Overview

overview

10

Static

static

10

7ba203cf0e...4N.exe

windows7-x64

10

7ba203cf0e...4N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    119s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-12-2024 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714N.exe

  • Size

    878KB

  • MD5

    7082651a665e7a31c20c1b3463b8a700

  • SHA1

    bf4adfd2ca0bb38fb981ffcc5c9084cf9da92882

  • SHA256

    7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714

  • SHA512

    9e618e294a18d564c1a4fabe4e717894bbeb20e87b4dbc7760e9c40e13fa5d195662df6861d8a9a09d5eb3fa89d0e8b06eba659a51dff352e7231a9c30e6dd32

  • SSDEEP

    12288:AMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9qmwDZzpM:AnsJ39LyjbJkQFMhmC+6GD9+Zza

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714N.exe
    "C:\Users\Admin\AppData\Local\Temp\7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\._cache_7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4152
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4152 -s 804
        3⤵
        • Program crash
        PID:2360
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3892
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3892 -s 792
          4⤵
          • Program crash
          PID:760
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4152 -ip 4152
    1⤵
      PID:1176
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3892 -ip 3892
      1⤵
        PID:1900
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2984

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe
        Filesize

        878KB

        MD5

        7082651a665e7a31c20c1b3463b8a700

        SHA1

        bf4adfd2ca0bb38fb981ffcc5c9084cf9da92882

        SHA256

        7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714

        SHA512

        9e618e294a18d564c1a4fabe4e717894bbeb20e87b4dbc7760e9c40e13fa5d195662df6861d8a9a09d5eb3fa89d0e8b06eba659a51dff352e7231a9c30e6dd32

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\._cache_7ba203cf0e02705516ecb9640a6ec56e1af722c2cdf0ef396a55002b478d6714N.exe
        Filesize

        124KB

        MD5

        dbd2a489c1f5eb8b8a11132aa31d9346

        SHA1

        fe7578c434bbaac60354293bf9aa82119bba9c3e

        SHA256

        88a121b4247bd47a384846467943461e2527c16d21923fbf4398ba1b0dfe824c

        SHA512

        b839ed9196191b66428551896ec8d3291c379583ca655226766bf05c5c9bb58f6d924a4f0ec41d77a291538df25cb1e26f728091c9614e3efa309b08284b9ab3

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\4EA75E00
        Filesize

        21KB

        MD5

        68c6c4fb52b21aea369f8437be48ee2c

        SHA1

        8f14acf631b2c00d6284fd0f802d6210711a0836

        SHA256

        40c7b292b59093bb15a84d6968ab0899c7117d25c26011903e58639df94478bd

        SHA512

        52a4c0c6699dc20847e86580f5a97ef05aae4f19bc6fb7263446e9ab5ee1ca5705967537a6b46878232696d35f8d6c55ba240ccf02af7806e53be57fa9d5a177

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\QtWLHdtR.xlsm
        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        Download Submit

      • memory/1828-130-0x0000000000400000-0x00000000004E1000-memory.dmp

        Filesize

        900KB

        Download

      • memory/1828-0-0x0000000002390000-0x0000000002391000-memory.dmp

        Filesize

        4KB

        Download

      • memory/2984-196-0x00007FF9D3FF0000-0x00007FF9D4000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-198-0x00007FF9D1C90000-0x00007FF9D1CA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-193-0x00007FF9D3FF0000-0x00007FF9D4000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-194-0x00007FF9D3FF0000-0x00007FF9D4000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-195-0x00007FF9D3FF0000-0x00007FF9D4000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-192-0x00007FF9D3FF0000-0x00007FF9D4000000-memory.dmp

        Filesize

        64KB

        Download

      • memory/2984-197-0x00007FF9D1C90000-0x00007FF9D1CA0000-memory.dmp

        Filesize

        64KB

        Download

      • memory/4152-129-0x0000000000D30000-0x0000000000D54000-memory.dmp

        Filesize

        144KB

        Download

      • memory/4152-118-0x0000000072EEE000-0x0000000072EEF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4352-131-0x0000000002250000-0x0000000002251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4352-247-0x0000000000400000-0x00000000004E1000-memory.dmp

        Filesize

        900KB

        Download

      • memory/4352-248-0x0000000002250000-0x0000000002251000-memory.dmp

        Filesize

        4KB

        Download

      • memory/4352-252-0x0000000000400000-0x00000000004E1000-memory.dmp

        Filesize

        900KB

        Download

      • memory/4352-277-0x0000000000400000-0x00000000004E1000-memory.dmp

        Filesize

        900KB

        Download