Overview

overview

10

Static

static

10

dc6099f18e...5N.exe

windows7-x64

10

dc6099f18e...5N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10-11-2024 13:49

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45N.exe

  • Size

    4.0MB

  • MD5

    76b1f7cd85f32223befc3df58fe3c680

  • SHA1

    764196098c9ec3991d8a8d923efb903a6c6b4b88

  • SHA256

    dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45

  • SHA512

    1dc282eda022383df2a700f4bb69ec7ce2c5dfd566b609c1c0341546a31ffc2eaf877a2fa8da81b83e655732901eb42d34969f8d6731b220b83ab4928c89974d

  • SSDEEP

    98304:Cnsmtk2amtLutqgwh4NYxtJpkxhGb3331b:MLWxOxtJahCb

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45N.exe
    "C:\Users\Admin\AppData\Local\Temp\dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Users\Admin\AppData\Local\Temp\._cache_dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:736
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4032
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5000

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    4.0MB

    MD5

    76b1f7cd85f32223befc3df58fe3c680

    SHA1

    764196098c9ec3991d8a8d923efb903a6c6b4b88

    SHA256

    dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45

    SHA512

    1dc282eda022383df2a700f4bb69ec7ce2c5dfd566b609c1c0341546a31ffc2eaf877a2fa8da81b83e655732901eb42d34969f8d6731b220b83ab4928c89974d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_dc6099f18e478f2fc415c06019c64a2d4d1f81abb8dd8f18b1a0a3a29e7d2a45N.exe
    Filesize

    3.3MB

    MD5

    184ee15ecf2a52a5a2adb41bfd3e593d

    SHA1

    4565b8e2cbe0225b88724694d5ec06e5a57eac50

    SHA256

    98d753771f822e72422e6b13d860659ddbb3ac7faba203e4a06b753af16ca918

    SHA512

    d42ce7582d5e31c03d3cdfdd5132d40e469ae5f5d1b6bba2043561b1878a85126c185999295524692eb494ce628ab63ae476c32f8bb1ede444f16e9768670460

    Download Submit

  • memory/216-0-0x00000000025A0000-0x00000000025A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/216-129-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/736-70-0x0000000002610000-0x0000000002611000-memory.dmp

    Filesize

    4KB

    Download

  • memory/736-192-0x0000000000400000-0x000000000074C000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4032-130-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-194-0x00000000009C0000-0x00000000009C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4032-193-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/4032-219-0x0000000000400000-0x0000000000803000-memory.dmp

    Filesize

    4.0MB

    Download

  • memory/5000-191-0x0000000000400000-0x000000000074C000-memory.dmp

    Filesize

    3.3MB

    Download