Analysis

  • max time kernel
    144s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    08-12-2024 20:44

General

  • Target

    SolaraBootStrapper-main/SolaraBootstrapper.exe

  • Size

    766KB

  • MD5

    d994d58e87f0deda637e325d0a54a347

  • SHA1

    8b72ea95b3569ba1ca12cb7ead4edd6e5694614d

  • SHA256

    6607cc8e27767479f97d55d7f4e8073589836bd5bf832ae951f3b565ab0541e3

  • SHA512

    cc9959f52a5c55644b85a24d203137ad43408014ea63bf453bd2b36b7a1ad9f937f5e2cae45f6c6a5c732a5928d9edf14f00e768a5584e43ca1c70c7cef94ca9

  • SSDEEP

    12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9i8Oj:GnsJ39LyjbJkQFMhmC+6GD9i

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\SolaraBootstrapper.exe
    "C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\SolaraBootstrapper.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2148
    • C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_SolaraBootstrapper.exe
      "C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_SolaraBootstrapper.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2184
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2296
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:644

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    766KB

    MD5

    d994d58e87f0deda637e325d0a54a347

    SHA1

    8b72ea95b3569ba1ca12cb7ead4edd6e5694614d

    SHA256

    6607cc8e27767479f97d55d7f4e8073589836bd5bf832ae951f3b565ab0541e3

    SHA512

    cc9959f52a5c55644b85a24d203137ad43408014ea63bf453bd2b36b7a1ad9f937f5e2cae45f6c6a5c732a5928d9edf14f00e768a5584e43ca1c70c7cef94ca9

  • C:\Users\Admin\AppData\Local\Temp\SolaraBootStrapper-main\._cache_SolaraBootstrapper.exe

    Filesize

    13KB

    MD5

    6557bd5240397f026e675afb78544a26

    SHA1

    839e683bf68703d373b6eac246f19386bb181713

    SHA256

    a7fecfc225dfdd4e14dcd4d1b4ba1b9f8e4d1984f1cdd8cda3a9987e5d53c239

    SHA512

    f2399d34898a4c0c201372d2dd084ee66a66a1c3eae949e568421fe7edada697468ef81f4fcab2afd61eaf97bcb98d6ade2d97295e2f674e93116d142e892e97

  • C:\Users\Admin\AppData\Local\Temp\i67uYlwG.xlsm

    Filesize

    24KB

    MD5

    2bbddd4d9f4f9a5812a4b01845103536

    SHA1

    8a76133e8234f1ed909325df46a35dabe0e74222

    SHA256

    9127995c1ceb27ee0fcf9884a77f48c4f7112143e737001d58cb3e0e8a34f3cf

    SHA512

    8bc0226ead3b10521510f510cc181466bd0f46d598ae52b14b0d310b0662639209aa6f82b13872e427f8714293a86d6eda09d226ef1ee580ad2186054357137a

  • C:\Users\Admin\AppData\Local\Temp\i67uYlwG.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/644-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1912-83-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/1912-116-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/1912-84-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/2148-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2148-28-0x0000000000400000-0x00000000004C6000-memory.dmp

    Filesize

    792KB

  • memory/2184-19-0x0000000000E20000-0x0000000000E2A000-memory.dmp

    Filesize

    40KB

  • memory/2184-18-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

    Filesize

    4KB

  • memory/2296-39-0x0000000000340000-0x000000000034A000-memory.dmp

    Filesize

    40KB