Analysis

  • max time kernel
    113s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2024 05:30

General

  • Target

    4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3N.exe

  • Size

    5.5MB

  • MD5

    366195fd79d48b3396fd0085f9867260

  • SHA1

    05a3ed22e238326df1e140dd035089dd756c7f1b

  • SHA256

    4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3

  • SHA512

    59074b19cd48f4b4f1d30f0e92272ecc3bb846f2a7bcf34f7a79ba47a5d37dd667b0fd2ef5ed4482e9feed36e7455f0e31aad6b1e60477cb9734b1f055858de4

  • SSDEEP

    98304:Ansmtk2aOJMasUKfDKGn/rhbyxZ2702rpA8h0N6Uabhtib7HOWXhXAz0GpEtS5de:eL5Ca6PjgK1ATYkrRGX5dh8

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3N.exe
    "C:\Users\Admin\AppData\Local\Temp\4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:532
    • C:\Users\Admin\AppData\Local\Temp\._cache_4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3N.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:1900
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1072
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4020

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    5.5MB

    MD5

    366195fd79d48b3396fd0085f9867260

    SHA1

    05a3ed22e238326df1e140dd035089dd756c7f1b

    SHA256

    4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3

    SHA512

    59074b19cd48f4b4f1d30f0e92272ecc3bb846f2a7bcf34f7a79ba47a5d37dd667b0fd2ef5ed4482e9feed36e7455f0e31aad6b1e60477cb9734b1f055858de4

  • C:\Users\Admin\AppData\Local\Temp\$inst\15.tmp

    Filesize

    2KB

    MD5

    7ba60a716ad440f34ae6a54f9b455e35

    SHA1

    228b983184e47f3a8ff2c3c584cdcc9ca50591a6

    SHA256

    8e8611b30d161a2144d510b352fd985d88681d70e3bf87a361769cd9c78df9f4

    SHA512

    93c63448d5c9c2ffd50e3c9ff8edfac9c5f90e34569e64343a3f5d45e57dcdfc4586643d0bfdf9310688ec39a433fc94dc77f7cd3792f2be538e2e625a21c207

  • C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

    Filesize

    34KB

    MD5

    2e3f83afe22f699428a2d2ca1bb2b98b

    SHA1

    cfa105bb8302813adaa9b295594d85420ed970cb

    SHA256

    3e72408bf6ef7e58f29d1bcc7e319504afa67fa6c3e90591d2d8194b5f82cc6a

    SHA512

    0614755d2699bfde7fa62525b89a7b56048b55b28084278b4745b22c6c794417f5a776f81b4d1553d223fa14767153b9edbf1a71d7680c329da485752bc63189

  • C:\Users\Admin\AppData\Local\Temp\$inst\4.tmp

    Filesize

    9KB

    MD5

    20c9f69bb44279a820e969c260437627

    SHA1

    c0f393858fe2b6d265bfef998cb3e4f45e5d794e

    SHA256

    62b312dc745cff4aa1ac8e267ee19c55540bed90d3a66901a8b621b11aec0858

    SHA512

    4887486c1f8949f3a0bacf27e4ce40d58a7c2d5e294a6a53326be71246df293c9bf5c902a28a199fe28ec699b87f068b77a7e6b3a2055c572a55c95965a337dd

  • C:\Users\Admin\AppData\Local\Temp\$inst\5.tmp

    Filesize

    51KB

    MD5

    ab2021e67e0e08657288d880abfbaa72

    SHA1

    ffcf7956d5aaad47f4801b32b5fc893dc78a6dbc

    SHA256

    331d997e586cba40d4da0587887fc4caa4cc44e53421737dafa67e67445e6753

    SHA512

    e2975814169efe247b2f8954d60f331eea9340419f96255e4d0ce3c19ff9ddd3b98ec87f51d73ce3dae045142c2c40e600ad7d5dca3eeb156e038eba1a21bac9

  • C:\Users\Admin\AppData\Local\Temp\$inst\7.tmp

    Filesize

    6KB

    MD5

    420aee57b5e083d256d28e45ef887adb

    SHA1

    39f58e11b68f13932217b98672c4f33adc353be8

    SHA256

    1efb1a8831f68b443a3e3a06599e914162dc1a9b1b8f9ebc8020b40b72bbfb80

    SHA512

    76ae5dbb4aa3baf1df3e5684855ece03cd7693698b993a40da579c78c4cf9ba3dc4baaf699933d4bf56eca12ea2847b02f997d5d8ab8e5f267d5f4d6634a52cc

  • C:\Users\Admin\AppData\Local\Temp\$inst\8.tmp

    Filesize

    6KB

    MD5

    cdfb00ba27ddc4f0649bb274bce55774

    SHA1

    ede9f6eaeb205e5cd184c0a99a551e77fd362da6

    SHA256

    00a49eebe20548de2aa3de3594b323d689e6467cbb63a4791604f4f82fe7360f

    SHA512

    3de2904239fa5223f9dd8ba98d01441e34d692e8706ddacca5d79e712948dccc2785a6326c3b4752357bb7d1852ecf60da4f981e0945c162f06801645a486570

  • C:\Users\Admin\AppData\Local\Temp\._cache_4a3e12ef1e8908d652a3ad0de55afd4d1d0617a8fcf315358f3966d9584b2ec3N.exe

    Filesize

    4.7MB

    MD5

    4fc62e075c53003feb22656b1ce11714

    SHA1

    c97a92a7bcf15571be8a0e6ef900f33627dd895e

    SHA256

    9663474b95fdb46ab5b809469443bb5068760b10e70d75cedddff26ec2ca88de

    SHA512

    ed81e35c2487cff9de23c9ae6628cb1f52948ad94e566ece8a7c067a8967dcb978d69baa0bc8e5b4a7098576cc5e847475c04202333bdb24ad1b73123d33b72b

  • memory/532-119-0x0000000000400000-0x0000000000980000-memory.dmp

    Filesize

    5.5MB

  • memory/532-0-0x0000000000A80000-0x0000000000A81000-memory.dmp

    Filesize

    4KB

  • memory/1072-120-0x00000000024D0000-0x00000000024D1000-memory.dmp

    Filesize

    4KB

  • memory/1072-223-0x0000000000400000-0x0000000000980000-memory.dmp

    Filesize

    5.5MB

  • memory/1072-202-0x0000000000400000-0x0000000000980000-memory.dmp

    Filesize

    5.5MB

  • memory/1072-190-0x00000000024D0000-0x00000000024D1000-memory.dmp

    Filesize

    4KB

  • memory/1072-189-0x0000000000400000-0x0000000000980000-memory.dmp

    Filesize

    5.5MB

  • memory/1900-191-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1900-193-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1900-195-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1900-201-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/1900-188-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB

  • memory/4020-187-0x0000000000400000-0x0000000000425000-memory.dmp

    Filesize

    148KB