3d48eaf47b4818f83fc79fcb72bd3878288134768aff28d9418fec344cc968d64c4c93a3fea669cb8d825e3947bf2c38a

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_Supplier RFQ ID 365242213q___________________________pdf.exe
    Filesize

    9KB

    MD5

    f90ea0a295f1f19131fd81e0494df731

    SHA1

    51d5a58045de6d06e2a5eea3c5f823caa18695b6

    SHA256

    905d6410a4f44915a21dcbf57b1709b35959f858ee2cecd773ee40cec5465510

    SHA512

    797b19355a1693c68a24453b0df01ade47253e0f90fe1c1cb1f23b73a4233c6181fb746a6bf41ae0d3add011e0e3cdb656c0715f3879b68a6d7fc4f442e9e1af

    Download Submit

  • memory/1604-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1604-28-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/1808-141-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/1808-109-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/1808-107-0x0000000000400000-0x00000000004C5000-memory.dmp

    Filesize

    788KB

    Download

  • memory/2164-19-0x00000000008E0000-0x00000000008E8000-memory.dmp

    Filesize

    32KB

    Download

  • memory/2164-108-0x00000000737BE000-0x00000000737BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2164-18-0x00000000737BE000-0x00000000737BF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2600-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3040-39-0x00000000010C0000-0x00000000010C8000-memory.dmp

    Filesize

    32KB

    Download