Overview

overview

10

Static

static

10

winer/Winner_Free.exe

windows10-2004-x64

10

Resubmissions

29-11-2024 09:11

241129-k5pcssxkew 10

29-11-2024 09:11

241129-k5kdvaslhk 10

30-12-2023 12:12

231230-pdbpvaegdr 7

Analysis

  • max time kernel
    30s
  • max time network
    27s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 09:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    winer/Winner_Free.exe

  • Size

    6.3MB

  • MD5

    babd90df8276efdedb7a0510d6d6e8aa

  • SHA1

    9a43619fea06385a32a8bda7f125c834b7824f0a

  • SHA256

    925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a

  • SHA512

    7b703f1006f0a67184e95072eb14f5c24161e45ad134e690fc4b25640798e6ecd966d14c736f5782e5efd4d604a34bc89805257250cd80ba9bae30715df9e159

  • SSDEEP

    98304:xnsmtk2aPV6s5YTnGUIcNAYDtYsvs6zqVXoQW07XlOVZ+dHXn8RXHhxBh7ZM5DBW:NLiV6s5XUxNAotvsjoQhLGQHuXrEBW

Score
10/10
xredbackdoordiscoverypersistencevmprotect

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\winer\Winner_Free.exe
    "C:\Users\Admin\AppData\Local\Temp\winer\Winner_Free.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3156
    • C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe
      "C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4628
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c title 0CiYFP6075JunR37aW2PcNr72bteR0pNF9g7PGE8cvb2NF95ZrsttUAS42K7
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3720
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3744
      • C:\Users\Admin\AppData\Local\Temp\winer\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\winer\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:3060
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c title SqRhD58EfB77nc934P2L98BAH3rsBkIS6Uz4oOFsVdOJhxF0CniwY5N71KwD
          4⤵
          • System Location Discovery: System Language Discovery
          PID:4844
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5032
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Suspicious use of SetWindowsHookEx
    PID:5028
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    6.3MB

    MD5

    babd90df8276efdedb7a0510d6d6e8aa

    SHA1

    9a43619fea06385a32a8bda7f125c834b7824f0a

    SHA256

    925840c7fa54b3bd5f8df5ed843d6872e30c95b423b10dedf6c6f56ec92dec7a

    SHA512

    7b703f1006f0a67184e95072eb14f5c24161e45ad134e690fc4b25640798e6ecd966d14c736f5782e5efd4d604a34bc89805257250cd80ba9bae30715df9e159

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    1KB

    MD5

    67e486b2f148a3fca863728242b6273e

    SHA1

    452a84c183d7ea5b7c015b597e94af8eef66d44a

    SHA256

    facaf1c3a4bf232abce19a2d534e495b0d3adc7dbe3797d336249aa6f70adcfb

    SHA512

    d3a37da3bb10a9736dc03e8b2b49baceef5d73c026e2077b8ebc1b786f2c9b2f807e0aa13a5866cf3b3cafd2bc506242ef139c423eaffb050bbb87773e53881e

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    436B

    MD5

    971c514f84bba0785f80aa1c23edfd79

    SHA1

    732acea710a87530c6b08ecdf32a110d254a54c8

    SHA256

    f157ed17fcaf8837fa82f8b69973848c9b10a02636848f995698212a08f31895

    SHA512

    43dc1425d80e170c645a3e3bb56da8c3acd31bd637329e9e37094ac346ac85434df4edcdbefc05ae00aea33a80a88e2af695997a495611217fe6706075a63c58

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8B2B9A00839EED1DFDCCC3BFC2F5DF12
    Filesize

    174B

    MD5

    75c5c25c440bb3e84cd7c7716e9bcdb7

    SHA1

    8ab594d1f632cc467e1c9c13001fe325754391ce

    SHA256

    f72890fefb6a5fd06f8d767e59c622be7a777e1833e3926728cdc02e0a33e8dc

    SHA512

    7d144d0ce76fd70bb2b2e957127c6800df21692acf1281b3971f59628f77094dc5df223faab476a819bd8a88ea02667ab6aab827ee16caeb0060b425353cd15f

    Download Submit

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B46811C17859FFB409CF0E904A4AA8F8
    Filesize

    170B

    MD5

    cde4a5197698f2b2798ada7a9ac1c93e

    SHA1

    943c23037b41cba8722cc0931ab06fb15cf5dd2e

    SHA256

    ec31238222416ef040d8ee86005df085f0116d6eee0f0d08d3f901760c82f2c7

    SHA512

    347ded90c7c6ec0b3c1bade05d1d62cccb50ca79a6a528ace383d9617630181abac0265d21c5df9a3f431046bfba23f0e9cf058b8e506b9fbb294151cb3f7014

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\R43Hc1kn.xlsm
    Filesize

    21KB

    MD5

    c439dea231c22bbe717cc29614688e0f

    SHA1

    15eba9d70ad5ef9a5a31818572911750cacef26e

    SHA256

    9eb9a1cde9b2e4f7bcce6683be8c87fd8887c1e815cad1aa90e95e5deefe87e7

    SHA512

    7e8f20d82629186d8bf46668a651f3d60d68c0517c658476e6c80a319a744029b42f15f1bfe8acb60a23d449a5939515e133054d6e4db3a8bc9398547985021c

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\R43Hc1kn.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winer\._cache_Winner_Free.exe
    Filesize

    5.6MB

    MD5

    a8133b3fdf3ec104c0f0d503ef6a7ec7

    SHA1

    d875876bd027a59b9157a45df00a24ccd505ed20

    SHA256

    c3429972cc6d611fa4f940f89624658e3aadc85a681bdcd5adce9bdc6c6d3072

    SHA512

    2734304de246490ff8d3ab0487838afc6cc2abb7cfbc0404860cbb395ba69887c33b802a08d32f8ccd2c6e341e4b5062c3aa27b3de2f4bba3c542d984e4721b1

    Download Submit

  • memory/1064-162-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-163-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-167-0x00007FFCD9210000-0x00007FFCD9220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-166-0x00007FFCD9210000-0x00007FFCD9220000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-165-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-164-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1064-161-0x00007FFCDB270000-0x00007FFCDB280000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3060-144-0x0000000000EE0000-0x00000000017E1000-memory.dmp

    Filesize

    9.0MB

    Download

  • memory/3060-143-0x0000000000AB0000-0x0000000000AB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3060-142-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3156-101-0x0000000000400000-0x0000000000A51000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/3156-0-0x00000000027F0000-0x00000000027F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3744-160-0x0000000000400000-0x0000000000A51000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/3744-102-0x0000000000C20000-0x0000000000C21000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3744-214-0x0000000000400000-0x0000000000A51000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/4628-130-0x0000000000F30000-0x0000000000F31000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4628-159-0x00000000001A0000-0x0000000000AA1000-memory.dmp

    Filesize

    9.0MB

    Download

  • memory/4628-158-0x00000000001AC000-0x0000000000511000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4628-129-0x00000000001AC000-0x0000000000511000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/4628-131-0x0000000000F40000-0x0000000000F41000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4628-134-0x00000000001A0000-0x0000000000AA1000-memory.dmp

    Filesize

    9.0MB

    Download

  • memory/4628-132-0x00000000001A0000-0x0000000000AA1000-memory.dmp

    Filesize

    9.0MB

    Download