Overview

overview

10

Static

static

10

Sleezy Cr...er.exe

windows10-ltsc 2021-x64

10

Analysis

  • max time kernel
    18s
  • max time network
    18s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    07-12-2024 06:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Sleezy Cracked temp spoofer.exe

  • Size

    786KB

  • MD5

    88182e9317dac3dec77c746461684560

  • SHA1

    c7fe653bf7ec84e9eca05377ca4eb0f153f58b7a

  • SHA256

    5f8b9031c966a67887f5d4d3faacab049e6451d30a4ba52f6610ba4f06a7eaa4

  • SHA512

    b682e256869757b4dc301cc75e4c980b4f6a88a8e389fc95f45e41958ccc0c8af4801729c3320849fb7dc225dc81a88405370abf6b297cf7dbd3411eba526aa3

  • SSDEEP

    12288:2MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V93C++5oj:2nsJ39LyjbJkQFMhmC+6GD9y++q

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Sleezy Cracked temp spoofer.exe
    "C:\Users\Admin\AppData\Local\Temp\Sleezy Cracked temp spoofer.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Users\Admin\AppData\Local\Temp\._cache_Sleezy Cracked temp spoofer.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Sleezy Cracked temp spoofer.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\windows\system32\s4c.vbs"
        3⤵
          PID:4780
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3092
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2196

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      753KB

      MD5

      fefbc610031d089f0eff0500ef448834

      SHA1

      86dcd51fcbdeccc142209b85c342b5fd18ce947b

      SHA256

      6ee1eb73b9b217d83f7a37f74a73b8ae76bea8c156c5f40dc83469bd5414a59a

      SHA512

      d21603e9ea12979dfc91f305f2e58bce27398880acc282ea545d444ba96a3942eb6fa792e25f5f05cc699aae83cfade1f307ce545c8eb64b48ff3df405753be0

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_Sleezy Cracked temp spoofer.exe
      Filesize

      33KB

      MD5

      3ae9c64d0788d00d12c9f35bd8898e64

      SHA1

      44c945ec3909f21c0b53e46c29ca588030302fa6

      SHA256

      3c2a93366f4eea1bfee9858c07a8ae16602337c536a93f36b7ca1c879ea0e615

      SHA512

      0f676645624af527cb9f97f51457a485ab4a98ea1d0072b42d1c32118124fec7d44872c29c477c49ba473200aba0671119c3c5d5d31c9252a1eca19c2675853f

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\03975E00
      Filesize

      24KB

      MD5

      dbb7c75635e16f7c9e8034156a141689

      SHA1

      4c396b931b43fbc47ab816f4baa637e669553691

      SHA256

      f0d897227994fa3826f43236b50d395a6ef354b73abb8c455027f92cef9e16e6

      SHA512

      a90afd7883cade908f8e502468f950d82ff9fc9be15ae5f72554ca0312171a30b003aa8b49c8ce3f242460fcbbb58aa5b8e7cba7d81222f1e1d2f4b1139cd89a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Zpy47Yz6.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Windows\System32\s4c.vbs
      Filesize

      233B

      MD5

      dedec69355e1ca8cdd26f8f3c7450183

      SHA1

      486225ceef570787e5fc4596eae174fc84f4f4b4

      SHA256

      5e7dec4d2a66a7fb1423950b198a215fabd7404e9f1ae85548c3e4d6447f4761

      SHA512

      8ccf333c4181cee696b24ead443f903dabee23382e74e5e8b6f4d804a56efddd91f500d0a6f6fae37d90b53d3a9d315fb3e4b6b858fa926cbe9d6a8caab17405

      Download Submit

    • memory/1064-67-0x00007FFCF6BF3000-0x00007FFCF6BF5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1064-69-0x0000000000220000-0x000000000022E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2196-134-0x00007FFCD5190000-0x00007FFCD51A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-132-0x00007FFCD5190000-0x00007FFCD51A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-135-0x00007FFCD5190000-0x00007FFCD51A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-133-0x00007FFCD5190000-0x00007FFCD51A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-142-0x00007FFCD2900000-0x00007FFCD2910000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-144-0x00007FFCD2900000-0x00007FFCD2910000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2196-131-0x00007FFCD5190000-0x00007FFCD51A0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2424-0-0x00000000007B0000-0x00000000007B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2424-129-0x0000000000400000-0x00000000004CB000-memory.dmp

      Filesize

      812KB

      Download

    • memory/3092-185-0x0000000000400000-0x00000000004C2000-memory.dmp

      Filesize

      776KB

      Download