Overview

overview

10

Static

static

10

890db792f3...fe.exe

windows7-x64

10

890db792f3...fe.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    04/12/2024, 06:31

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe.exe

  • Size

    853KB

  • MD5

    4c98c7a78bd1785505f062c1b5d3acd4

  • SHA1

    3a359d06901aa4298a8db6070901197dec97001a

  • SHA256

    890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe

  • SHA512

    3ee1e620c0253d6dd51832259f5547776aeaa2f4d454d2453e707470cdc361dfc5685fcb30f20ca7b7928c48f0f7e13121401efd9434c30a6084e8882f771c80

  • SSDEEP

    24576:xnsJ39LyjbJkQFMhmC+6GD9pqra3PCvXvY:xnsHyjtk2MYC5GDkvY

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe.exe
    "C:\Users\Admin\AppData\Local\Temp\890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\._cache_890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe.exe"
      2⤵
      • Executes dropped EXE
      PID:2776
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        PID:2548
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3024

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Synaptics\Synaptics.exe
          Filesize

          853KB

          MD5

          4c98c7a78bd1785505f062c1b5d3acd4

          SHA1

          3a359d06901aa4298a8db6070901197dec97001a

          SHA256

          890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe

          SHA512

          3ee1e620c0253d6dd51832259f5547776aeaa2f4d454d2453e707470cdc361dfc5685fcb30f20ca7b7928c48f0f7e13121401efd9434c30a6084e8882f771c80

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ts4BbIvT.xlsm
          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ts4BbIvT.xlsm
          Filesize

          20KB

          MD5

          d5ff8c08854e6c245292f3508901a965

          SHA1

          9e01c60810101b3dbf00aba1199b45fc81c33e30

          SHA256

          89a79384a31de888d84175168a9ed8108c1b56f2e50576c56b2c1329c3dbf6ea

          SHA512

          aec04ae539e72a06ea3808679390c412f89c5f5325a99f59b648c7cf65eabd5dd346c33442d3d86abb1a8489cecc0ba2f369c67ac8b77cec358a9c512da646ee

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ts4BbIvT.xlsm
          Filesize

          24KB

          MD5

          493eeb5096bd2e918b9687a63132db36

          SHA1

          1eae4dbef7fe4fc5f81b4cb769d765df0a124300

          SHA256

          9c3c8f312c77acc898cead0b3e98d0296d5ab8a2eb96ed105ef19e47b0a75a2f

          SHA512

          cf7d955b67b4f2e66e35962cfb1e2f2557c8252e863954c92f176503ba27d55d21e0ef413232b996085d2f631329a42fe1a52a33d7be8639d405073a564f12ed

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ts4BbIvT.xlsm
          Filesize

          23KB

          MD5

          978d3c3c49ebff3bccf0295b51ce6c89

          SHA1

          684f812d4500019dbac9274a43d06179e532caa3

          SHA256

          721a488ac6fc15b40e80d84d7bd678e8c9856481f6a9d95fa8b7fe057a9bec94

          SHA512

          bd031e14c3fca9ffdf037631ae7e0b77b9f2bdfd96fcf2ba76e155ef1b53e4ee2ee1baa0c945ac1f464fb13b596a4ff3a2b998f5cbcc064d0d781efec3fcdd4a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Ts4BbIvT.xlsm
          Filesize

          28KB

          MD5

          7ca634c09bafbbfa046b4195232273e6

          SHA1

          dbad52f9e490785ff11565998ce71edde9a22707

          SHA256

          433765e6e557847f0182174565e01e3ddde85b63ad02ccd386ce0fc5e629ce93

          SHA512

          b4746257d20f667d37ac1b7a20472fab11bcf40cc3d9bb8ce1c5e9d7e9d250c6228b8fc88e8a1a9779604ed8ba74728b8511569f29f71fdeaa85bad503750e6c

          Download Submit

        • C:\Users\Admin\Documents\~$UsePush.xlsx
          Filesize

          165B

          MD5

          ff09371174f7c701e75f357a187c06e8

          SHA1

          57f9a638fd652922d7eb23236c80055a91724503

          SHA256

          e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

          SHA512

          e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

          Download Submit

        • \Users\Admin\AppData\Local\Temp\._cache_890db792f39b9a133706de13c2d54a9a2d4e783ca9698b537a80a7416d9cb0fe.exe
          Filesize

          100KB

          MD5

          06f46062e7d56457252a9a3e3a73405a

          SHA1

          94533bdd051154303d596dabb51187d146f94512

          SHA256

          8e2bdcaee8dfefcfe42740a43a0079eb1babfc530200bcfb57b1b1a548852af1

          SHA512

          2551f311a4eb2521a8b0c65ff87dd6a425a85cd242676b4553bc1adf807b432bbcc43144ae186dd04097f78e4ac1da979bb60f0242d07665c1125cf66bf63809

          Download Submit

        • memory/2424-28-0x0000000000400000-0x00000000004DB000-memory.dmp

          Filesize

          876KB

          Download

        • memory/2424-0-0x0000000000220000-0x0000000000221000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2852-117-0x0000000000400000-0x00000000004DB000-memory.dmp

          Filesize

          876KB

          Download

        • memory/2852-152-0x0000000000400000-0x00000000004DB000-memory.dmp

          Filesize

          876KB

          Download

        • memory/3024-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

          Download