Analysis

  • max time kernel
    118s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    19-12-2024 11:40

General

  • Target

    eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fN.exe

  • Size

    1.2MB

  • MD5

    796eed038e49be83dc11994ef41330b0

  • SHA1

    6abb7c3a1bbe2dd5e93d068faee89a549357e241

  • SHA256

    eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9f

  • SHA512

    a8e6c7dfa9fbb910ed682d7d0256c4cc86c5bead9b40d945bad8d9c6ad7c243c7199102e8d8fbbf6abbd386759b8ccd2f18d32b1ae919c2eb9879a2c1c8772d6

  • SSDEEP

    24576:PFOajnsJ39LyjbJkQFMhmC+6GD9Kel3+s0DvfeUYqcZQCGm4Yd:tfnsHyjtk2MYC5GDL3Svfe41Yd

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fN.exe
    "C:\Users\Admin\AppData\Local\Temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fN.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4244
    • \??\c:\users\admin\appdata\local\temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fn.exe 
      c:\users\admin\appdata\local\temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fn.exe 
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3544
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2820
    • C:\Windows\Resources\Themes\icsys.icn.exe
      C:\Windows\Resources\Themes\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2756
      • \??\c:\windows\resources\themes\explorer.exe
        c:\windows\resources\themes\explorer.exe
        3⤵
        • Modifies visibility of hidden/system files in Explorer
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4132
        • \??\c:\windows\resources\spoolsv.exe
          c:\windows\resources\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4760
          • \??\c:\windows\resources\svchost.exe
            c:\windows\resources\svchost.exe
            5⤵
            • Modifies visibility of hidden/system files in Explorer
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in System32 directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3180
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:4800
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1332

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

    Filesize

    364KB

    MD5

    38f18ebb5b81b4481b732f68d2b9fe90

    SHA1

    eae6a3ea6b5b8ac5ccafcc6dd0bbdbb07d6ee6c0

    SHA256

    a27bef270abb8e0649358d89a004573b45156c7a2bb520fb62cfe1f50300145b

    SHA512

    9c38a92d015f8524b28d5b99c83f6923f2505cd65817e11b8079201148f0299cb38646bdbb8fb5f64c97b178507cf8a851c3edb38fb442f0caebfdc0482c2749

  • C:\Users\Admin\AppData\Local\Temp\E9B75E00

    Filesize

    22KB

    MD5

    75b84c7be98c1cd19da4a7fc54d3f966

    SHA1

    24cca51ffe6b41402762591349e27b92f508d996

    SHA256

    4aa5bf6262591456ed8daf5317e0ba39a5a4c1c4a771268d33d72810532331d6

    SHA512

    7bcc4c9013a04d77ce4ec6f20ca345b85bbf591ffaa9d5a86898f9dcd0b486049731d8b54f3f2a7ee85aab801af1268dd34a413867a0db79010d29c3f436067a

  • C:\Users\Admin\AppData\Local\Temp\JWXWovZv.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\eb977f1baa133248915590e1a9de9eb0f523d08fa9015da05cb4703bd821cd9fn.exe 

    Filesize

    1.1MB

    MD5

    1ed783cd8aa28a57cc404e304bdb980b

    SHA1

    5a701bf0ff1d75ba49af96f8f0fcce045dba6d12

    SHA256

    dcee609154e98ee26ddb3d559c39ec35bc6f4b2aff448bc44ecd234a3931f30f

    SHA512

    39d24d74cebc7c5bad82765dbe690de43943d60686c5ae2cb81b5f5b5ff6db1aed3d55aa0e0149aa1deaa8acfe896334716b0c5c5bf17d25c316211ab43b14ea

  • C:\Windows\Resources\Themes\explorer.exe

    Filesize

    135KB

    MD5

    f40ba07c7dde350c11aeee09da5f326c

    SHA1

    d10ec53749ad2253ba3ae53803adce0ce4e82bec

    SHA256

    87ca11a31c05b8210b799df31fb601e234072b5cab01414c52bc1601fcfb1b2f

    SHA512

    c361e3798cc2063f669af443bf7d3e1debacc6c8a2ac3840c616c19e2716eb4c3e51b88c272bfdbcdb6c0547d830778cf5f764495006fae67be7195cbd93342b

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    bdbb0343d5ce8618b4f6b1c7de2966d6

    SHA1

    610d9cd3932598b9eb72a891b562a22ed9133052

    SHA256

    9fbbc2ae078b4e026cf351323b25a5cfecf109ed0f11382b83d18bb22346ffa0

    SHA512

    8f880712854ed099f8535b5c87173bbfcf80a91d6c1416c8258e03c14c328b0d5cd2447299cf9b2a3c74931067844e57de5f1c2ba7ed241e92a7572b53a21119

  • C:\Windows\Resources\spoolsv.exe

    Filesize

    135KB

    MD5

    0e9f3665c84e90fb1945753de8f54578

    SHA1

    77edaec8ee0661d150b1ec0afe56edbaceb374fc

    SHA256

    8e976d72234f786a5ea0af59053b73bd0ec66e1c5a8425d77afd2cdb4dd62829

    SHA512

    5833c55b0ef7370575c59470f8a6fb75ae615bc9fe75e246a9bdc90b60a51e951c28781a511d298567d5db7d344190585bae015b5689e77dc9a5b5e7d0e67312

  • C:\Windows\Resources\svchost.exe

    Filesize

    135KB

    MD5

    f4e22af893d0f1e00a5d93643ef9a3de

    SHA1

    524d5f64472c563d421a57b2c9b93e46c615a558

    SHA256

    f6530e3e3549baeabcfb42fc63dde06e5fc3b43ba0837af8473ad86a63abd38e

    SHA512

    c3993c5141ed46f460a3ab1cd8af9828be619fbd014357db4f2ccff3070aef6f611cec3e328cd688147c991c3eb2aabbf372ac77c9f7001497c8f6e251fb39fe

  • memory/1332-162-0x00007FFB84E80000-0x00007FFB84E90000-memory.dmp

    Filesize

    64KB

  • memory/1332-161-0x00007FFB84E80000-0x00007FFB84E90000-memory.dmp

    Filesize

    64KB

  • memory/1332-159-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

    Filesize

    64KB

  • memory/1332-158-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

    Filesize

    64KB

  • memory/1332-160-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

    Filesize

    64KB

  • memory/1332-157-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

    Filesize

    64KB

  • memory/1332-156-0x00007FFB871D0000-0x00007FFB871E0000-memory.dmp

    Filesize

    64KB

  • memory/2756-106-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3180-239-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3544-118-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/3544-9-0x00000000022B0000-0x00000000022B1000-memory.dmp

    Filesize

    4KB

  • memory/4132-238-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4244-0-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4244-107-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4684-155-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/4684-209-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/4684-242-0x0000000000400000-0x000000000051D000-memory.dmp

    Filesize

    1.1MB

  • memory/4760-31-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4760-99-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4800-86-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB