Overview

overview

10

Static

static

10

InternetExplorer.exe

windows7-x64

10

InternetExplorer.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-11-2024 04:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    InternetExplorer.exe

  • Size

    855KB

  • MD5

    c0fc5c9a5e085d4ceba2e938561f2cd7

  • SHA1

    6e5d22ac8bc8db7822d1f7626a00f5525e4e74ef

  • SHA256

    35607928da6aded83ef5a7261408406e3d80bb0a11ee5cfb29e24e91007d5f27

  • SHA512

    30acb5d2fa54d7fcbf8a3253caf34a8e4d632c41cef73756128e506eeac3e8b66acc1c7cb93ccae355b215bf61b7473191624df11ca2ef1a9f67059d8b53c320

  • SSDEEP

    12288:BMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9wvz8czTHkj:BnsJ39LyjbJkQFMhmC+6GD9o8czTHU

Score
10/10
xredadwarebackdoordiscoverypersistencestealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 64 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\InternetExplorer.exe
    "C:\Users\Admin\AppData\Local\Temp\InternetExplorer.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\._cache_InternetExplorer.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_InternetExplorer.exe"
      2⤵
      • Executes dropped EXE
      • Installs/modifies Browser Helper Object
      • System policy modification
      PID:3172
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4656
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System policy modification
        PID:4052
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/p/?LinkId=255141# -embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:392
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:392 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:3528
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2280
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" InjUpdate/# -embedding
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3980 CREDAT:17410 /prefetch:2
      2⤵
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    855KB

    MD5

    c0fc5c9a5e085d4ceba2e938561f2cd7

    SHA1

    6e5d22ac8bc8db7822d1f7626a00f5525e4e74ef

    SHA256

    35607928da6aded83ef5a7261408406e3d80bb0a11ee5cfb29e24e91007d5f27

    SHA512

    30acb5d2fa54d7fcbf8a3253caf34a8e4d632c41cef73756128e506eeac3e8b66acc1c7cb93ccae355b215bf61b7473191624df11ca2ef1a9f67059d8b53c320

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
    Filesize

    471B

    MD5

    c0ef978f645bbbd2d756cdbd7b33f8f1

    SHA1

    37d13acba0dab43fedc33983d8e210e52ebf9a46

    SHA256

    7900093a0b4cad3b1837c7d3f485d6aa8da596447baca8397ac6a140b59924ac

    SHA512

    fba2fc13d390af1674d81236cbac504692fbb56c5a2d97090c93ed4c7b6b83534e2ec72ccafc6b7954f4ba94f482ed8cc29443989d753e4d6cb3bf47be0873b4

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
    Filesize

    412B

    MD5

    236fd1f8d2c8d763e7f6ebac997a5b16

    SHA1

    27e6caddd80fe25c3740df509f0eb7203ce9fa38

    SHA256

    97cfb711021d9879cf01ba98be50ae0ed1ca2c5536c130ee7640747f657b822a

    SHA512

    8e81d9e66041db91e543541de8d5cf0819de89d53425cba9eced393c387a55df0fd35f7e612da0fc1d47d0c069fcafea8d350f566b062ebcb665196c94026f84

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\DOMStore\4TZGA8A9\www.msn[1].xml
    Filesize

    127B

    MD5

    00fc778bf265efb55b79b69716c5f595

    SHA1

    e2bea70d3908b84aac1a2d889510fd26ec9f66d0

    SHA256

    3f3e23e0de85c19c4813d55a04eb7c55e7bd94fdb0062553bb7ba9d0097a392e

    SHA512

    0937ae5ef02d72ebf86c5328030511c22a336d967f44a1bbdd9afa9ce8bd3535d676d8e8b1558c67274b91db49106a07bf454ba2b98de0af5826fa8fcd00e242

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{DC97BE58-9BF7-11EF-B319-C67090DD1599}.dat
    Filesize

    5KB

    MD5

    6f58fa1a75713c1caa530224cbe60df5

    SHA1

    06e360f690c19af046de7d154e16cba5b4f17649

    SHA256

    9ef0ae5e63d161587c59d76bd764f4120fe7ef8a3dec6f542f76f15779af2ad7

    SHA512

    f13a1b182ad654e7924d93a65fc72bda54b02f7d96482b617eb6379b80aa020d0eddc093f2deec0fee9db878b0a65e92edc9082a57c9db388d800f87b61c56fd

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\VersionManager\verF81B.tmp
    Filesize

    15KB

    MD5

    1a545d0052b581fbb2ab4c52133846bc

    SHA1

    62f3266a9b9925cd6d98658b92adec673cbe3dd3

    SHA256

    557472aeaebf4c1c800b9df14c190f66d62cbabb011300dbedde2dcddd27a6c1

    SHA512

    bd326d111589d87cd6d019378ec725ac9ac7ad4c36f22453941f7d52f90b747ede4783a83dfff6cae1b3bb46690ad49cffa77f2afda019b22863ac485b406e8d

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\5a279vn\imagestore.dat
    Filesize

    866B

    MD5

    39908d72765063d57d337a1d564cc0f3

    SHA1

    df2c5ceffb0dbd680937057af3a48ebd443d575a

    SHA256

    80ce4780f1a2800ed78bb48bcda5c3e937850f4200fbfd912df2d8c3dad8124d

    SHA512

    d4c61bae6c133961676eb0401694c6c92df718f2e03213755555feb3483130aa9987545ce94e172df65efe842ada5dbbe9bfbca0fc2730634257136bcab12b73

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\3DWZNJ32\suggestions[1].en-US
    Filesize

    17KB

    MD5

    5a34cb996293fde2cb7a4ac89587393a

    SHA1

    3c96c993500690d1a77873cd62bc639b3a10653f

    SHA256

    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

    SHA512

    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\8R55UT9S\favicon[1].ico
    Filesize

    758B

    MD5

    84cc977d0eb148166481b01d8418e375

    SHA1

    00e2461bcd67d7ba511db230415000aefbd30d2d

    SHA256

    bbf8da37d92138cc08ffeec8e3379c334988d5ae99f4415579999bfbbb57a66c

    SHA512

    f47a507077f9173fb07ec200c2677ba5f783d645be100f12efe71f701a74272a98e853c4fab63740d685853935d545730992d0004c9d2fe8e1965445cab509c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_InternetExplorer.exe
    Filesize

    102KB

    MD5

    5844f433866e0eb7d1142a6fe03d67a2

    SHA1

    b98c822ead7d8228de59af904dfc5e9e9d48b7e5

    SHA256

    f0a192490cf0da43cf8c8ec39e7ad95e86a7ba9e7c8493d401727f62fd53f665

    SHA512

    35f083bd789e440619f371ad720aeb1c149c90ba6a4601e04482f41c490b1bdf0cfa43d2110e6c2ee195d4721717cf8d07829e658145fc31fdf383b051b28c27

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7yaGR9Ah.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7yaGR9Ah.xlsm
    Filesize

    21KB

    MD5

    06b6f3901ddac9bc17548bee225ecd10

    SHA1

    ad2ab6bbddb174f325e92ef03d0964128a48f98e

    SHA256

    1c5086fc0f46566ce351981b39fcd5e17b3daf95b25fce9adcbde957332c9f58

    SHA512

    a7bbd794dec069d46c658d539921427de844e2f08ccca20d8670b53282da16d0e28d7a944bc0881c755b32fab93c8f15addf645b8d200ef9cdda652ae03cc7d2

    Download Submit

  • memory/2280-199-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-193-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-200-0x00007FFD4AB00000-0x00007FFD4AB10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-197-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-196-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-194-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2280-195-0x00007FFD4D3B0000-0x00007FFD4D3C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2476-0-0x0000000002280000-0x0000000002281000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2476-130-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/3172-71-0x0000000000650000-0x000000000066E000-memory.dmp

    Filesize

    120KB

    Download

  • memory/3172-65-0x00007FFD6E9C3000-0x00007FFD6E9C5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/4656-335-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download

  • memory/4656-336-0x0000000002130000-0x0000000002131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4656-132-0x0000000002130000-0x0000000002131000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4656-386-0x0000000000400000-0x00000000004DC000-memory.dmp

    Filesize

    880KB

    Download