Analysis

  • max time kernel
    112s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-11-2024 10:39

General

  • Target

    7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

  • Size

    2.7MB

  • MD5

    89b5d70f47802c99d07cfbd0a66aa31a

  • SHA1

    14b7e4e18394a25e6221b1c4e3d3c267e6b0f79a

  • SHA256

    7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1

  • SHA512

    09956558088ccd7b27027d4b0d4c22751c5ad37dca92692cbd6fa229d20edf04bc564e3600db06b3028ed98650c08ca42aafdb1ab554f9b0d1703bdf1e10fbdd

  • SSDEEP

    49152:0nsHyjtk2MYC5GD09D9vdaaGtXKEY9f5NsJwY03vMNOi:0nsmtk2aZD91aaXL4wY03kIi

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 39 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
    "C:\Users\Admin\AppData\Local\Temp\7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4664
    • C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1324
      • C:\Users\Admin\AppData\Local\Temp\is-30TMM.tmp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp
        "C:\Users\Admin\AppData\Local\Temp\is-30TMM.tmp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp" /SL5="$9025E,1720962,424960,C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of FindShellTrayWindow
        PID:2380
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1884
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2556
        • C:\Users\Admin\AppData\Local\Temp\is-HLBAG.tmp\._cache_Synaptics.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-HLBAG.tmp\._cache_Synaptics.tmp" /SL5="$B0242,1720962,424960,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3460
          • C:\Program Files (x86)\wbh-diag\WBH-Diag.exe
            "C:\Program Files (x86)\wbh-diag\WBH-Diag.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:4036
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4996

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\wbh-diag\Microsoft.VisualBasic.PowerPacks.dll

    Filesize

    263KB

    MD5

    e8e4ad69eb6199e3ea7a8e7bc5d253d2

    SHA1

    7713c550e75421bb034790252997fe570e5f929c

    SHA256

    f52a5b0e1d13b197d4cc0632f71c2a3bc44a62a5a6df1ee2116d6547893dd2f6

    SHA512

    d51c234f2defce4191d0c3eff232655ff25384b266d7ccdc09a6212a59e5a22748edac2fc24f30b5eaf68119deed64261c09f5bd2d02f0fcacc8d339f5286ac0

  • C:\Program Files (x86)\wbh-diag\MySql.Data.dll

    Filesize

    446KB

    MD5

    94bbe02a2b7494833014b31da9961c19

    SHA1

    25e0041be5a76545d2d4000e42acf34561c03e37

    SHA256

    d6b70ac9aa8b91570e24a86c5fb44ef183278132781f65f639878eef9477b6fa

    SHA512

    8acfce099b7b5914e83659d630a6c8602a84441dc70ddabc93332cd0ab779d3a5f1a5992d0af8f708be10a8fb93d45e08bc73636a971656e7dc6207de07d3f6d

  • C:\Program Files (x86)\wbh-diag\WBH-Diag.exe

    Filesize

    2.1MB

    MD5

    d9427afabf59556cb442b3173b0d0f65

    SHA1

    60e0997a1eaa51f298eb18d59c69093e922ed348

    SHA256

    5841ff1a15a68f31bc62d6c56e3f5a846f13b08a2a2d73bc688fc60427871178

    SHA512

    e979b88212aed0dcf99041b8f9bcee2acd49c730c9fd1650cd41ff65f6fc48515be12afc5e8d23c340ae7679aa685013e81104f278d8432cb67871d7b454e172

  • C:\Program Files (x86)\wbh-diag\WBH-Diag.exe.config

    Filesize

    3KB

    MD5

    180dba8197005a4879e6ebb0f6de3743

    SHA1

    455dc84860c6756687caec67635cec67b53e1ca9

    SHA256

    ce01b25c7a052569868f5cc0f0a228bced404e29ec6a5150183cacd9b5eba5d4

    SHA512

    c3f305f45c9e26a043cd3de70723c4bae002199dee12bdd642222a20cc1683a26701be1e88a64281db18bf84bc8512410359172af30351e733b0b288b84f4a2e

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.7MB

    MD5

    89b5d70f47802c99d07cfbd0a66aa31a

    SHA1

    14b7e4e18394a25e6221b1c4e3d3c267e6b0f79a

    SHA256

    7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1

    SHA512

    09956558088ccd7b27027d4b0d4c22751c5ad37dca92692cbd6fa229d20edf04bc564e3600db06b3028ed98650c08ca42aafdb1ab554f9b0d1703bdf1e10fbdd

  • C:\Users\Admin\AppData\Local\Temp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.exe

    Filesize

    1.9MB

    MD5

    b9cdb56c6e2a49c486751f7e00258726

    SHA1

    1bdc5792898a1d4e53b020df8b2f9e2b98806837

    SHA256

    3bb02f84367e17338b79ed7829df18790f34d0d3e634df71fcf7147a87c3c8dc

    SHA512

    57bc1eee5589fa09bc56cdf4ec53a673a7910574f07254999156ff5fb9840b0c66308a17cb70f70c1aedd957b76549bb831eea89d0d6a2fb766de71767d7c775

  • C:\Users\Admin\AppData\Local\Temp\9QF9Os4r.xlsm

    Filesize

    17KB

    MD5

    af4d37aad8b34471da588360a43e768a

    SHA1

    83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

    SHA256

    e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

    SHA512

    74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

  • C:\Users\Admin\AppData\Local\Temp\is-30TMM.tmp\._cache_7551bd3b780af9647653bd92faf64df4ce2cc6766042d58288f15456594a38a1.tmp

    Filesize

    1.0MB

    MD5

    f911f075a9be615cbd60aa192dc88c54

    SHA1

    580c8a34169daf2730c4afe4675780e3fa928c2c

    SHA256

    3b1215484731c8bf063ad0dd2ff1f83f739186e277ef5bdc4c5d03a181c8a44b

    SHA512

    1902541e66d8d250729f06242c0ef1e545a44586c47b90803b6423bba2ac5d8fa2c3422a8f4fc36cf56506c63aeac3e72c92f9ba4d042e0c4c9b359d304a636e

  • C:\Users\Admin\AppData\Local\Temp\is-PR2CF.tmp\_isetup\_shfoldr.dll

    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

  • memory/1324-66-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1324-72-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

  • memory/1324-199-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/1884-334-0x0000000000400000-0x00000000006AD000-memory.dmp

    Filesize

    2.7MB

  • memory/1884-200-0x0000000000400000-0x00000000006AD000-memory.dmp

    Filesize

    2.7MB

  • memory/2380-201-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/2380-219-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/2380-307-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/2380-214-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/2380-209-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/2556-169-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2556-202-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/2556-298-0x0000000000400000-0x000000000046E000-memory.dmp

    Filesize

    440KB

  • memory/3460-203-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/3460-221-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/3460-211-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/3460-297-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/3460-216-0x0000000000400000-0x0000000000517000-memory.dmp

    Filesize

    1.1MB

  • memory/4036-287-0x0000000005AA0000-0x0000000006044000-memory.dmp

    Filesize

    5.6MB

  • memory/4036-290-0x00000000057D0000-0x0000000005826000-memory.dmp

    Filesize

    344KB

  • memory/4036-304-0x0000000008980000-0x00000000089CC000-memory.dmp

    Filesize

    304KB

  • memory/4036-303-0x0000000008A60000-0x0000000008DB4000-memory.dmp

    Filesize

    3.3MB

  • memory/4036-285-0x0000000000880000-0x0000000000A9E000-memory.dmp

    Filesize

    2.1MB

  • memory/4036-286-0x0000000005450000-0x00000000054EC000-memory.dmp

    Filesize

    624KB

  • memory/4036-302-0x00000000089E0000-0x0000000008A56000-memory.dmp

    Filesize

    472KB

  • memory/4036-288-0x0000000005590000-0x0000000005622000-memory.dmp

    Filesize

    584KB

  • memory/4036-289-0x0000000005540000-0x000000000554A000-memory.dmp

    Filesize

    40KB

  • memory/4036-294-0x0000000005830000-0x0000000005876000-memory.dmp

    Filesize

    280KB

  • memory/4664-0-0x0000000000970000-0x0000000000971000-memory.dmp

    Filesize

    4KB

  • memory/4664-107-0x0000000000400000-0x00000000006AD000-memory.dmp

    Filesize

    2.7MB

  • memory/4996-181-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

    Filesize

    64KB

  • memory/4996-175-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

    Filesize

    64KB

  • memory/4996-177-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

    Filesize

    64KB

  • memory/4996-178-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

    Filesize

    64KB

  • memory/4996-174-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

    Filesize

    64KB

  • memory/4996-180-0x00007FFBCEA70000-0x00007FFBCEA80000-memory.dmp

    Filesize

    64KB

  • memory/4996-176-0x00007FFBD0C50000-0x00007FFBD0C60000-memory.dmp

    Filesize

    64KB