Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22-12-2024 12:23

General

  • Target

    AntiPubs Dork Searcher EZ/Searcher.exe

  • Size

    7.7MB

  • MD5

    89b8241a6504c5f75684558cf8262c92

  • SHA1

    f2572052d0905be7c6df457564f7815419f4a225

  • SHA256

    2d1ce8a3c009c75c31057b02b0fabe91e479ce28d42ac146301e7b7a5944c9de

  • SHA512

    5a05c1d3eb88279329c0a93bd5473732be9d48a0d96527be70d6df04b53d3b386a1282f427e2485d8e1ea34815f38f5e74801b4dcbf6eaaa21c6519a0cecc34b

  • SSDEEP

    98304:Tnsmtk2aDyldpqU5s+h9oK4MtPSXDjLWdNo/v5LlCKly37gjA1tCJa8IRku6FmlC:rLKyldD5smuMQDfUi/vXgIa8IRkZI2N

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
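Detection logic for the network indicators listed above, added here as an example and not part of the sandbox report. The point it makes: xred.mooo.com and xred.site50.net can be alerted on by hostname alone, but docs.google.com, www.dropbox.com and freedns.afraid.org are shared services, so those entries must be matched on the full normalized URL or the rule will fire on every Dropbox download in the estate. The indicator values are copied from the Malware Config section; the log line format and the log lines themselves are constructed.

```python
"""Match proxy/DNS log lines against the network indicators in the report above.

Added example (not part of the sandbox report). Indicator values are copied
from the Malware Config section; the log format and log lines are constructed.
"""
from __future__ import annotations

import re
from urllib.parse import urlsplit

# Hosts only this family is expected to contact: alert on the hostname alone.
C2_HOSTS = {"xred.mooo.com", "xred.site50.net"}

# Payload URLs from the config. docs.google.com, www.dropbox.com and
# freedns.afraid.org are shared services, so these are matched on the full
# normalized URL rather than on the host.
PAYLOAD_URLS = {
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
}


def normalize_url(url: str) -> str:
    """Lower-case scheme and host, drop port/userinfo, keep path and query verbatim."""
    p = urlsplit(url.strip())
    host = (p.hostname or "").rstrip(".")
    query = f"?{p.query}" if p.query else ""
    return f"{p.scheme.lower()}://{host}{p.path}{query}"


NORMALIZED_PAYLOAD_URLS = {normalize_url(u) for u in PAYLOAD_URLS}

# Constructed log format: "<timestamp> <client-ip> <DNS|HTTP-method> <name-or-url> ..."
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<op>\S+)\s+(?P<target>\S+)")


def classify(line: str) -> tuple[str, str] | None:
    """Return (indicator_type, matched_value), or None for a line that hits nothing."""
    m = LOG_RE.match(line)
    if not m:
        return None
    op, target = m["op"].upper(), m["target"]
    if op == "DNS":
        name = target.lower().rstrip(".")
        return ("c2-host", name) if name in C2_HOSTS else None
    url = normalize_url(target)
    host = urlsplit(url).hostname or ""
    if host in C2_HOSTS:
        return ("c2-host", host)
    if url in NORMALIZED_PAYLOAD_URLS:
        return ("payload-url", url)
    return None


def scan(lines) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, client, indicator_type, value) for every matching line."""
    hits = []
    for line in lines:
        verdict = classify(line)
        if verdict:
            m = LOG_RE.match(line)
            hits.append((m["ts"], m["client"], *verdict))
    return hits


# Constructed sample: 10.0.0.5 plays the infected client, the other hosts are benign.
SAMPLE_LOG = """\
2024-12-22T12:23:58Z 10.0.0.5 DNS xred.mooo.com
2024-12-22T12:23:59Z 10.0.0.5 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
2024-12-22T12:24:01Z 10.0.0.5 GET https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
2024-12-22T12:24:02Z 10.0.0.7 GET https://www.dropbox.com/s/notthisone/holiday-photos.zip?dl=1
2024-12-22T12:24:03Z 10.0.0.5 GET http://XRED.site50.net/syn/Synaptics.rar
2024-12-22T12:24:04Z 10.0.0.9 DNS docs.google.com
"""

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(*hit)
```

Running the block over the constructed sample flags only the four lines from 10.0.0.5; the unrelated Dropbox download and the bare docs.google.com lookup are left alone because they match neither a C2 host nor a full payload URL.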

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 26 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Searcher.exe
    "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Searcher.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4228
    • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Searcher.exe
      "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Searcher.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3808
      • \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_searcher.exe 
        "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_searcher.exe "
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2260
      • C:\Windows\Resources\Themes\icsys.icn.exe
        C:\Windows\Resources\Themes\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3772
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:856
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2376
            • \??\c:\windows\resources\svchost.exe
              c:\windows\resources\svchost.exe
              6⤵
              • Modifies visibility of hidden/system files in Explorer
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3880
              • \??\c:\windows\resources\spoolsv.exe
                c:\windows\resources\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:3764
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2872
        • \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe 
          "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe " InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2160
        • C:\Windows\Resources\Themes\icsys.icn.exe
          C:\Windows\Resources\Themes\icsys.icn.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2956
          • \??\c:\windows\resources\themes\explorer.exe
            c:\windows\resources\themes\explorer.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2360
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3768

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    7.7MB

    MD5

    89b8241a6504c5f75684558cf8262c92

    SHA1

    f2572052d0905be7c6df457564f7815419f4a225

    SHA256

    2d1ce8a3c009c75c31057b02b0fabe91e479ce28d42ac146301e7b7a5944c9de

    SHA512

    5a05c1d3eb88279329c0a93bd5473732be9d48a0d96527be70d6df04b53d3b386a1282f427e2485d8e1ea34815f38f5e74801b4dcbf6eaaa21c6519a0cecc34b

  • C:\Users\Admin\AppData\Local\Temp\09975E00

    Filesize

    23KB

    MD5

    bdcd3acc065755e008ffe1f5e6b812b2

    SHA1

    3ee4a4f12d0849318f769d50c8d7055019c599bb

    SHA256

    42410bd8a3196420ac4f8aa517c33515046656e4825861fdafbc5ede50fee367

    SHA512

    19c2f77a3ce43838e397d8877e2fe4f1697b87965ba5804d4c1c4d8f2f8495acae5a0600dc8fb4f9fc2de0ae0abb8c789d37c59529ee6d4d9df33eed12616666

  • C:\Users\Admin\AppData\Local\Temp\8SOGfvvb.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Searcher.exe

    Filesize

    7.0MB

    MD5

    15eb4b61e2e64ac84925535dc5ffe8de

    SHA1

    b95491efa58261ca585878238fa24d98fae41287

    SHA256

    3b28aaf3dd8ea9623ab80e4f567e65b8bb5db686b129f27f6d9bc0907f2ed289

    SHA512

    489751c78f8aded9a4b77eada0cccedab4d0faf50443607e17d81f65856ff77ad2842cb2ba5002e377c48fff441d86d38f74273367353fc2572a80ff980c14b5

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    bb38812e659c3d728f409ba8206da43e

    SHA1

    231777c045c807c20eb964c5a8714e1de9e4302b

    SHA256

    9eee738a0be74282659e61da2764f358cd5db063019bab247d513b5b63af748f

    SHA512

    91854244be2838e0efa5f3566ce3a4518484ab71fff5f06b86ef0b1309cb9e8dc988d63b0d35e54a6c7515b0c1cea9b95bbdfd469415459a46c58e96ed42a2fc

  • \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_searcher.exe 

    Filesize

    6.8MB

    MD5

    d4b43b2ce490d8786ccde6debcad2251

    SHA1

    e88d0c6b5c336ee7c03e145532a6ce44db28af90

    SHA256

    3aad4931bc76e1d654e5fe3fc6a1a10277b0d66190a8547782a3d7fa117ccc27

    SHA512

    8bff940911e750f06c76c724b92de0753f4089d92f95e5d3d3659de3869a91908c6de25e480a0101d8149fcc881b71f585c39a2e9206393bb89f1f5e43bdda46

  • \??\c:\windows\resources\spoolsv.exe

    Filesize

    135KB

    MD5

    af014d16e34af7f302232f13d0c2b534

    SHA1

    8ba1390688670150a391c7892a157257aa7b054d

    SHA256

    8984498291e3135313b6ce89c01edb4c6717adab0b2391c29279b4a86fc23ad2

    SHA512

    1d8eb2ac6814e4b80ae6f71e07f77d77755019297b7ebd0d3b29a3a32b9f855e24c7c9c033414534bb2ca2a385dd86994eab10c49225121c5c9a636fa5f66fbe

  • \??\c:\windows\resources\svchost.exe

    Filesize

    135KB

    MD5

    f96267254ec37b90dd7e09426ef906d8

    SHA1

    76ffdfa7a87c5f9b9a99596bdd72694f94d38c5c

    SHA256

    a375095db88ab000ddb43901abd56d4027b8a3b40021df32523f87535abbb720

    SHA512

    52845f27a431a7287ff6732c53c15b47be06207310240d36c0e1f7c0bb543d9a212154ac4c479e591b49328704a53733f00c711c6c5f4268a34615716b0bcbfe

  • \??\c:\windows\resources\themes\explorer.exe

    Filesize

    135KB

    MD5

    99584567aa503d0ea882aa77df98ab45

    SHA1

    ed43e2ce88867cd076787c84d0937132a7f3e666

    SHA256

    eb8cfcc9ba03704e2250036ea53e54010e06179064994c68f3f69eeff9315862

    SHA512

    474b3783323ca502cc2f46027e9f51516e7b4686a6a6467de303bd642be1bf7a6585260dccbb12a807819e647901e341734c0ea71e88bf830cbd6f915722eb28

  • memory/856-173-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/856-300-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/964-80-0x0000000000E80000-0x0000000000E81000-memory.dmp

    Filesize

    4KB

  • memory/964-267-0x0000000000E80000-0x0000000000E81000-memory.dmp

    Filesize

    4KB

  • memory/964-268-0x0000000000400000-0x0000000000BB8000-memory.dmp

    Filesize

    7.7MB

  • memory/964-279-0x0000000000400000-0x0000000000BB8000-memory.dmp

    Filesize

    7.7MB

  • memory/964-301-0x0000000000400000-0x0000000000BB8000-memory.dmp

    Filesize

    7.7MB

  • memory/2260-202-0x0000000006C70000-0x0000000006C86000-memory.dmp

    Filesize

    88KB

  • memory/2260-145-0x0000000005350000-0x0000000005356000-memory.dmp

    Filesize

    24KB

  • memory/2260-132-0x0000000000330000-0x0000000000A08000-memory.dmp

    Filesize

    6.8MB

  • memory/2260-133-0x0000000005990000-0x0000000005F34000-memory.dmp

    Filesize

    5.6MB

  • memory/2260-206-0x0000000006C60000-0x0000000006C66000-memory.dmp

    Filesize

    24KB

  • memory/2260-158-0x0000000005F50000-0x0000000005F5A000-memory.dmp

    Filesize

    40KB

  • memory/2260-134-0x00000000053E0000-0x0000000005472000-memory.dmp

    Filesize

    584KB

  • memory/2260-135-0x0000000005360000-0x0000000005374000-memory.dmp

    Filesize

    80KB

  • memory/2260-214-0x000000000BC00000-0x000000000BC66000-memory.dmp

    Filesize

    408KB

  • memory/2260-148-0x0000000005970000-0x0000000005990000-memory.dmp

    Filesize

    128KB

  • memory/2360-219-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2376-189-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2376-203-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2872-221-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/2956-220-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3764-201-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3768-155-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

    Filesize

    64KB

  • memory/3768-156-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

    Filesize

    64KB

  • memory/3768-153-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

    Filesize

    64KB

  • memory/3768-157-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

    Filesize

    64KB

  • memory/3768-154-0x00007FFD9ADD0000-0x00007FFD9ADE0000-memory.dmp

    Filesize

    64KB

  • memory/3768-166-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

  • memory/3768-159-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

  • memory/3772-204-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3808-205-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3808-4-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/3880-302-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/4228-0-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

    Filesize

    4KB

  • memory/4228-77-0x0000000000400000-0x0000000000BB8000-memory.dmp

    Filesize

    7.7MB

  • memory/4228-2-0x0000000002C80000-0x0000000002C9F000-memory.dmp

    Filesize

    124KB

  • memory/4228-1-0x0000000002C80000-0x0000000002C9F000-memory.dmp

    Filesize

    124KB