Overview

overview

10

Static

static

10

d2c46913d7...e2.exe

windows7-x64

10

d2c46913d7...e2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-12-2024 01:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2.exe

  • Size

    842KB

  • MD5

    3d39588fc7fe2010b69b873c6af0f953

  • SHA1

    8f7215b5934dc92a091fbe271ce20fec0958dbe9

  • SHA256

    d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2

  • SHA512

    6dba29d847639a14e56e868e83ce7a46889693a5b600be6f3de89d42f49bef68950c2c05810aa7afc3c35a2a4f316a8ef286ab9a51357d781f2930242cdeb976

  • SSDEEP

    12288:hMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9SptXvxUAqYfj:hnsJ39LyjbJkQFMhmC+6GD9WtXv

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2.exe
    "C:\Users\Admin\AppData\Local\Temp\d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:372
    • C:\Users\Admin\AppData\Local\Temp\._cache_d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:5084
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4668
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1796
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3656

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    842KB

    MD5

    3d39588fc7fe2010b69b873c6af0f953

    SHA1

    8f7215b5934dc92a091fbe271ce20fec0958dbe9

    SHA256

    d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2

    SHA512

    6dba29d847639a14e56e868e83ce7a46889693a5b600be6f3de89d42f49bef68950c2c05810aa7afc3c35a2a4f316a8ef286ab9a51357d781f2930242cdeb976

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_d2c46913d72ec99b6e62e9dc1eb4b01882c33a37c209f117d2639cf4144331e2.exe
    Filesize

    88KB

    MD5

    187df9bce5dccd678827ddfef3e2ded5

    SHA1

    c11d6776bcd0cebd227cdb2b8d5ec01921461e35

    SHA256

    93f3e1a24eb49712e1cda2bf867d8f5ab693d9d5eb3368c5803e432f0651863e

    SHA512

    88a4a70d7c6574146379c44b12f3b16d71b8f51e5e84adb6afddfd6350975e4250d4911bc16ebf1978ac4e956bcb63c44ea25ffe977d878133345e711439a92f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\51B75E00
    Filesize

    21KB

    MD5

    551f0bbdccaa4cebfa5f8393e28ad504

    SHA1

    ecef9c496c9a95e81d69d678e70d1d364ad4b588

    SHA256

    9575341c3fb5f59189e694c9be683e88aae3d1dbd7f7d314f29e5ab2860a23d2

    SHA512

    cf244fe695208bd4398be3856f59995b32775c67271231b2df8681101f1a398f60395f843dc9618ca4daae64d1faebd48cfb232edbba412f0d4366bd73d0bfd2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\puNHiNhX.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • memory/372-0-0x0000000002270000-0x0000000002271000-memory.dmp

    Filesize

    4KB

    Download

  • memory/372-129-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/3656-198-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-197-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-202-0x00007FFF7EEA0000-0x00007FFF7EEB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-201-0x00007FFF7EEA0000-0x00007FFF7EEB0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-200-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-196-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3656-199-0x00007FFF81090000-0x00007FFF810A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4668-131-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4668-249-0x00000000005C0000-0x00000000005C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4668-250-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/4668-282-0x0000000000400000-0x00000000004D8000-memory.dmp

    Filesize

    864KB

    Download

  • memory/5084-185-0x0000000005A10000-0x0000000005A1A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/5084-134-0x0000000005EA0000-0x0000000006444000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/5084-136-0x00000000059E0000-0x00000000059F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/5084-135-0x0000000005840000-0x00000000058D2000-memory.dmp

    Filesize

    584KB

    Download

  • memory/5084-130-0x0000000000F90000-0x0000000000FAC000-memory.dmp

    Filesize

    112KB

    Download

  • memory/5084-118-0x0000000072C5E000-0x0000000072C5F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/5084-251-0x00000000059E0000-0x00000000059F0000-memory.dmp

    Filesize

    64KB

    Download