Analysis

  • max time kernel
    112s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2024 05:13

General

  • Target

    23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923.exe

  • Size

    6.5MB

  • MD5

    66bcf50be9c6bbabed2ca19c2b64b8a3

  • SHA1

    6398f759d71b771c7051cdd25d8c881c73f598c3

  • SHA256

    23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923

  • SHA512

    68cbc0e273fc9c5f1741f6d264b154a6b6a06be87f9e33f7c2ddd15001a17d18cbbb0243edf65a7c8766a5d1c5ea917854ccef7aa0defb32c1880f59d871f6f2

  • SSDEEP

    98304:ansmtk2afBa/eaDz7w3zdnYwPccKfHPqtRzIL6VaL7LahgUtb9khmC9618IB4tkK:UL2Ba3z03+O1KfuNVa/Gycb2D94J4OK

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
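
The extracted config above mixes two kinds of infrastructure: hostnames the operator controls (xred.mooo.com as C2, xred.site50.net as payload host) and shared services (docs.google.com, www.dropbox.com, freedns.afraid.org) that only the exact URL identifies. The following script is an added example, not part of the sandbox report, that turns the config into indicators of both kinds and runs them over a few constructed DNS/proxy log lines; the log line layout (timestamp, record kind, source IP, then the name or URL) is invented for the example.

```python
"""Added example, not part of the sandbox report: turn the extracted Xred
config into network indicators and run them over constructed log lines.
xred.mooo.com (C2) and xred.site50.net (payload host) are attacker-controlled
and matched by hostname; docs.google.com, www.dropbox.com and freedns.afraid.org
are shared services, so only the exact payload URL is matched there. The log
format (timestamp kind src ...) is invented for this example."""
from urllib.parse import urlsplit

C2_HOSTS = {"xred.mooo.com"}

# payload_url values as extracted in the report above.
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Hosts that legitimate traffic also uses: a hostname rule here is pure noise.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}


def build_indicators(c2_hosts, payload_urls):
    """Split the config into a hostname set and an exact-URL set."""
    hosts = {h.lower() for h in c2_hosts}
    urls = set()
    for url in payload_urls:
        host = (urlsplit(url).hostname or "").lower()
        if host in SHARED_HOSTS:
            urls.add(url)
        else:
            hosts.add(host)
    return hosts, urls


# Constructed log lines: "<timestamp> dns <src> A <name>" or
# "<timestamp> proxy <src> <method> <url>". The last two lines are benign.
SAMPLE_LOG = """\
2024-11-18T05:13:40Z dns 10.0.0.5 A xred.mooo.com.
2024-11-18T05:13:41Z proxy 10.0.0.5 GET http://xred.site50.net/syn/SUpdate.ini
2024-11-18T05:13:42Z proxy 10.0.0.5 GET https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
2024-11-18T05:13:43Z proxy 10.0.0.6 GET https://www.dropbox.com/s/abc123/report.pdf?dl=1
2024-11-18T05:13:44Z dns 10.0.0.6 A docs.google.com.
"""


def scan_log(text, hosts, urls):
    """Return (src, indicator_type, indicator) for every line that fires."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue
        kind, src, value = parts[1], parts[2], parts[4]
        if kind == "dns":
            name = value.lower().rstrip(".")  # resolver logs often keep the trailing dot
            if name in hosts:
                hits.append((src, "host", name))
        elif kind == "proxy":
            host = (urlsplit(value).hostname or "").lower()
            if value in urls:
                hits.append((src, "url", value))
            elif host in hosts:
                hits.append((src, "host", host))
    return hits


if __name__ == "__main__":
    hosts, urls = build_indicators(C2_HOSTS, PAYLOAD_URLS)
    for hit in scan_log(SAMPLE_LOG, hosts, urls):
        print(hit)
```

Only 10.0.0.5 fires: the dropbox.com and docs.google.com traffic from 10.0.0.6 is left alone because neither matches an exact payload URL. Since the C2 is a dynamic-DNS name (mooo.com is a freedns.afraid.org zone, and the first payload_url queries that API), the resolution of xred.mooo.com is the durable indicator; any IP it resolves to at analysis time is not.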

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923.exe
    "C:\Users\Admin\AppData\Local\Temp\23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3224
    • C:\Users\Admin\AppData\Local\Temp\._cache_23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2856
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2268
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2000
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4176

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    6.5MB

    MD5

    66bcf50be9c6bbabed2ca19c2b64b8a3

    SHA1

    6398f759d71b771c7051cdd25d8c881c73f598c3

    SHA256

    23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923

    SHA512

    68cbc0e273fc9c5f1741f6d264b154a6b6a06be87f9e33f7c2ddd15001a17d18cbbb0243edf65a7c8766a5d1c5ea917854ccef7aa0defb32c1880f59d871f6f2

  • C:\Users\Admin\AppData\Local\Temp\._cache_23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923.exe

    Filesize

    5.8MB

    MD5

    8cc39739b5418a1bbde9684807376325

    SHA1

    232794de7993036c4cad65a1936c1fb341da7b37

    SHA256

    45529eeaac3e24fcd31cb392dc66058dab4f13cce1462c129606aa01c7c66755

    SHA512

    010ee6e2cd656d5b191d1aa5360551facb230605153d879c62de2eff009fd01dd43d525cc81c5fc796892a5507799e5cf70fbc8297e4c21ea4693bece459de5e

  • C:\Users\Admin\AppData\Local\Temp\eyk2JawU.xlsm

    Filesize

    17KB

    MD5

    af4d37aad8b34471da588360a43e768a

    SHA1

    83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

    SHA256

    e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

    SHA512

    74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

  • C:\Users\Admin\AppData\Local\Temp\nshCA08.tmp\System.dll

    Filesize

    11KB

    MD5

    cd0664e18c7c4587f9a61be1dd534e22

    SHA1

    ceb2cc7dd87e0221ce8a0bff87c010174c3113e8

    SHA256

    63ddd3d99e919f0d27e0c438c9798ba8307f00ad439b3620e03b7badc6f728ff

    SHA512

    dec32d8f95f15a92f33fb12a65c1e45a3799d1ce6957fa6aa71f5f454fca572d1cb97fff011774bc7b2f4bac9d7da557abe95d4a994dabde9541aa1178766e44

  • C:\Users\Admin\AppData\Local\Temp\nshCA08.tmp\nsDialogs.dll

    Filesize

    9KB

    MD5

    7bdc263925cc66ffbfe5818bdf75db92

    SHA1

    ce4fd90b133a984b00066b16ea7a990be55f5e2d

    SHA256

    717f0c111a9eba8bc06ce7b5e8ca50f55e2bf9a136d5867b7e46ca5709ff83f3

    SHA512

    a4989529dc8f76bf4d5b12542e4d3ab754050ad7d97fe69e4c24504ee0b444a729bdb32c25722800ce2a1a0263c2f35ab3e32e6d7aac12e4244a8dec0dc1c9fb

  • C:\Users\Admin\AppData\Local\Temp\nsjC322.tmp\LangDLL.dll

    Filesize

    5KB

    MD5

    8f1c566e12153e91d4a7319892a122a5

    SHA1

    cf2e091b6b7117bf2c4642cfd549c5a8463eb397

    SHA256

    012662cfbb6bfbabca4d5cc3a5904a230d199c29a98b63b5b240aebba3dab9c9

    SHA512

    96a3d36aaf9961c7af1c107df08af2231025f9852c1ad15556c00f2361b1e4772e1a9929890bbdd82d23014dffa3364bc7ee278cc80d3d692c3c47d8d406dd33

  • memory/2268-195-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

  • memory/2268-245-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

  • memory/2268-220-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

  • memory/2268-216-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

  • memory/3224-106-0x0000000000400000-0x0000000000A84000-memory.dmp

    Filesize

    6.5MB

  • memory/3224-0-0x0000000002810000-0x0000000002811000-memory.dmp

    Filesize

    4KB

  • memory/4176-200-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

    Filesize

    64KB

  • memory/4176-205-0x00007FFB15DD0000-0x00007FFB15DE0000-memory.dmp

    Filesize

    64KB

  • memory/4176-206-0x00007FFB15DD0000-0x00007FFB15DE0000-memory.dmp

    Filesize

    64KB

  • memory/4176-204-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

    Filesize

    64KB

  • memory/4176-203-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

    Filesize

    64KB

  • memory/4176-201-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

    Filesize

    64KB

  • memory/4176-202-0x00007FFB17E30000-0x00007FFB17E40000-memory.dmp

    Filesize

    64KB
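
Two details in the Downloads list matter for triage. C:\ProgramData\Synaptics\Synaptics.exe carries exactly the same MD5/SHA1/SHA256/SHA512 as the submitted sample, so it is an unmodified self-copy rather than a second payload, while the 5.8MB `._cache_` executable is the one distinct binary worth hashing and submitting separately. The DLLs under nshCA08.tmp and nsjC322.tmp carry the names of standard NSIS installer plugins (System.dll, nsDialogs.dll, LangDLL.dll) and should be read as the host installer's components rather than as Xred indicators. The script below is an added example, not part of the sandbox report, that feeds the process tree and dropped-file hashes transcribed from the report into four host-side heuristics; the record layout (dicts with pid/ppid/image/cmdline) is this example's own assumption, not a sandbox or EDR API, and treating the `._cache_` child as the uninfected host program is an interpretation of the sizes and NSIS plugin loads, not something the report states.

```python
"""Added example, not part of the sandbox report: host-side triage heuristics
for the Xred pattern, fed with the process tree and dropped-file hashes
transcribed from the report. The record layout (pid/ppid/image/cmdline dicts)
is this example's own assumption, not a sandbox or EDR API."""
from pathlib import PureWindowsPath

SUBMITTED_SHA256 = "23de2ff140b880d156bb16b821d92bb464f3eb33ffbeac198587b7a95f783923"
SAMPLE_NAME = SUBMITTED_SHA256 + ".exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYNAPTICS = r"C:\ProgramData\Synaptics\Synaptics.exe"
EXCEL = r"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"

# Process tree as listed under "Processes" (ppid None = top-level in the report).
PROCESSES = [
    {"pid": 3224, "ppid": None, "image": TEMP + "\\" + SAMPLE_NAME,
     "cmdline": '"' + TEMP + "\\" + SAMPLE_NAME + '"'},
    {"pid": 2856, "ppid": 3224, "image": TEMP + "\\._cache_" + SAMPLE_NAME,
     "cmdline": '"' + TEMP + "\\._cache_" + SAMPLE_NAME + '"'},
    {"pid": 2268, "ppid": 3224, "image": SYNAPTICS,
     "cmdline": '"' + SYNAPTICS + '" InjUpdate'},
    {"pid": 2000, "ppid": 2268, "image": TEMP + r"\._cache_Synaptics.exe",
     "cmdline": '"' + TEMP + r"\._cache_Synaptics.exe" + '" InjUpdate'},
    {"pid": 4176, "ppid": None, "image": EXCEL,
     "cmdline": '"' + EXCEL + '" /automation -Embedding'},
]

# Dropped files and their SHA256 as listed under "Downloads".
DROPPED = {
    SYNAPTICS: SUBMITTED_SHA256,
    TEMP + "\\._cache_" + SAMPLE_NAME:
        "45529eeaac3e24fcd31cb392dc66058dab4f13cce1462c129606aa01c7c66755",
    TEMP + r"\eyk2JawU.xlsm":
        "e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1",
    TEMP + r"\nshCA08.tmp\System.dll":
        "63ddd3d99e919f0d27e0c438c9798ba8307f00ad439b3620e03b7badc6f728ff",
    TEMP + r"\nshCA08.tmp\nsDialogs.dll":
        "717f0c111a9eba8bc06ce7b5e8ca50f55e2bf9a136d5867b7e46ca5709ff83f3",
    TEMP + r"\nsjC322.tmp\LangDLL.dll":
        "012662cfbb6bfbabca4d5cc3a5904a230d199c29a98b63b5b240aebba3dab9c9",
}


def _name(path):
    return PureWindowsPath(path).name.lower()


def cache_sibling_spawns(processes):
    """(parent_pid, child_pid) pairs where a process launches
    '._cache_<its own file name>': in the report 3224 -> 2856 and 2268 -> 2000."""
    by_pid = {p["pid"]: p for p in processes}
    hits = []
    for p in processes:
        parent = by_pid.get(p["ppid"])
        if parent and _name(p["image"]) == "._cache_" + _name(parent["image"]):
            hits.append((parent["pid"], p["pid"]))
    return hits


def self_copies(dropped, original_sha256):
    """Dropped files byte-identical to the submitted sample; in the report that is
    the Synaptics.exe copy written to C:\\ProgramData\\Synaptics."""
    return [path for path, digest in dropped.items()
            if digest.lower() == original_sha256.lower()]


def synaptics_persistence(processes):
    """PIDs running as ProgramData\\Synaptics\\Synaptics.exe with the InjUpdate argument."""
    hits = []
    for p in processes:
        tail = [s.lower() for s in PureWindowsPath(p["image"]).parts[-3:]]
        if tail == ["programdata", "synaptics", "synaptics.exe"] \
                and "InjUpdate" in p["cmdline"].split():
            hits.append(p["pid"])
    return hits


def excel_automation_with_dropped_xlsm(processes, dropped):
    """Dropped .xlsm files seen while EXCEL.EXE runs under COM automation
    (/automation -Embedding), the pairing the report shows for eyk2JawU.xlsm."""
    excel_auto = any(_name(p["image"]) == "excel.exe"
                     and "/automation" in p["cmdline"].lower() for p in processes)
    if not excel_auto:
        return []
    return [path for path in dropped if _name(path).endswith(".xlsm")]


def triage(processes, dropped, original_sha256):
    """Run every heuristic; two independent hits are treated as a match."""
    findings = {
        "cache_spawns": cache_sibling_spawns(processes),
        "self_copies": self_copies(dropped, original_sha256),
        "persistence_pids": synaptics_persistence(processes),
        "automation_xlsm": excel_automation_with_dropped_xlsm(processes, dropped),
    }
    findings["score"] = sum(1 for v in findings.values() if v)
    findings["verdict"] = "xred" if findings["score"] >= 2 else "inconclusive"
    return findings


if __name__ == "__main__":
    for key, value in triage(PROCESSES, DROPPED, SUBMITTED_SHA256).items():
        print(key, value)
```

On a live host the same four checks map onto what the report already shows: the Run key entry (Adds Run key to start application), the Synaptics.exe copy in ProgramData, the `._cache_` siblings in Temp, and the dropped .xlsm next to an automated Excel instance. Because Synaptics.exe and the submitted sample hash identically, a single hash rule covers both; the `._cache_` file needs its own entry if it is to be blocked at all, and in an infection scenario it is the clean program the user actually wanted.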