Overview

overview

10

Static

static

10

e2649a7a7f...37.exe

windows7-x64

10

e2649a7a7f...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 04:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe

  • Size

    2.3MB

  • MD5

    80891bf92a90f03a779aaca44b832723

  • SHA1

    45ae96961d82606e993064bb761a5c01bf437fd4

  • SHA256

    e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337

  • SHA512

    08adbacde131f22198920104e185d9fce34c2895c4beb6832359ae0e48d009bd70d8a59ab2af519bbac347f1e09d8bee5752b4cd170780c13ac31a77f171da94

  • SSDEEP

    49152:5nsHyjtk2MYC5GDsAmLRP/d6IxNIKnL5mO8ofTrbFWu:5nsmtk2aGw3CKL5mOlQu

Score
10/10
xredbackdoordiscoverymacropersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Program Files directory 25 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe
    "C:\Users\Admin\AppData\Local\Temp\e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2104
    • C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\svchost.exe
        "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe"
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2496
        • C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe"
          4⤵
          • Executes dropped EXE
          PID:2136
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2372
        • C:\Windows\svchost.exe
          "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1940
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
            5⤵
            • Executes dropped EXE
            PID:5116
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4164
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    2.3MB

    MD5

    80891bf92a90f03a779aaca44b832723

    SHA1

    45ae96961d82606e993064bb761a5c01bf437fd4

    SHA256

    e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337

    SHA512

    08adbacde131f22198920104e185d9fce34c2895c4beb6832359ae0e48d009bd70d8a59ab2af519bbac347f1e09d8bee5752b4cd170780c13ac31a77f171da94

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    Filesize

    1.5MB

    MD5

    5238f659b6127f1568222f18c238d7b6

    SHA1

    4adca550e837cf0110f7d558d9b0b0b0812b0818

    SHA256

    c15f5085e7c2b7216384e802eae7361350a1f996ec8794f8458b20475ec18cdc

    SHA512

    7f2098a84f6d927141a494be4dc198a0457d35b0d8aa4f4da61c3b67d5cecc049b782df29cee81b748658473c1fbde3e27ebe9059a7afe15312d4f04529158d2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    Filesize

    1.5MB

    MD5

    cf7743709a15a98639413e31bede6feb

    SHA1

    fad378ac147b60d27eba5fa492f612e3247dd883

    SHA256

    33e7f334cca110bf6138ca7b48485c63754c0160d80ac1f6d89bc4a002e44ebc

    SHA512

    257e1c1130a13fc13363a153f969407952a7b8f6b39db33eefec4adcfd40e22f6bc50185c3da13df66c1b6279a24ce076849683fa8b7a6b378a6a2fa51366450

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe
    Filesize

    1.6MB

    MD5

    830647aade3007eeb933a6cafa306800

    SHA1

    ed8b9ad7aa1ec0b07d6db09071053e55daa8eb3a

    SHA256

    bf0b029fc7b4baf19deaec3ca8a5d03b30f830116cef4f59bbc528ceb7a66e56

    SHA512

    5178762b8f5ac821361ffeae8279af49e4d076b1fb21de94f3253f3763d28f8615a16924eba8fa9cfd4f2db757efd1aa09435b9937be783f4996b2b0ecda0eee

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_e2649a7a7f8c5136fd028f9a12c3e7dfe57004c526391b67cf8b066a057f8337.exe
    Filesize

    1.5MB

    MD5

    9ebc7dd20fa66f5deabfd8873a4ed8c6

    SHA1

    cf1b1da0e5215738a8e972077be5804cb326b8ed

    SHA256

    487bd28f3d0b43ed9827ba519d6d113c4f31059bd62b4492da586c7bc82a9474

    SHA512

    5d0a052edec070ee573bc43ed9eb7eb92c0460efe60a5abc31d1200e092937b91eafce5492cd945d46645f9029f0f80a37907fe6292639d37f15f58dae377271

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KnIC1bcb.xlsm
    Filesize

    21KB

    MD5

    75eafaba029b20ba0c395c59eccb1c59

    SHA1

    3bc55e76eec1beef006990fe0a14ff60d6e637ec

    SHA256

    136b96bd459a49cc571349b3026379f78f04451a402517dc80b65e7a053efc16

    SHA512

    e0b2ce3ff5b3e31950314ec11fae99f538fc946a5c96b821ffa37ae9803195b07011119d1333e1cd797ff01081ca24888f84b0c485fa4a6fc364d5d94185cadf

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\KnIC1bcb.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • memory/1672-73-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/1940-208-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/2012-304-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2012-300-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2012-288-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2012-263-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2104-141-0x0000000000400000-0x0000000000653000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2104-0-0x0000000000830000-0x0000000000831000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2372-203-0x0000000000400000-0x0000000000431000-memory.dmp

    Filesize

    196KB

    Download

  • memory/2496-135-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4164-262-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4164-287-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4164-311-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4780-215-0x00007FFCA40B0000-0x00007FFCA40C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-214-0x00007FFCA40B0000-0x00007FFCA40C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-209-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-211-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-212-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-213-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4780-210-0x00007FFCA6330000-0x00007FFCA6340000-memory.dmp

    Filesize

    64KB

    Download