Analysis

  • max time kernel: 112s
  • max time network: 122s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19-11-2024 19:00

General

  • Target: dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
  • Size: 6.5MB
  • MD5: 869de13d6a202e5074bcabc7947b91e0
  • SHA1: a2698642df4719a33a7cd3be4d4cb18e16867779
  • SHA256: dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4
  • SHA512: 8968b5067bbb0ef5e48ed6a49cdad49946e9bfce1019d56dbf478333d229e73d89869bd96b6cae555b40b52cf578e43bb27940faf39d452c8e1c6312751f10ce
  • SSDEEP: 98304:ansmtk2afBa/eaDz7w3zdnYwPccKfHPqtRzIL6VaL7LahgUtb9khmC9618IB4tka:UL2Ba3z03+O1KfuNVa/Gycb2D94J4Oa

Malware Config

Extracted

Family: xred

C2: xred.mooo.com

Attributes
  • email: [email protected]
  • payload_url:
    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
    http://xred.site50.net/syn/SUpdate.ini
    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
    http://xred.site50.net/syn/Synaptics.rar
    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings (2 TTPs, 2 IoCs)

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (6 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry (2 TTPs, 3 IoCs)

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry (2 TTPs, 3 IoCs)
  • Modifies registry class (2 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
    "C:\Users\Admin\AppData\Local\Temp\dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe"
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1340
    • C:\Users\Admin\AppData\Local\Temp\._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe"
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:4788
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1624
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1556

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize: 6.5MB
    MD5: 869de13d6a202e5074bcabc7947b91e0
    SHA1: a2698642df4719a33a7cd3be4d4cb18e16867779
    SHA256: dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4
    SHA512: 8968b5067bbb0ef5e48ed6a49cdad49946e9bfce1019d56dbf478333d229e73d89869bd96b6cae555b40b52cf578e43bb27940faf39d452c8e1c6312751f10ce

  • C:\Users\Admin\AppData\Local\Temp\._cache_dda150a32ba87e98364c9cc2b4aea0787686b74abb858a7f1215936705062fa4N.exe
    Filesize: 5.8MB
    MD5: 8cc39739b5418a1bbde9684807376325
    SHA1: 232794de7993036c4cad65a1936c1fb341da7b37
    SHA256: 45529eeaac3e24fcd31cb392dc66058dab4f13cce1462c129606aa01c7c66755
    SHA512: 010ee6e2cd656d5b191d1aa5360551facb230605153d879c62de2eff009fd01dd43d525cc81c5fc796892a5507799e5cf70fbc8297e4c21ea4693bece459de5e

  • C:\Users\Admin\AppData\Local\Temp\nskB92F.tmp\System.dll
    Filesize: 11KB
    MD5: cd0664e18c7c4587f9a61be1dd534e22
    SHA1: ceb2cc7dd87e0221ce8a0bff87c010174c3113e8
    SHA256: 63ddd3d99e919f0d27e0c438c9798ba8307f00ad439b3620e03b7badc6f728ff
    SHA512: dec32d8f95f15a92f33fb12a65c1e45a3799d1ce6957fa6aa71f5f454fca572d1cb97fff011774bc7b2f4bac9d7da557abe95d4a994dabde9541aa1178766e44

  • C:\Users\Admin\AppData\Local\Temp\nskB92F.tmp\nsDialogs.dll
    Filesize: 9KB
    MD5: 7bdc263925cc66ffbfe5818bdf75db92
    SHA1: ce4fd90b133a984b00066b16ea7a990be55f5e2d
    SHA256: 717f0c111a9eba8bc06ce7b5e8ca50f55e2bf9a136d5867b7e46ca5709ff83f3
    SHA512: a4989529dc8f76bf4d5b12542e4d3ab754050ad7d97fe69e4c24504ee0b444a729bdb32c25722800ce2a1a0263c2f35ab3e32e6d7aac12e4244a8dec0dc1c9fb

  • C:\Users\Admin\AppData\Local\Temp\nslAF3C.tmp\LangDLL.dll
    Filesize: 5KB
    MD5: 8f1c566e12153e91d4a7319892a122a5
    SHA1: cf2e091b6b7117bf2c4642cfd549c5a8463eb397
    SHA256: 012662cfbb6bfbabca4d5cc3a5904a230d199c29a98b63b5b240aebba3dab9c9
    SHA512: 96a3d36aaf9961c7af1c107df08af2231025f9852c1ad15556c00f2361b1e4772e1a9929890bbdd82d23014dffa3364bc7ee278cc80d3d692c3c47d8d406dd33

  • C:\Users\Admin\AppData\Local\Temp\wUCjxPDi.xlsm
    Filesize: 17KB
    MD5: af4d37aad8b34471da588360a43e768a
    SHA1: 83ed64667d4e68ea531b8bcf58aab3ed4a5ca998
    SHA256: e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
    SHA512: 74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

  • memory/1340-106-0x0000000000400000-0x0000000000A84000-memory.dmp
    Filesize: 6.5MB

  • memory/1340-0-0x0000000002810000-0x0000000002811000-memory.dmp
    Filesize: 4KB

  • memory/1556-170-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp
    Filesize: 64KB

  • memory/1556-169-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp
    Filesize: 64KB

  • memory/1556-168-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp
    Filesize: 64KB

  • memory/1556-177-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp
    Filesize: 64KB

  • memory/1556-178-0x00007FFA65D50000-0x00007FFA65D60000-memory.dmp
    Filesize: 64KB

  • memory/1556-171-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp
    Filesize: 64KB

  • memory/1556-172-0x00007FFA68390000-0x00007FFA683A0000-memory.dmp
    Filesize: 64KB

  • memory/1724-211-0x0000000000400000-0x0000000000A84000-memory.dmp
    Filesize: 6.5MB

  • memory/1724-246-0x0000000000400000-0x0000000000A84000-memory.dmp
    Filesize: 6.5MB