Analysis

  • max time kernel
    111s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 00:16

General

  • Target

    9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe

  • Size

    769KB

  • MD5

    6db4320c191b06ddd85567b74efb6e70

  • SHA1

    747086d62c1b6b441a10a055334de4813addff78

  • SHA256

    9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3

  • SHA512

    3256d70188c5ff90b35b7b4f0ab00df6117ccd4c84ce9dd223118732a1b28d1eeb02bc12b74fe607585c6e55e60e38a7797e4cd83cae69ce01f2773f0108fc75

  • SSDEEP

    12288:yMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V911KE+VIo1/:ynsJ39LyjbJkQFMhmC+6GD9fKE+VIop

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
    "C:\Users\Admin\AppData\Local\Temp\9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3080
    • C:\Users\Admin\AppData\Local\Temp\._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe"
      2⤵
      • Executes dropped EXE
      PID:4748
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:116
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        PID:2848
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:5116

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    769KB

    MD5

    6db4320c191b06ddd85567b74efb6e70

    SHA1

    747086d62c1b6b441a10a055334de4813addff78

    SHA256

    9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3

    SHA512

    3256d70188c5ff90b35b7b4f0ab00df6117ccd4c84ce9dd223118732a1b28d1eeb02bc12b74fe607585c6e55e60e38a7797e4cd83cae69ce01f2773f0108fc75

  • C:\Users\Admin\AppData\Local\Temp\._cache_9524a1cadb215fe07b2bd4ee53f1f5492dada313e84ce1cb01b56006b1b7b6b3N.exe

    Filesize

    15KB

    MD5

    a66641f10443a02ffb730bcc6c2f630c

    SHA1

    fc8c9ac0b0fda230c8cb47b1c98fc6daf5c6b0ed

    SHA256

    3898114b93d5102fda924637e06c952c1cf0477223b61f0138086a6a73120a89

    SHA512

    ead3c4825d9cdc0877f267b9853014cc408555fcf4eafdb1ae0778c6a194ca4d6352d24512429efa109b92a33f07f2cc97994f71e346e43c188256f8a9ec6c7a

  • C:\Users\Admin\AppData\Local\Temp\7Kn4noDi.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\A7A75E00

    Filesize

    23KB

    MD5

    97e3906de1496c60bb296997c8af77b7

    SHA1

    97dba89b3957196c8971bbbff8d9fed2b38818a3

    SHA256

    f0f9592de9dce7581be82827c55e89fc0bd503aec0875de77d93f32418d31671

    SHA512

    d15471f69ab9e56a92034f78c3a31d5def63a99d00f9fa8e9531b27ad478edc480636b8f819f01cc07d4e261b27cb104075de8ba0a5b55810e39ce5bfe276b13

  • memory/116-101-0x0000000000590000-0x0000000000591000-memory.dmp

    Filesize

    4KB

  • memory/116-187-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/116-188-0x0000000000590000-0x0000000000591000-memory.dmp

    Filesize

    4KB

  • memory/116-219-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/3080-0-0x0000000002250000-0x0000000002251000-memory.dmp

    Filesize

    4KB

  • memory/3080-100-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/5116-135-0x00007FFD000F0000-0x00007FFD00100000-memory.dmp

    Filesize

    64KB

  • memory/5116-134-0x00007FFD000F0000-0x00007FFD00100000-memory.dmp

    Filesize

    64KB

  • memory/5116-137-0x00007FFD000F0000-0x00007FFD00100000-memory.dmp

    Filesize

    64KB

  • memory/5116-136-0x00007FFD000F0000-0x00007FFD00100000-memory.dmp

    Filesize

    64KB

  • memory/5116-138-0x00007FFD000F0000-0x00007FFD00100000-memory.dmp

    Filesize

    64KB

  • memory/5116-139-0x00007FFCFE090000-0x00007FFCFE0A0000-memory.dmp

    Filesize

    64KB

  • memory/5116-140-0x00007FFCFE090000-0x00007FFCFE0A0000-memory.dmp

    Filesize

    64KB