General
-
Target
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
-
Size
6.1MB
-
Sample
241119-sw7rsaxme1
-
MD5
02bec9d86e4839199a60b334dd650e60
-
SHA1
8f86b49725abfae4c201654f3aa43ec0041cea39
-
SHA256
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82
-
SHA512
660d932f4b2fe56d175ba3c2823a0501d13e29876766a57bd4df5b345177887b48fb9eedcf0c3929cca509f49a2bb189395e82c2418fa6e8834e0a2f79425243
-
SSDEEP
196608:iLmGZT4llVN1apVkFGT5KSPNOe7mBuyQzh:iyST4TlIGWK+N0BnQzh
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Targets
-
-
Target
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82.exe
-
Size
6.1MB
-
MD5
02bec9d86e4839199a60b334dd650e60
-
SHA1
8f86b49725abfae4c201654f3aa43ec0041cea39
-
SHA256
6346a63f22a66cd7bea354850db4603944fc7a846c304034b4d359696380ab82
-
SHA512
660d932f4b2fe56d175ba3c2823a0501d13e29876766a57bd4df5b345177887b48fb9eedcf0c3929cca509f49a2bb189395e82c2418fa6e8834e0a2f79425243
-
SSDEEP
196608:iLmGZT4llVN1apVkFGT5KSPNOe7mBuyQzh:iyST4TlIGWK+N0BnQzh
Score10/10-
Modifies WinLogon for persistence
-
Modifies security service
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Disables RegEdit via registry modification
-
Drops file in Drivers directory
-
Event Triggered Execution: Image File Execution Options Injection
-
Server Software Component: Terminal Services DLL
-
Sets service image path in registry
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Impair Defenses: Safe Mode Boot
-
Loads dropped DLL
-
Modifies system executable filetype association
-
Adds Run key to start application
-
Drops desktop.ini file(s)
-
Indicator Removal: Clear Persistence
remove IFEO.
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Server Software Component
1Terminal Services DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Registry Run Keys / Startup Folder
2Winlogon Helper DLL
1Create or Modify System Process
1Windows Service
1Event Triggered Execution
3Change Default File Association
1Component Object Model Hijacking
1Image File Execution Options Injection
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Impair Defenses
1Safe Mode Boot
1Indicator Removal
2Clear Persistence
1File Deletion
1Modify Registry
6