Overview

overview

10

Static

static

10

temp.rar

windows7-x64

1

temp.rar

windows10-2004-x64

10

Resubmissions

07-11-2024 01:27

241107-bt6m9ssfrk 10

Analysis

  • max time kernel
    22s
  • max time network
    23s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    07-11-2024 01:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    temp.rar

  • Size

    1.3MB

  • MD5

    f301da37cb351e373f8c3743f7db9d9e

  • SHA1

    68b99061cf476e4c55c6585e2b13b6af61c5f868

  • SHA256

    41209e810ad9088d037c75bd7a62784d456fb7e92cb500aa46eb0e6992e2eed1

  • SHA512

    23d84ccb08a0547f8042dd4d443a421db815a25573f6e3024505e90a1040dccc5d260b2af588403746bfb1744757eaa63b2919537b4c0099ee71e86a837a9809

  • SSDEEP

    24576:Y1KK6ImbokiLRq3dieSQiua9oc52Eo7+ylHZMFjYJ6aJxyuOIoo9e5F6RsJW:YcCoo5L4Nn/s+lEM+ylGsJ6a+1to9AFk

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 10 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 9 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\temp.rar"
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4876
  • C:\Users\Admin\Desktop\Plasma Temp.exe
    "C:\Users\Admin\Desktop\Plasma Temp.exe"
    1⤵
    • Checks computer location settings
    • Executes dropped EXE
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4700
    • C:\Users\Admin\Desktop\._cache_Plasma Temp.exe
      "C:\Users\Admin\Desktop\._cache_Plasma Temp.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Modifies Internet Explorer settings
      • Suspicious use of AdjustPrivilegeToken
      PID:832
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Users\Admin\Desktop\._cache_Synaptics.exe
        "C:\Users\Admin\Desktop\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Enumerates system info in registry
        • Modifies Internet Explorer settings
        • Suspicious use of AdjustPrivilegeToken
        PID:1572
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\A4E75E00
    Filesize

    24KB

    MD5

    8040b521b08811cba0160f217d33e75e

    SHA1

    01a4bf3a09c3432d983a923c05d63e49bbf440cc

    SHA256

    bf1c5ae8a7e76cad212166628ac7c1f0e6a586a537ebf28e3fb83fb3d0d44bd5

    SHA512

    c24508cd6b21c654dda9be5e8d569770e070172867dc49e29cba66ce11b845e7b026bfb46e15ea11de53aadaf836958d59d9d741fdde1abb262739d67afe8597

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\uJHW4UGx.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\Desktop\._cache_Plasma Temp.exe
    Filesize

    124KB

    MD5

    a73e87a0ad626312ace6eb56fd8f4133

    SHA1

    e2e803af903fd1f0863952be481106d5a6993646

    SHA256

    1017b3d548aadc0fe735460d50424f2f4d7ac70b506ed8c55d6857a62d83dd9c

    SHA512

    8b5093f20443a730cc51a4d247a5594bd91305ba81ebd9d3f860b49c770c03adb1665e9123e939f1cce4ba8f4d639009c356d6ff98def3ec501459136fc950ad

    Download Submit

  • C:\Users\Admin\Desktop\Guna.UI2.dll
    Filesize

    2.1MB

    MD5

    c19e9e6a4bc1b668d19505a0437e7f7e

    SHA1

    73be712aef4baa6e9dabfc237b5c039f62a847fa

    SHA256

    9ac8b65e5c13292a8e564187c1e7446adc4230228b669383bd7b07035ab99a82

    SHA512

    b6cd0af436459f35a97db2d928120c53d3691533b01e4f0e8b382f2bd81d9a9a2c57e5e2aa6ade9d6a1746d5c4b2ef6c88d3a0cf519424b34445d0d30aab61de

    Download Submit

  • C:\Users\Admin\Desktop\Newtonsoft.Json.dll
    Filesize

    695KB

    MD5

    195ffb7167db3219b217c4fd439eedd6

    SHA1

    1e76e6099570ede620b76ed47cf8d03a936d49f8

    SHA256

    e1e27af7b07eeedf5ce71a9255f0422816a6fc5849a483c6714e1b472044fa9d

    SHA512

    56eb7f070929b239642dab729537dde2c2287bdb852ad9e80b5358c74b14bc2b2dded910d0e3b6304ea27eb587e5f19db0a92e1cbae6a70fb20b4ef05057e4ac

    Download Submit

  • C:\Users\Admin\Desktop\Plasma Temp.exe
    Filesize

    877KB

    MD5

    44b1e07558fac9c7d26e5d3347afaee7

    SHA1

    220280fee94e17188d027a46b3047b0f8a73a722

    SHA256

    a7db46b0ee6fa42808f35ebc28d8bbeaff7f3f665bec867e8bc9e6916af6e0c6

    SHA512

    df4aa702858deb3fadfecedf0185049bfdd8f66d13ff7e86bd00b111660cf3976b157208e61a71f07dd6cf8dd357ac32364993c86dea6ab9c9f157771a6660c5

    Download Submit

  • memory/832-183-0x0000000005110000-0x00000000051A2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/832-215-0x0000000006B30000-0x0000000006B42000-memory.dmp

    Filesize

    72KB

    Download

  • memory/832-194-0x0000000005BD0000-0x0000000005DE4000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/832-140-0x0000000005620000-0x0000000005BC4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/832-227-0x0000000008C40000-0x0000000008F94000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/832-225-0x0000000008B80000-0x0000000008C32000-memory.dmp

    Filesize

    712KB

    Download

  • memory/832-137-0x00000000006A0000-0x00000000006C6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/832-190-0x00000000050A0000-0x00000000050AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1572-229-0x0000000008A60000-0x0000000008A9C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/1572-226-0x0000000008590000-0x00000000085B2000-memory.dmp

    Filesize

    136KB

    Download

  • memory/2232-214-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-216-0x00007FFED5CA0000-0x00007FFED5CB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-213-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-209-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-212-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-210-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2232-211-0x00007FFED83B0000-0x00007FFED83C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4012-275-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4700-136-0x0000000000400000-0x00000000004E1000-memory.dmp

    Filesize

    900KB

    Download

  • memory/4700-8-0x00000000007E0000-0x00000000007E1000-memory.dmp

    Filesize

    4KB

    Download