Analysis
-
max time kernel
112s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
17-12-2024 21:19
General
-
Target
3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
-
Size
900KB
-
MD5
da622141c7c1c20462583cac67ca7d50
-
SHA1
dd33f1a243f401360e9d3b43b2fc1643f76828be
-
SHA256
3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897beb
-
SHA512
a10f65b6617a3bb984132f481603bd85a36dcd870f38284b2a7450570d5dc82f05ddd530384eba428a2bc8b2a648d5d9eeb3dfe0d82e7de6762ac10aa0fccc47
-
SSDEEP
12288:sMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9mU6bi9I6VVa:snsJ39LyjbJkQFMhmC+6GD9hIyM
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe"C:\Users\Admin\AppData\Local\Temp\3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe"C:\Users\Admin\AppData\Local\Temp\._cache_3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
900KB
MD5da622141c7c1c20462583cac67ca7d50
SHA1dd33f1a243f401360e9d3b43b2fc1643f76828be
SHA2563618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897beb
SHA512a10f65b6617a3bb984132f481603bd85a36dcd870f38284b2a7450570d5dc82f05ddd530384eba428a2bc8b2a648d5d9eeb3dfe0d82e7de6762ac10aa0fccc47
-
Filesize
147KB
MD52b8e4c792bed0e5882702720bc528ae5
SHA1e7638b294a4f1409f87e449643a02bbd49a481c8
SHA2566d7cb027bc6014cb268c49b46049cdff3ba94d07102a65bd053335a28e83d125
SHA5126cc9457024385c2687b32c5cd49aa45aa21c93c66c78efaa3e9d96e4fd26054fb9a4ef9c4974ca633e5ba63a31f625632aae7097aa6d05b54201c3f383d5a82d
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
22KB
MD5c3be5ed3cc1c75ab3961fbfe8f4cb014
SHA110e7e2a16f4c2254c3b553657d76708c8e73d5bc
SHA25674e76dbc0e951a6d9c9947f65588e4591d4b0169b161dd1d06041df4989abac4
SHA5122791e6a1ad12ac9cccebe6d5ae927a3ab81edc933c35a13faa8fa180c943a399d8c0c1c6f6b139d789117fd6174cdd097b719a3592a9318061bdb9ba94382100
-
Filesize
4KB
-
Filesize
924KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
924KB
-
Filesize
924KB
-
Filesize
924KB