Overview

overview

10

Static

static

10

dd09ce3631...6N.exe

windows7-x64

10

dd09ce3631...6N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-11-2024 23:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe

  • Size

    1.3MB

  • MD5

    0a4fa68b65129d54274032ef78bcee90

  • SHA1

    ae9f495dda5b693c5941510a5ce5dbec9aa7c605

  • SHA256

    dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06

  • SHA512

    716e78782f31d1bb99c5eae1af575a4f28c9bf34ab6b447c5e5291ef1cd04f309c504658b3fbdd7d3ed7fc90cb5c8446c75e312351978831fd95cf3e04130387

  • SSDEEP

    24576:5nsJ39LyjbJkQFMhmC+6GD9v20DvYefzxB0YAEFgXC75ld1qSVpcqE:5nsHyjtk2MYC5GDB24fJd1qapcqE

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
    "C:\Users\Admin\AppData\Local\Temp\dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4220
    • C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4956
      • C:\Users\Admin\AppData\Local\Temp\is-VIMII.tmp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-VIMII.tmp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp" /SL5="$4017E,337902,54272,C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        PID:4076
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3836
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Users\Admin\AppData\Local\Temp\is-ARSDI.tmp\._cache_Synaptics.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-ARSDI.tmp\._cache_Synaptics.tmp" /SL5="$80090,337902,54272,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:1092
          • C:\Program Files (x86)\Checksum Calculator\ChecksumCalculator.exe
            "C:\Program Files (x86)\Checksum Calculator\ChecksumCalculator.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:856
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4224

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Checksum Calculator\ChecksumCalculator.exe
    Filesize

    894KB

    MD5

    57dea2fb7ccdeb6acf05d55c5ac051d3

    SHA1

    72b643e0463e79ee9795a4ba450bc6dadb6a6e17

    SHA256

    57fb00a72c2791f3b9711d032710f851b4b7b33349939d958b1e03e5a727d821

    SHA512

    8260a8abe4b5dfba230bd7c14ff4181c9e26f1dd1d39636ab424ea652b2089b732b0ab099478354bfe40457f9cdc3974c24ea50492c667c903baf162e0c34cb2

    Download Submit

  • C:\Program Files (x86)\Checksum Calculator\unins000.exe
    Filesize

    705KB

    MD5

    f67c139adf91e12fd1af5fc775b31e42

    SHA1

    d6dd484ea381972c275f9a119743af563cc526c3

    SHA256

    c86e42c056af7aa54245260e83b9ea6a3a28c87a95edce681f001769bf10ccde

    SHA512

    a2cb1253d9e034b0f78d2068c843df3cb47da7a7f9f6371f93846c842b338e22c8e1454cbc3246f5ad874ef166b06ca25d4c6839af1b918d3a5815fb36a869a1

    Download Submit

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    1.3MB

    MD5

    0a4fa68b65129d54274032ef78bcee90

    SHA1

    ae9f495dda5b693c5941510a5ce5dbec9aa7c605

    SHA256

    dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06

    SHA512

    716e78782f31d1bb99c5eae1af575a4f28c9bf34ab6b447c5e5291ef1cd04f309c504658b3fbdd7d3ed7fc90cb5c8446c75e312351978831fd95cf3e04130387

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
    Filesize

    568KB

    MD5

    bdee7c2788baebdf4c5a217d5c388732

    SHA1

    753b24b1557e53cfe3ccf4b4c8adb72c30ac1aca

    SHA256

    6b3b44ee73983bf60a66c82d0f274002708a99abd9cdb23a9d237c03b5e711d1

    SHA512

    342af8a8273a629d51255d98a3cbd39cb5aa8bd590d77f44c491b084b1ebd7d2cf011e0184f8eefa6b6bdcfcf25e6c99effca42e687ccf3c028b875aa0fd7c52

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PfmRsQFC.xlsm
    Filesize

    17KB

    MD5

    af4d37aad8b34471da588360a43e768a

    SHA1

    83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

    SHA256

    e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

    SHA512

    74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-MMSOI.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-VIMII.tmp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
    Filesize

    695KB

    MD5

    620f32e56b46e90e8aee43febc59f6e3

    SHA1

    d5edd63dd1390a1420b85f746e12a66625ae9354

    SHA256

    bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

    SHA512

    8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

    Download Submit

  • memory/856-250-0x0000000000400000-0x00000000004F2000-memory.dmp

    Filesize

    968KB

    Download

  • memory/856-259-0x0000000000400000-0x00000000004F2000-memory.dmp

    Filesize

    968KB

    Download

  • memory/1092-190-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1092-238-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1092-211-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/1092-245-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/3836-209-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3836-188-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/3836-287-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4076-216-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4076-208-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4076-114-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4076-248-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4076-187-0x0000000000400000-0x00000000004BD000-memory.dmp

    Filesize

    756KB

    Download

  • memory/4220-107-0x0000000000400000-0x0000000000550000-memory.dmp

    Filesize

    1.3MB

    Download

  • memory/4220-0-0x00000000023D0000-0x00000000023D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4224-193-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-197-0x00007FFF87DF0000-0x00007FFF87E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-196-0x00007FFF87DF0000-0x00007FFF87E00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-192-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-191-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-195-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4224-194-0x00007FFF8A4B0000-0x00007FFF8A4C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4572-189-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4572-246-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4572-175-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4956-63-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download

  • memory/4956-67-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4956-186-0x0000000000400000-0x0000000000414000-memory.dmp

    Filesize

    80KB

    Download