Analysis

  • max time kernel
    153s
  • max time network
    157s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 12:23

General

  • Target

    AntiPubs Dork Searcher EZ/Update.exe

  • Size

    893KB

  • MD5

    f0f73959988dd4d41de1445fb9075b6f

  • SHA1

    a39d5fe0e269c062c1b7c64be09db16508f6cc4b

  • SHA256

    f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85

  • SHA512

    bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c

  • SSDEEP

    12288:UMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V94vFUNDasQ:UnsJ39LyjbJkQFMhmC+6GD9AFOaP

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
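
The extracted config above lists three payloads (SUpdate.ini, Synaptics.rar, SSLLibrary.dll), each mirrored on Google Docs, Dropbox and the attacker's own xred.site50.net host, plus a freedns.afraid.org API lookup and the xred.mooo.com C2. Blocking the full URLs misses the point: on docs.google.com and www.dropbox.com the host is benign and only the document id or share path identifies the malware, while on the free-hosting domains the whole hostname is attacker-controlled. The following is an added example (not part of the sandbox report) that turns the config into those three indicator classes and runs them over proxy log lines; the log lines and their field layout are constructed for the demonstration.

```python
"""Turn the extracted xred config into matchable network indicators.

Added example, not part of the sandbox report. The C2 host and payload URLs
are copied from the report; the proxy log lines and their column layout
('<ts> <client_ip> <method> <url> <status>') are an assumption.
"""
from urllib.parse import urlparse, parse_qs

C2_HOSTS = {"xred.mooo.com"}

PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]


def extract_indicators(urls, c2_hosts):
    """Split the config URLs into three indicator classes.

    hosts  -- attacker-controlled hostnames; match on the host alone, any path
    paths  -- (host, path) pairs for shared hosting where only the share path
              identifies the malware (Dropbox)
    params -- (host, param, value) triples for services addressed by query
              string (Google Docs 'id', freedns 'sha')
    """
    hosts = set(c2_hosts)
    paths = set()
    params = set()
    for u in urls:
        p = urlparse(u)
        host = p.hostname.lower()
        if host.endswith((".site50.net", ".mooo.com")):
            # free hosting / dynamic DNS: the subdomain is attacker-chosen
            hosts.add(host)
        elif host == "www.dropbox.com":
            paths.add((host, p.path))
        else:
            for key, vals in parse_qs(p.query).items():
                if key in ("id", "sha"):
                    for v in vals:
                        params.add((host, key, v))
    return hosts, paths, params


def match_log_line(line, indicators):
    """Return the indicator a proxy log line hits, or None."""
    hosts, paths, params = indicators
    parts = line.split()
    if len(parts) < 4:
        return None
    p = urlparse(parts[3])
    host = (p.hostname or "").lower()
    if host in hosts:
        return ("host", host)
    if (host, p.path) in paths:
        return ("path", host, p.path)
    for key, vals in parse_qs(p.query).items():
        for v in vals:
            if (host, key, v) in params:
                return ("param", host, key, v)
    return None


SAMPLE_LOG = [  # constructed lines, not taken from the report
    "2024-12-22T12:24:01Z 10.0.0.5 GET http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978 200",
    "2024-12-22T12:24:02Z 10.0.0.5 GET https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1 200",
    "2024-12-22T12:24:03Z 10.0.0.5 GET http://xred.site50.net/anything/else.bin 404",
    "2024-12-22T12:24:04Z 10.0.0.7 GET https://www.dropbox.com/s/unrelated0000000/report.pdf?dl=1 200",
    "2024-12-22T12:24:05Z 10.0.0.7 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download 200",
]


def scan(lines, indicators=None):
    """Return [(client_ip, hit)] for every line that matches an indicator."""
    indicators = indicators or extract_indicators(PAYLOAD_URLS, C2_HOSTS)
    hits = []
    for line in lines:
        hit = match_log_line(line, indicators)
        if hit:
            hits.append((line.split()[1], hit))
    return hits


if __name__ == "__main__":
    for client, hit in scan(SAMPLE_LOG):
        print(client, hit)
```

Note that the unrelated Dropbox download from 10.0.0.7 does not fire while a request to any path on xred.site50.net does; that asymmetry is the reason for keeping the three classes separate rather than flattening the config into a plain URL blocklist.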

Signatures

  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 32 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe
    "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2076
    • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe
      "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2916
      • \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_update.exe 
        "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_update.exe "
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3016
      • C:\Windows\Resources\Themes\icsys.icn.exe
        C:\Windows\Resources\Themes\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2944
        • \??\c:\windows\resources\themes\explorer.exe
          c:\windows\resources\themes\explorer.exe
          4⤵
          • Modifies visibility of hidden/system files in Explorer
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1720
          • \??\c:\windows\resources\spoolsv.exe
            c:\windows\resources\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:784
            • \??\c:\windows\resources\svchost.exe
              c:\windows\resources\svchost.exe
              6⤵
              • Modifies visibility of hidden/system files in Explorer
              • Executes dropped EXE
              • Loads dropped DLL
              • Adds Run key to start application
              • Drops file in System32 directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:2860
              • \??\c:\windows\resources\spoolsv.exe
                c:\windows\resources\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • Loads dropped DLL
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2024
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:26 /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2068
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:27 /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:836
              • C:\Windows\SysWOW64\schtasks.exe
                schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:28 /f
                7⤵
                • System Location Discovery: System Language Discovery
                • Scheduled Task/Job: Scheduled Task
                PID:2108
          • C:\Windows\Explorer.exe
            C:\Windows\Explorer.exe
            5⤵
              PID:2312
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2828
        • C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2316
          • \??\c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe 
            "c:\users\admin\appdata\local\temp\antipubs dork searcher ez\._cache_synaptics.exe " InjUpdate
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:792
          • C:\Windows\Resources\Themes\icsys.icn.exe
            C:\Windows\Resources\Themes\icsys.icn.exe
            4⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:2080
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2700
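
The process tree shows the two behaviours worth turning into detections: copies of the sample named explorer.exe, spoolsv.exe and svchost.exe execute from C:\Windows\Resources and C:\Windows\Resources\Themes (names that blend into a process list, while the genuine C:\Windows\Explorer.exe, PID 2312, is also launched), and schtasks.exe is run three times to create a daily task called "svchost" whose action points at the dropped c:\windows\resources\svchost.exe. The following is an added example, not part of the sandbox report, that encodes both as rules and runs them over process-creation events built from the command lines above; the event field names (pid, image, cmdline) are an assumption rather than any vendor's schema, and the list of legitimate directories per system binary assumes a default install on drive C:.

```python
"""Detection rules for the xred process tree.

Added example, not part of the sandbox report. Event records are constructed
from the report's process tree (PIDs as shown there); the field names and the
per-binary list of legitimate directories are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Windows binaries the sample impersonates, with the only directories they
# legitimately run from on a default install (assumption: system drive C:).
SYSTEM_BINARIES = {
    "explorer.exe": {r"c:\windows"},
    "svchost.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "spoolsv.exe": {r"c:\windows\system32"},
}
TRUSTED_ACTION_ROOTS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\program files")

_TN = re.compile(r'/tn\s+"?([^"\s]+)"?', re.IGNORECASE)
_TR = re.compile(r'/tr\s+"([^"]+)"|/tr\s+(\S+)', re.IGNORECASE)


def normalize(path):
    """Lower-case and strip the NT object prefix (\\??\\) the report shows."""
    path = path.strip().lower()
    if path.startswith("\\??\\"):
        path = path[4:]
    return PureWindowsPath(path)


def masquerading_system_binary(image):
    """Return a reason string if a system binary name runs from the wrong directory."""
    p = normalize(image)
    allowed = SYSTEM_BINARIES.get(p.name)
    if allowed is None:
        return None
    parent = str(p.parent)
    if parent in allowed:
        return None
    return f"{p.name} running from {parent}"


def suspicious_schtasks(cmdline):
    """Flag schtasks /create whose task name borrows a system process name or
    whose action lies outside the trusted directories."""
    low = cmdline.lower()
    if "schtasks" not in low or "/create" not in low:
        return None
    tr = _TR.search(cmdline)
    if not tr:
        return None
    target = normalize(tr.group(1) or tr.group(2))
    tn = _TN.search(cmdline)
    reasons = []
    if tn and tn.group(1).lower() + ".exe" in SYSTEM_BINARIES:
        reasons.append(f"task name '{tn.group(1)}' mimics a system process")
    if not str(target).startswith(TRUSTED_ACTION_ROOTS):
        reasons.append(f"task action '{target}' is outside the trusted directories")
    return "; ".join(reasons) or None


EVENTS = [  # constructed from the report's process tree
    {"pid": 2076, "image": r"C:\Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\Update.exe", "cmdline": ""},
    {"pid": 1720, "image": r"\??\c:\windows\resources\themes\explorer.exe", "cmdline": r"c:\windows\resources\themes\explorer.exe"},
    {"pid": 784, "image": r"\??\c:\windows\resources\spoolsv.exe", "cmdline": r"c:\windows\resources\spoolsv.exe SE"},
    {"pid": 2860, "image": r"\??\c:\windows\resources\svchost.exe", "cmdline": r"c:\windows\resources\svchost.exe"},
    {"pid": 2068, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 12:26 /f'},
    {"pid": 2312, "image": r"C:\Windows\Explorer.exe", "cmdline": r"C:\Windows\Explorer.exe"},
]


def evaluate(events):
    """Return [(pid, rule, detail)] for every event that trips a rule."""
    alerts = []
    for e in events:
        detail = masquerading_system_binary(e["image"])
        if detail:
            alerts.append((e["pid"], "masquerading_system_binary", detail))
        detail = suspicious_schtasks(e["cmdline"])
        if detail:
            alerts.append((e["pid"], "suspicious_schtasks", detail))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(EVENTS):
        print(*alert)
```

Path- and name-based rules are the better bet for this family: in the Downloads list below the four 135KB components (explorer.exe, icsys.icn.exe, spoolsv.exe, svchost.exe) all carry different hashes despite the identical size, so a hash-only IoC set written from this run would cover the Synaptics.exe copy (byte-identical to the submitted sample) and little else.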

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe

      Filesize

      893KB

      MD5

      f0f73959988dd4d41de1445fb9075b6f

      SHA1

      a39d5fe0e269c062c1b7c64be09db16508f6cc4b

      SHA256

      f7c2e8367293c26805ea8f0efed61aba293a970eeab7883b7c40619499e4fc85

      SHA512

      bff75fa90f703faf4682061bdd609844d98d64b07b0109091f7c2983e4e1459a702e30a4ee06aa036c0e6bc7a508f39a0c6b95a2c27d25df343b4137deb0520c

    • C:\Users\Admin\AppData\Local\Temp\aREVWbOS.xlsm

      Filesize

      27KB

      MD5

      3023fa12641a0ce6589aa9829fb57213

      SHA1

      4f1177ae770be3fbbe29c10d5516b655ec581395

      SHA256

      6e4e0d1d79d2fff58319a9e12d9bb8fc2b0045d4c745d45d5289334ee5ee0900

      SHA512

      70cab686613638066651d5231641f9ce041061103326001577239629007e586fe1769e9f8bd3e45d60f21e775b33f300f0cfa7b117bc688b15d2cbb06b7d76e3

    • C:\Users\Admin\AppData\Local\Temp\aREVWbOS.xlsm

      Filesize

      28KB

      MD5

      a0e6bede8b904c54fc7614315b332cf2

      SHA1

      3d2457fb729c41ff1c4593efbd1de8c4a72bbded

      SHA256

      f318433222281039e938d575798f60550462ff8f30c34418e3eaba8a1b0a5615

      SHA512

      2ddf9c01c1289026f0c7f335e3a62576c33682019d1f17cc2b9ecfbd755052884e575418ae78e9dfdb390ab1b099f077574e8f78f1f0aa4c4f425f38c86e15c7

    • C:\Users\Admin\AppData\Local\Temp\aREVWbOS.xlsm

      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    • C:\Users\Admin\AppData\Local\Temp\aREVWbOS.xlsm

      Filesize

      29KB

      MD5

      3d3405c4f62123f7cf2ae657e4c594a4

      SHA1

      02dc3730a168be85f7afe2a99ef45af9ffb54aff

      SHA256

      c4433765e3f9e8d700750551a02c565f5bad4ec31425723da12f9d89eda0e840

      SHA512

      fa76f3b3a636e07f4366f5b737a750bc37abaf8742c103842fcb41e5c9045b74eb8ec251ddd515231bd104f386a26d8daa195b472a1e99e0986cea4a863ac766

    • C:\Windows\Resources\Themes\explorer.exe

      Filesize

      135KB

      MD5

      6fedcf3675911bf77cbf996196a36343

      SHA1

      7c8d83be693fe454475b8cd26b83e50498374113

      SHA256

      452b91c70791a0e09ebd3e2d834a2b7fef94de023d672b627419c6f980d8de7e

      SHA512

      14f37e4cd4f28ac31990e3de2957beac1ab74ad246b9d2c36ccf6b7419db00cc551e156e70691be3e57a20aaac3158b385d01b9722795c4c0f4c8c250eb7920b

    • \Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_Update.exe

      Filesize

      140KB

      MD5

      570ddad76b94dd6156587b6f98ce8f6d

      SHA1

      c4b4b2655cc181add7a1e90d840a6735ca4bbace

      SHA256

      324fd9c87d5311ad7ab72f6238afda44f7bd7532daaf2a3d639a4dea81d95c86

      SHA512

      be0be9826d2e6dcb0f3bcbe16ef624154f6357892d4c57d8d1f87508cb3d1b37966d1ceb679487305ea3236acdcd5871a6cda315a89510264850b0629e36aa0f

    • \Users\Admin\AppData\Local\Temp\AntiPubs Dork Searcher EZ\._cache_update.exe 

      Filesize

      5KB

      MD5

      e2032456744fd06c43c2097f8fcd1a1f

      SHA1

      df474bbbd27166ef9a935457c44130fa20fbda5d

      SHA256

      bf9ba9e515c43c1c7d394cbc528e2fa500d98c423df89958485f61d2bd7bb874

      SHA512

      e3520f05508bcd44d989b7e92102586235a1187afbea8e9d903244e5487679190fc83aaf831ded2b9e0da0803b3298c93ff1be0396bbe54e57b5c3a428c6d7ae

    • \Windows\Resources\Themes\icsys.icn.exe

      Filesize

      135KB

      MD5

      fe07e43d610bef7a346eef8f8c5b9a95

      SHA1

      f782e9115af0f9cd8f5d88179476614fd84e1a10

      SHA256

      83caed8278b264c26235d659bf80924ba0969a6209d984cf6a38ac66635af4d3

      SHA512

      2e1539602e62dc13a303f71760a4ed6a155daae438804d5bde7f6ff9aa67818e66ada7eea2fa1eff76144513695e91783f481f5fe7ef1c56dfe15251033c2f65

    • \Windows\Resources\spoolsv.exe

      Filesize

      135KB

      MD5

      acd359672ab8d7d68e69c443e8c92f10

      SHA1

      42fbdf002519ab91ad15b39b4a56eb9e2354e63c

      SHA256

      8ad2e3bcc2bb53bd33249d8edd5483a1b23cbb03e0967610bfb1337b80efa808

      SHA512

      b0c8e2a752945987c0bbc858cd6574e4e2cf64d17c90e4ff40421a75858db75a2d4aa09b6af323b80f027aeebf42d656e47ee649c756bf04f28a706cff300b03

    • \Windows\Resources\svchost.exe

      Filesize

      135KB

      MD5

      cfd682b7bff942e1e6874e0eefcb30f9

      SHA1

      8479183686a10ffcbc9378f122dd1b51885f176e

      SHA256

      82c860229b83325db3cc5511ab8856182f3c213cd7b18c5d5f7e4f1711346509

      SHA512

      69de5542da6af1d61dff2f9407b111b3992436b8355603814336aa4d8a043d9bd858f4cacf1bfdb445371b23bbbfdaffb6ce284942ab1020ded063c3fff06bd9

    • memory/784-135-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/792-137-0x0000000000E10000-0x0000000000E18000-memory.dmp

      Filesize

      32KB

    • memory/1720-214-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2024-136-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2076-56-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

    • memory/2076-5-0x0000000003BD0000-0x0000000003BEF000-memory.dmp

      Filesize

      124KB

    • memory/2076-57-0x0000000003BD0000-0x0000000003BEF000-memory.dmp

      Filesize

      124KB

    • memory/2080-127-0x0000000000020000-0x000000000003F000-memory.dmp

      Filesize

      124KB

    • memory/2080-134-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2080-128-0x0000000000020000-0x000000000003F000-memory.dmp

      Filesize

      124KB

    • memory/2316-138-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2316-122-0x00000000002A0000-0x00000000002BF000-memory.dmp

      Filesize

      124KB

    • memory/2700-205-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2700-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

    • memory/2828-243-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

    • memory/2828-66-0x0000000003A80000-0x0000000003A9F000-memory.dmp

      Filesize

      124KB

    • memory/2828-213-0x0000000003A80000-0x0000000003A9F000-memory.dmp

      Filesize

      124KB

    • memory/2828-207-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

    • memory/2828-206-0x0000000000400000-0x00000000004E5000-memory.dmp

      Filesize

      916KB

    • memory/2860-244-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2916-140-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2916-20-0x0000000000020000-0x000000000003F000-memory.dmp

      Filesize

      124KB

    • memory/2916-33-0x00000000003B0000-0x00000000003CF000-memory.dmp

      Filesize

      124KB

    • memory/2944-53-0x0000000000020000-0x000000000003F000-memory.dmp

      Filesize

      124KB

    • memory/2944-139-0x0000000000400000-0x000000000041F000-memory.dmp

      Filesize

      124KB

    • memory/2944-70-0x0000000000290000-0x00000000002AF000-memory.dmp

      Filesize

      124KB

    • memory/3016-88-0x0000000000F60000-0x0000000000F68000-memory.dmp

      Filesize

      32KB