Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-11-2024 04:50

General

  • Target

    df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe

  • Size

    1.2MB

  • MD5

    b5b47f531d7f154f40987c7298eeead8

  • SHA1

    f4a3e41d668ebde5403c7e6ecdefebb69733a244

  • SHA256

    df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

  • SHA512

    cd5aa21d668c571a86e8ba61a5b4b537b3ef4bdc7002a7843693a362acbf37fae81ac78164dab5809ef007c63cc55e1ba450c4afbf8f6e3253519258a4fd46dd

  • SSDEEP

    24576:oG+/8l+k1W0tq78x3s+hPNt790/ASMcmqhrbjXxI+PpKWSJTzCduD:L+/8l+kAf78x3B2ASMHKrfPpATz3D

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 2 IoCs

    Office document equipped with macros.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 9 IoCs
  • Reads data files stored by FTP clients 2 TTPs

    Tries to access configuration files associated with programs like FileZilla.

  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Adds Run key to start application 2 TTPs 4 IoCs
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe
    "C:\Users\Admin\AppData\Local\Temp\df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Users\Admin\AppData\Local\Temp\tmp142.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp142.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1040
      • C:\Users\Admin\AppData\Local\Temp\tmp142.exe
        C:\Users\Admin\AppData\Local\Temp\tmp142.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2344
        • C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe"
          4⤵
          • Executes dropped EXE
          • Adds Run key to start application
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2632
          • C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe
            "C:\Users\Admin\AppData\Roaming\VanToM Folder\Server.exe"
            5⤵
            • Executes dropped EXE
            • Adds Run key to start application
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            PID:1876
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2892
          • C:\ProgramData\Synaptics\Synaptics.exe
            C:\ProgramData\Synaptics\Synaptics.exe
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:480
            • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
              "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
              6⤵
              • Executes dropped EXE
              • Adds Run key to start application
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SetWindowsHookEx
              PID:1868
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c del C:\Users\Admin\AppData\Local\Temp\DF44DE~1.EXE >> NUL
      2⤵
      • Deletes itself
      • System Location Discovery: System Language Discovery
      PID:1624
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1636

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_tmp142.exe

    Filesize

    318KB

    MD5

    166cf19911e45785a3407433a2b447c4

    SHA1

    a08d582e55c5b66ef78bd5dd3e386730d8be4227

    SHA256

    a7b85bf490f372521788658ec25d3de4a14babd79abb5ddb646e30d87dd9ae27

    SHA512

    7934c5bf3657a4396fca70daebe01cd11e61c8e3f9b5cfd9c068d688f8b91ab5058c5dc68b0ba80b32b276348afb8ea6e70bba5f314722a7f04011607a3e7b14

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    21KB

    MD5

    3f1126ffbb960d8d2400f664c01fbf5f

    SHA1

    cca90e9a72c878cc6c659cc0acb75b9d5e1d04ce

    SHA256

    02538e0c41fb63dd537be6557f504c79b24e8172cf24520c1c939ef1520bdefc

    SHA512

    4d768b3cf2b45863127ea40e83b711064030d2f5cfa625f06c3e13073fee6c1fddeaae19f586873e9fe6312f4ab2e1e7fafab50fa6ed9a172adb39a20a136160

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    22KB

    MD5

    79c96884bcd66dde433e418156d863ba

    SHA1

    e510761c8be079848b9effc5595a472637789ef1

    SHA256

    73f5643ca2df80a9ee8dad56cb98abfc730f24c1964b88238ba8c8ed4d80d8ba

    SHA512

    09d17c2a5c7f10468a01502f5e6301ba43c0a51c4094bb740ae1ddf78871d71d327ff007dc8b7a2e8d9d5428a9e5422db06526e0476adab7f2721223b3dfc568

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    22KB

    MD5

    d8f4478fcb96b59676c9c64bf678172d

    SHA1

    3586c9290bc4213034ba6fb448b8eaafe98fc5a2

    SHA256

    df82cc945c89ddd0e45144b17ad6cdbc9b1ee33c2ab3e2f38e5f64dcca67cfd9

    SHA512

    dc9fd60d5ce7d09e8f51af22e8dca92fbc3779a4bb0b5414079451cd4ea82b97616acf6db8cdc3006c8fa6aa231f5b7a365385444531a4d4fc3e331e21772003

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    23KB

    MD5

    dfaf7a593af170c466182727073d3e72

    SHA1

    1d0bf43461a7b8afdeac0ae42803ac22c1b518da

    SHA256

    069c3e229eb556fc261331b1ce9832882f4498ddfaa19326a171ed7f1f8ff3fa

    SHA512

    3c5a21ec7fa3dfad9b139065d758a0ed375b275e582997051fef27b3b2725d52ea5baad4fd65adcdfe5978f33bce3f5e4bb4b1928a4a3d99f533cfa19aba8ea5

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    24KB

    MD5

    1f9724c5b0d9b264f45a6c7d73b9c326

    SHA1

    7d50f89ad3b37ada032d468ec2b886169ad87dda

    SHA256

    a931f882c3ca2769a88b52640dfbea99e3ecfcbfff0ecb2a508fa39af5acc414

    SHA512

    1e5dae39ebfc61cf3f47f72cc9e1e4fc5522ea2ec376f1b1225906e1b3b259f9fceb7104ec4f758b7573969657dbd2aa5983aae3efdc9902106abb27a708174e

  • C:\Users\Admin\AppData\Local\Temp\hB7BF9Cw.xlsm

    Filesize

    25KB

    MD5

    3ac8560d200e532280a9402d7966f381

    SHA1

    8d6614e46a1f26bab85dce1eec20cdf22dead213

    SHA256

    258da5815722986bba741c97b4605a481b90b20eb5f2922366b3f807af7587eb

    SHA512

    cd501445be19fd58eea8e662e64a8bd6e7f4cad20accdb8e493f63710d2f60e82302dadaa02020249d2865adc44b08efbd8f2926155ae30223e799fa192a51be

  • C:\Users\Admin\AppData\Local\Temp\melt.txt

    Filesize

    52B

    MD5

    29d493876bc0b2c8a6f38aa4a4379166

    SHA1

    dbb33f3fc329e87dbf2dd292c61207570706fa41

    SHA256

    984c05a8529073f415e789b0af9355d0c1f2e232993eed1b967403e42b34233e

    SHA512

    45f6921600962d05a6cb03280194324a277d5a81fb1b7ff64679be38ad1b190fca2b531e08a834500861ac08283f063512c3e9d03274748d060d77bb083a006b

  • C:\Users\Admin\Desktop\~$LimitTrace.xlsx

    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

  • \Users\Admin\AppData\Local\Temp\tmp142.exe

    Filesize

    1.2MB

    MD5

    b5b47f531d7f154f40987c7298eeead8

    SHA1

    f4a3e41d668ebde5403c7e6ecdefebb69733a244

    SHA256

    df44de684671c741c6829e74c2ca682c7db85240fa600b769d7cee78a3b73776

    SHA512

    cd5aa21d668c571a86e8ba61a5b4b537b3ef4bdc7002a7843693a362acbf37fae81ac78164dab5809ef007c63cc55e1ba450c4afbf8f6e3253519258a4fd46dd

  • memory/480-221-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/480-188-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/480-187-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/480-185-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/480-184-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/480-76-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/1636-186-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1636-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2344-21-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-11-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-25-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2344-27-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-23-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-20-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-13-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-29-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-17-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-54-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-15-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-32-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-31-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB

  • memory/2344-30-0x0000000000400000-0x0000000000510000-memory.dmp

    Filesize

    1.1MB