Analysis

  • max time kernel
    110s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    06-11-2024 12:04

General

  • Target

    c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe

  • Size

    848KB

  • MD5

    b587fb78d3363dfcd5fc656d51b73a40

  • SHA1

    2ed25a221704a7014571c22b9a9cb85d2786a7bd

  • SHA256

    c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3

  • SHA512

    5ebd2e0568a9e5f194960e3bd08b84a0fe096986f8a3c5b7b3206e9408cd9a7b856889da1906b78f7ded2857079b4c4b4c41d9316f00a39b53b96c81f76bdd6b

  • SSDEEP

    12288:5MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9YCG5ucAVXL7KoanqughtB:5nsJ39LyjbJkQFMhmC+6GD9X

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe
    "C:\Users\Admin\AppData\Local\Temp\c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Local\Temp\._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:1796
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2480
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2948
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2156

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    848KB

    MD5

    b587fb78d3363dfcd5fc656d51b73a40

    SHA1

    2ed25a221704a7014571c22b9a9cb85d2786a7bd

    SHA256

    c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3

    SHA512

    5ebd2e0568a9e5f194960e3bd08b84a0fe096986f8a3c5b7b3206e9408cd9a7b856889da1906b78f7ded2857079b4c4b4c41d9316f00a39b53b96c81f76bdd6b

  • C:\Users\Admin\AppData\Local\Temp\V4NqPput.xlsm

    Filesize

    25KB

    MD5

    e67bd160b8f6403ecb48e44e52dbe2c7

    SHA1

    c8c2e70c8ab81df83787ebb72642ce51b1f47a14

    SHA256

    4a47bfd54ea91dc1f1e9d0f2aa055f870284afd4959e2c4358625136cc78d5ef

    SHA512

    71f204481d52bafaba56b375ec6e12b658573055812bc5cebc46e1a4a60e6636b15aaf6578004fc70b2a0c6d27e3fff8219eb28a55c27de777a87fe9a6812f44

  • C:\Users\Admin\AppData\Local\Temp\V4NqPput.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • \Users\Admin\AppData\Local\Temp\._cache_c4eb0fde141d85f36309251d0a006723d71503a5f5c0b5ec1d577c78256d94d3N.exe

    Filesize

    94KB

    MD5

    d90819dc5dccbc23a1caf3896e6a5cc8

    SHA1

    a8eca18583a4e220037f5d431ebb0879a202133e

    SHA256

    0b54e5c30943e5d334138def5d47b38a6e74fb236fe58a8bc7c5dcff8e42370a

    SHA512

    33fbe5e84a9f7880c33dde25591401b6cf02e13b14bb424ee9dcb3a9e9a194e19bd219495e2caf6e4b17e412cc6172fa82a8e7904ddd8f6ee28aa8b03738da83

  • memory/2156-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2480-80-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/2480-81-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/2480-113-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB

  • memory/2600-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2600-26-0x0000000000400000-0x00000000004DA000-memory.dmp

    Filesize

    872KB