Overview

overview

10

Static

static

10

99c3ec92fe...56.exe

windows7-x64

10

99c3ec92fe...56.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2024 00:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe

  • Size

    6.1MB

  • MD5

    3836fdeaf179df63b904a0498fefc3ca

  • SHA1

    81127b3089ca41b081647b13c6ec0474638343ed

  • SHA256

    99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056

  • SHA512

    212dcb46234115aaa3a36cdb5983bbefa4e4766089689eaf7fe7f9de6fe59de0f3f4e7ce613dcb3726d753901fe256a325d8c6521de57429ba072fe388b9ffad

  • SSDEEP

    98304:knsmtk2aNFd7Xy1VkHK5mi8P4aR8qLf3gbz2FSmaI7dl0c:KLsFVXy1KHKQjQbz2FSmaI7dlN

Score
10/10
xredadwarebackdoordiscoverypersistencespywarestealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

    stealeradware
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 22 IoCs
    adwarespyware
  • Modifies registry class 17 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
    "C:\Users\Admin\AppData\Local\Temp\99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4060
    • C:\Users\Admin\AppData\Local\Temp\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1440
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3880
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • Installs/modifies Browser Helper Object
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3116
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" /s "C:\Users\Admin\AppData\Local\Temp\IDMShellExt64.dll"
          4⤵
          • System Location Discovery: System Language Discovery
          PID:3684
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3324

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    6.1MB

    MD5

    3836fdeaf179df63b904a0498fefc3ca

    SHA1

    81127b3089ca41b081647b13c6ec0474638343ed

    SHA256

    99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056

    SHA512

    212dcb46234115aaa3a36cdb5983bbefa4e4766089689eaf7fe7f9de6fe59de0f3f4e7ce613dcb3726d753901fe256a325d8c6521de57429ba072fe388b9ffad

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_99c3ec92fe4fbe916e5ea686a0ddfd0f7015d7a1d7a0ec532d9f3538df0e4056.exe
    Filesize

    5.4MB

    MD5

    f1c022844d082a85c760b33c133921b5

    SHA1

    4b48a8c17260c5548a8275135ebb07fe12ac8730

    SHA256

    fe6765341fa4be1316f296e714228a2e0e3e475b6820e6344a293821fcc0859d

    SHA512

    06877660b23fd862dba27af3d86dc12bbecf3c047f722a7681ebf665ad90a9ba0219ac0d5619b7926ad27a5a490cf896a8fc081d290ef10c9d829ccb12cf96fb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Jzdo5MRX.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • memory/3324-192-0x00007FFCE8110000-0x00007FFCE8120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-189-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-190-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-188-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-187-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-191-0x00007FFCEA1D0000-0x00007FFCEA1E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3324-193-0x00007FFCE8110000-0x00007FFCE8120000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3880-208-0x0000000000400000-0x0000000000A2C000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/3880-240-0x0000000000400000-0x0000000000A2C000-memory.dmp

    Filesize

    6.2MB

    Download

  • memory/4060-0-0x00000000028D0000-0x00000000028D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4060-127-0x0000000000400000-0x0000000000A2C000-memory.dmp

    Filesize

    6.2MB

    Download