Overview

overview

10

Static

static

10

9865de372f...bN.exe

windows7-x64

10

9865de372f...bN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-11-2024 16:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68bN.exe

  • Size

    2.6MB

  • MD5

    f4ce74f4aa7fc557cbfdc901b44b93e0

  • SHA1

    3bec2bafe4a3d712f0edf931d2a859b07322018c

  • SHA256

    9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68b

  • SHA512

    b72de7872ed5fed188b995f95a9c3ff929531dd3d67f3f82f793de9a4d6ce3ba3babeaf72a2f0ecfce133510d71784aa1ec35645659eb2b552a14324d95db237

  • SSDEEP

    49152:FnsHyjtk2MYC5GDV0mbtroVy1ysy6RpWn/:Fnsmtk2ae0mJok1Ny6k

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68bN.exe
    "C:\Users\Admin\AppData\Local\Temp\9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68bN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2524
    • C:\Users\Admin\AppData\Local\Temp\._cache_9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68bN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68bN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:780
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5056
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        PID:4296
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4496

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    2.6MB

    MD5

    f4ce74f4aa7fc557cbfdc901b44b93e0

    SHA1

    3bec2bafe4a3d712f0edf931d2a859b07322018c

    SHA256

    9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68b

    SHA512

    b72de7872ed5fed188b995f95a9c3ff929531dd3d67f3f82f793de9a4d6ce3ba3babeaf72a2f0ecfce133510d71784aa1ec35645659eb2b552a14324d95db237

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_9865de372f9f02c9831491f519111439c008b76e49beccf507c4a03777eff68bN.exe
    Filesize

    1.8MB

    MD5

    cc25dc128174d09d59cbcfc5d2807cff

    SHA1

    4dead10b6acb13ec2da43ca8b85571ee903cf9e3

    SHA256

    30746772f0c66b1b580babf37f625cfb0338fe72ec12ec03bfe4b84a5e8b0299

    SHA512

    04eae72a522d10be99e71fa762466d8daf8a6e0635df2747d161253deb858ba30f86a1dad727541a645ea16034d89f5b2125af60d3d657dbcfd1a0eef296ca20

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\47A75E00
    Filesize

    23KB

    MD5

    2a5e97a704ef43e381eab93af4d4fcfb

    SHA1

    43f159026cf21c9c897fd1e788eb483de749b6f8

    SHA256

    2cc41653d00cf08e4a22409c542ef8639bd4429c625fc3654ae44bad2a11bbab

    SHA512

    18061fcc59c17351be61047565f20e87f6dadc5d670d443b33e3d7a69652966635e3e278c60f4f2ae3586935da6bbb87a270524bdc76f016748edcd9ca0aec28

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\q7alQDiu.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\aardio\std\FontAwesome4.7.ttf
    Filesize

    154KB

    MD5

    52564edf9c4db20c769ca39c2802a421

    SHA1

    491c985064f2446b32325008e273753a11385e77

    SHA256

    e6b98cbad6b8add57fdfd3e8ddfa87146791d9c9df374b32935245269532bad1

    SHA512

    4f6abcce3f02080bb5a753d5e4e205874db0c8462f870ab1c8f31cbb9b973d5a636251c81677c4319046ef47571bdbc170ed64eb46c7e8430a9294f34d60a3e4

    Download Submit

  • memory/780-128-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/780-247-0x0000000002630000-0x0000000002631000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-0-0x0000000000880000-0x0000000000881000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2524-132-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4496-196-0x00007FFEEB1B0000-0x00007FFEEB1C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-197-0x00007FFEEB1B0000-0x00007FFEEB1C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-198-0x00007FFEEB1B0000-0x00007FFEEB1C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-199-0x00007FFEE8A90000-0x00007FFEE8AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-200-0x00007FFEE8A90000-0x00007FFEE8AA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-195-0x00007FFEEB1B0000-0x00007FFEEB1C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4496-194-0x00007FFEEB1B0000-0x00007FFEEB1C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5056-135-0x0000000000960000-0x0000000000961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-249-0x0000000000960000-0x0000000000961000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5056-248-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/5056-280-0x0000000000400000-0x0000000000694000-memory.dmp

    Filesize

    2.6MB

    Download