Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18-11-2024 16:18

General

  • Target

    79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe

  • Size

    1.8MB

  • MD5

    0ff280de0233ba547b6e5e689f83ac90

  • SHA1

    4342b2f852e52892c8d8a00d6b902d2bd10e15ee

  • SHA256

    79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55feb

  • SHA512

    744c18f79e8efba34aca360d3a3931cfd9014db2bd9c5093659c564f5ca50aab0b6f259c168a0ea90faf905c7a7ef9cdfdf7ce924e7e448ba92d96655d1e501f

  • SSDEEP

    49152:ansHyjtk2MYC5GD5KyUqTEBBKjVFVcSLTx:ansmtk2avyyw6Sh

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
    "C:\Users\Admin\AppData\Local\Temp\79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3188
    • C:\Users\Admin\AppData\Local\Temp\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-6DFA-5B88-C059-45C3892906EA}\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe
        "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-6DFA-5B88-C059-45C3892906EA}\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c pause > nul
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4476
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4480
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-C9A8-51F0-8565-45C3553532E8}\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-C9A8-51F0-8565-45C3553532E8}\._cache_Synaptics.exe" "InjUpdate"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c pause > nul
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4104
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:904

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.8MB

    MD5

    0ff280de0233ba547b6e5e689f83ac90

    SHA1

    4342b2f852e52892c8d8a00d6b902d2bd10e15ee

    SHA256

    79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55feb

    SHA512

    744c18f79e8efba34aca360d3a3931cfd9014db2bd9c5093659c564f5ca50aab0b6f259c168a0ea90faf905c7a7ef9cdfdf7ce924e7e448ba92d96655d1e501f

  • C:\Users\Admin\AppData\Local\Temp\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe

    Filesize

    1.0MB

    MD5

    4478f8b0da41ed0a9ae85c2005c551e5

    SHA1

    167bae207c3007b89c4e42161f8526ea893c1b70

    SHA256

    3fbc3476af5674b389b1026ab43f48e672c2f0b28e075fae0ad34dcf2362c112

    SHA512

    0d9b4403f5425e7ebfd2c6243a57d93130f21334da7ebc582d6e15765accf1a52632e404b5e453fdba76e95f5f8fd4b3882ca0980e451c15d83c672850c98664

  • C:\Users\Admin\AppData\Local\Temp\dSnDAYLy.xlsm

    Filesize

    17KB

    MD5

    af4d37aad8b34471da588360a43e768a

    SHA1

    83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

    SHA256

    e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

    SHA512

    74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

  • C:\Users\Admin\AppData\Local\Temp\eset.temp\{02D83BBE-6DFA-5B88-C059-45C3892906EA}\._cache_79bedf578b8e61feabedcd9e9e467c5d325bcca87d453b48796ae33d8cb55febN.exe

    Filesize

    840KB

    MD5

    2e8237dc029d6f9458c9f6a892924379

    SHA1

    a747c2df935141a850a5dc3bd2900fd40d448d68

    SHA256

    2fb60fe210a3f0d1ae5b33f5363a7c42e1680d98b3caac6b06ba6c456280b86c

    SHA512

    b0f329b0d6b06af086facd6f18265649eea5a7e312ccde8e8d488ea85d5b00bee1b1fd6dbb86812010e0dc316e2e72551d566b075686e7c279e5018c1c371590

  • memory/904-189-0x00007FFD41290000-0x00007FFD412A0000-memory.dmp

    Filesize

    64KB

  • memory/904-182-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

    Filesize

    64KB

  • memory/904-185-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

    Filesize

    64KB

  • memory/904-187-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

    Filesize

    64KB

  • memory/904-186-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

    Filesize

    64KB

  • memory/904-184-0x00007FFD43690000-0x00007FFD436A0000-memory.dmp

    Filesize

    64KB

  • memory/904-188-0x00007FFD41290000-0x00007FFD412A0000-memory.dmp

    Filesize

    64KB

  • memory/3188-0-0x00000000007A0000-0x00000000007A1000-memory.dmp

    Filesize

    4KB

  • memory/3188-110-0x0000000000400000-0x00000000005CC000-memory.dmp

    Filesize

    1.8MB

  • memory/4480-114-0x0000000002110000-0x0000000002111000-memory.dmp

    Filesize

    4KB

  • memory/4480-200-0x0000000002110000-0x0000000002111000-memory.dmp

    Filesize

    4KB

  • memory/4480-199-0x0000000000400000-0x00000000005CC000-memory.dmp

    Filesize

    1.8MB

  • memory/4480-231-0x0000000000400000-0x00000000005CC000-memory.dmp

    Filesize

    1.8MB