Overview

overview

10

Static

static

10

eb977f1baa...fN.exe

windows7-x64

10

eb977f1baa...fN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    107s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    19-12-2024 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fN.exe

  • Size

    1.2MB

  • MD5

    796eed038e49be83dc11994ef41330b0

  • SHA1

    6abb7c3a1bbe2dd5e93d068faee89a549357e241

  • SHA256

    eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9f

  • SHA512

    a8e6c7dfa9fbb910ed682d7d0256c4cc86c5bead9b40d945bad8d9c6ad7c243c7199102e8d8fbbf6abbd386759b8ccd2f18d32b1ae919c2eb9879a2c1c8772d6

  • SSDEEP

    24576:PFOajnsJ39LyjbJkQFMhmC+6GD9Kel3+s0DvfeUYqcZQCGm4Yd:tfnsHyjtk2MYC5GDL3Svfe41Yd

Score
10/10
xredbackdoordiscoveryevasionmacropersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Suspicious Office macro 2 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fN.exe
    "C:\Users\Admin\AppData\Local\Temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fN.exe"
    1⤵
    • Loads dropped DLL
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1992
    • \??\c:\users\admin\appdata\local\temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fn.exe 
      c:\users\admin\appdata\local\temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fn.exe 
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2256
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:816
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:996
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visiblity of hidden/system files in Explorer
        • Executes dropped EXE
        • Loads dropped DLL
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2180
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2692
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2592
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2520
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 11:42 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:2528
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 11:43 /f
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1712
        • C:\Windows\Explorer.exe
          C:\Windows\Explorer.exe
          4⤵
            PID:2488
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:1852

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\gy9MO1YN.xlsm
      Filesize

      23KB

      MD5

      b3c47698fb41a6859114786319009871

      SHA1

      240c3e4bfceb4aac6328bf9290cee182fcad526d

      SHA256

      bcdf695f31e230c17a7e56b1dbcbb0e79bc5d7782f1f3f047066e4e2c5682756

      SHA512

      8abf48cb8936e541d27c6c6fe4de3a5a9aeed8959c6e3e6fd88cc25070d6fe751ed8a77aeb2380439b2a933c30acdf7e03b3ad42ff425195fb5a73c41f0b0ef5

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gy9MO1YN.xlsm
      Filesize

      24KB

      MD5

      4d8ae80ad8a6edc083a0949fbdfdec84

      SHA1

      5a1a97338741be779312854268a957a3cc2c2af7

      SHA256

      19e289c6d93ce503c7643b767d22d0b4b7a7dc8efe6ecb051ee2fe13f2b0215a

      SHA512

      e6fb4487eaee089ac1f0ff7f42cb2a3cd412dd01b233349f469c61244ffae2979e9713e011398de3abb51c4e63131419be7d1dd3d6258d4e58414152d07d5299

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gy9MO1YN.xlsm
      Filesize

      27KB

      MD5

      fe2aac1bd49b22652d55afde05119d57

      SHA1

      007215358ada0cc4336825acfeaf3c30e042bd01

      SHA256

      8e2bdf7714f031d66ea813d116ddb8f8bd1925ac5034f742d998e1cd85e8f518

      SHA512

      9b7b582ea334adb562036df3a489adbf24339843893b3c5484b2db007d7e6ae1a2c16ca6f4024bb4fc079d0e397949cbe511fb541c921d35dd40dee040ce5434

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gy9MO1YN.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gy9MO1YN.xlsm
      Filesize

      25KB

      MD5

      be288066d228b9e2ba2d2d90a37eb80d

      SHA1

      7a2259cc0b980d85aa4e0fdccc45e5dd8678005d

      SHA256

      f47ac2d3ea19a4f499a9f0ac963fe1c0d6d7b4ee6b933af917a7d5eded311d6c

      SHA512

      e87cabb57e04009b601a3c7a5dfea9f6373ee8311f7409d2d34365b1ea6882d6ed7fa604710128ff366da8b442163b1e483a4d4d2d9412d2f8cfab6b8c44120b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gy9MO1YN.xlsm
      Filesize

      28KB

      MD5

      4acd34ede788f2fd2bb0fab1af46811f

      SHA1

      e77ca6605b05e14e832bfbfdc0395190aafe361e

      SHA256

      ca9578fa07705d68bce67f4acdc15a3c6d5049ac8e0c6711071961ffaa475b3e

      SHA512

      258661ba53e7e715391f63efd755292cd83bf3fecd5c1b3e0f0c1d1c395a5ff6573932bfb069daba86de19f5ef57c32f8daa46bb3ee3ebe90c5c4b7f0b487445

      Download Submit

    • C:\Users\Admin\Desktop\~$StepInitialize.xlsx
      Filesize

      165B

      MD5

      ff09371174f7c701e75f357a187c06e8

      SHA1

      57f9a638fd652922d7eb23236c80055a91724503

      SHA256

      e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

      SHA512

      e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

      Download Submit

    • C:\Windows\Resources\Themes\icsys.icn.exe
      Filesize

      135KB

      MD5

      bdbb0343d5ce8618b4f6b1c7de2966d6

      SHA1

      610d9cd3932598b9eb72a891b562a22ed9133052

      SHA256

      9fbbc2ae078b4e026cf351323b25a5cfecf109ed0f11382b83d18bb22346ffa0

      SHA512

      8f880712854ed099f8535b5c87173bbfcf80a91d6c1416c8258e03c14c328b0d5cd2447299cf9b2a3c74931067844e57de5f1c2ba7ed241e92a7572b53a21119

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      Filesize

      364KB

      MD5

      38f18ebb5b81b4481b732f68d2b9fe90

      SHA1

      eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0

      SHA256

      a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b

      SHA512

      9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

      Download Submit

    • \Users\Admin\AppData\Local\Temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fn.exe 
      Filesize

      1.1MB

      MD5

      1ed783cd8aa28a57cc404e304bdb980b

      SHA1

      5a701bf0ff1d75ba49af96f8f0fcce045dba6d12

      SHA256

      dcee609154e98ee26ddb3d559c39ec35bc6f4b2aff448bc44ecd234a3931f30f

      SHA512

      39d24d74cebc7c5bad82765dbe690de43943d60686c5ae2cb81b5f5b5ff6db1aed3d55aa0e0149aa1deaa8acfe896334716b0c5c5bf17d25c316211ab43b14ea

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      135KB

      MD5

      3ac7c5a9f2acaa4ec44741fed6b5a1f6

      SHA1

      b9e3d564188bffdc0b3c200768f888beb77ac3fe

      SHA256

      be39137f7792a5e76af021c941b1fe4f12964709671af784ddb9e85bf08c9e4a

      SHA512

      f8b965b91e1ccbe0ae1c81965600022505c4430bcf06954e1c3d7e82d7eae15d6b51859dad382e7457a90df8e0b35086a53c931d8868fdc7ca4ecbb624bd94d5

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      135KB

      MD5

      496017d315cca3d0f04c89ac97f4d8ed

      SHA1

      9c6b1b316aab44e508c98f697795072be069210d

      SHA256

      9e2a7fe3158de91283bd948c07f3a6e5de094c39c4580043fc938507e7dd7513

      SHA512

      606f7fcc661595d5ca03ce20e705be8f6658474c239ba32dc0bab1ec8a45d6a2e22bc035285d464c0cddd03ac7a2d3324593c15921fd42f78dd3344587adeb90

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      135KB

      MD5

      d24c977c8289e1e2a5560da984c8869c

      SHA1

      48ffbec06d169c7b7ca593e952234abc16c37957

      SHA256

      eb4f38796fd374a74d069841b18c89b2c177eccdd389a3f42fc8887054f2448b

      SHA512

      066f4d9dd940d9bc8f07f37fdd08bd3fa3cba75f5bd5bb93b009e48d5f0f508a3e6a9b8b212522af8f83ff47ac87fcfd8464d14067fa006ff7e5a66c77ec41cf

      Download Submit

    • memory/996-76-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/996-23-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1852-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/1992-22-0x0000000000300000-0x000000000031F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1992-77-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/1992-0-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2180-216-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2256-228-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2256-101-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2256-194-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2256-193-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2520-74-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2592-70-0x00000000002F0000-0x000000000030F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2592-227-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2692-52-0x00000000003A0000-0x00000000003BF000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2692-75-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

      Download

    • memory/2896-13-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2896-71-0x00000000003C0000-0x00000000003C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2896-89-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download