Overview

overview

10

Static

static

10

VPN Plus V...V2.exe

windows7-x64

10

VPN Plus V...V2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-12-2024 04:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VPN Plus V2/VPN Plus V2.exe

  • Size

    2.6MB

  • MD5

    30a3448e4e667492151d200221cc2330

  • SHA1

    392e50785ea1f153b3031d13150ab518c662b446

  • SHA256

    40332154e44a8a75d54aba96f78927fb0e670db9cca93c6219088fb9d3b3c1f4

  • SHA512

    df441bd04d7f8bc1e3d2b43d376de9a47275238ac20e4b635ce806b01d3ad025f806db553e7ecbc331fb64040032b424ef80263f8d007bab018510687d575b4e

  • SSDEEP

    49152:MnsHyjtk2MYC5GDYecxZBslbm1C5Xj+zlyVUBcpm2TFBUQn:Mnsmtk2aAMZB4m1C5X65yVGcp5TB

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 6 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 9 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\VPN Plus V2.exe
    "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\VPN Plus V2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2788
    • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPN Plus V2.exe
      "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPN Plus V2.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe
        "C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe"
        3⤵
        • Executes dropped EXE
        PID:208
      • C:\Users\Admin\AppData\Roaming\VPNPlus.exe
        "C:\Users\Admin\AppData\Roaming\VPNPlus.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe
          "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1576
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2804
      • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:956
        • C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe
          "C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe"
          4⤵
          • Executes dropped EXE
          PID:1332
        • C:\Users\Admin\AppData\Roaming\VPNPlus.exe
          "C:\Users\Admin\AppData\Roaming\VPNPlus.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:3416
          • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe
            "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2932
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1760

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    2.6MB

    MD5

    30a3448e4e667492151d200221cc2330

    SHA1

    392e50785ea1f153b3031d13150ab518c662b446

    SHA256

    40332154e44a8a75d54aba96f78927fb0e670db9cca93c6219088fb9d3b3c1f4

    SHA512

    df441bd04d7f8bc1e3d2b43d376de9a47275238ac20e4b635ce806b01d3ad025f806db553e7ecbc331fb64040032b424ef80263f8d007bab018510687d575b4e

    Download Submit

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\VPN Plus Config.exe.log
    Filesize

    871B

    MD5

    386677f585908a33791517dfc2317f88

    SHA1

    2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

    SHA256

    7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

    SHA512

    876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\23285E00
    Filesize

    20KB

    MD5

    109d8ffda735fcc784663b1463665e16

    SHA1

    a9d857b855cdbfed37c7ad86cb0eaeb063045136

    SHA256

    0ecb2d62d397060e8d9102d4bcce88c25746afb0d6f9174dfb054dc09fd3d632

    SHA512

    88ee31aa6943066a992b019b2ad28da7fd15fe79e2aa2b17f7acc9c665fb6019f52c72457371ed42fad674cb6a9fcc21471d149bf494f7d39fe6d0ebedb6ba48

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4hzj8I2B.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPN Plus V2.exe
    Filesize

    1.9MB

    MD5

    e765670f02fbba4fdd9317bba1c325ce

    SHA1

    954e3c2a2d461751fdac14b958cd20d9b5fcb099

    SHA256

    68c222268509688293c1b878e205134f9ab6c6b7a1d9c9541a9c01012e00e97f

    SHA512

    f009bc7c6577768ad42f8bbb08313d4ad81f56b3275c6f7ed01e94f818e9682de787046282ccdf961e96c8408269e2039314a3eaa75c31c740c2d0c58fab0eab

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe
    Filesize

    444KB

    MD5

    f341dc884269172ef968d8fa6927275b

    SHA1

    5351fe61fd39b7704d9d63b1a36c44746536753d

    SHA256

    2d41af98b1f58fa4c8266629e6a8eec3a06970a4bd8132f722a3ad71457da4e6

    SHA512

    0c6933547a0f76b953a6679027e95f2d557c509ac459004baf2a2bf1bb9176d196eb1bea0ef38c6fe8a5b1ad2ecbf92e10542a2be25b563ab2af82f0bdfb1fde

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe
    Filesize

    293KB

    MD5

    0ffc5a768817a65ad00c3225bdcb6a70

    SHA1

    27c84ea9ad25231d0f01f95e7a5b8bc14e719184

    SHA256

    8df7d471e2c777b50b717c44149ee1556032f8123913d5bc3366f6f8780eceae

    SHA512

    282b605a57e3893a966ff482531bbc123ae508ca085b1781516879f09080d797e80ad60811e89f9d6fa0debda6429f5e5600968f5334931cad7a46dbeb96f96c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\VPNPlus.exe
    Filesize

    1.2MB

    MD5

    89099b1cc2d117ad367e9cbf10042916

    SHA1

    65d2b50285a1fb3d7b1e7b691e647abc58b33d5c

    SHA256

    95e9259b2d0a30d7e16b13d886a70d1d8cfaccd0799d1adff2e105390dbf5ceb

    SHA512

    7eda8b5035bbe0aaa0e33b1c0eeafaee0f2a3d0b65954819adc5f3b052948d11575ea240c14037f44fa0aa6f2b029b00e6fb88d10aa63a3bed71d7703abb62f2

    Download Submit

  • memory/208-201-0x0000000000EF0000-0x0000000000F40000-memory.dmp

    Filesize

    320KB

    Download

  • memory/1576-286-0x0000000000760000-0x00000000007D4000-memory.dmp

    Filesize

    464KB

    Download

  • memory/1576-288-0x0000000005680000-0x0000000005C24000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/1576-290-0x00000000050A0000-0x00000000050AA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/1576-289-0x00000000050D0000-0x0000000005162000-memory.dmp

    Filesize

    584KB

    Download

  • memory/1624-281-0x0000000000400000-0x0000000000531000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1760-274-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-273-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-278-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-279-0x00007FFF0C9D0000-0x00007FFF0C9E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-252-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-271-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1760-272-0x00007FFF0EF50000-0x00007FFF0EF60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2188-71-0x00000000007B0000-0x0000000000996000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2188-70-0x00007FFF308D3000-0x00007FFF308D5000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2788-131-0x0000000000400000-0x00000000006A3000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2788-0-0x00000000009B0000-0x00000000009B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2804-336-0x0000000000400000-0x00000000006A3000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/2804-367-0x0000000000400000-0x00000000006A3000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3416-285-0x0000000000400000-0x0000000000531000-memory.dmp

    Filesize

    1.2MB

    Download