Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    23-12-2024 03:46

General

  • Target

    db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe

  • Size

    1.8MB

  • MD5

    61ef5a84476d103a712bd15f1e234b59

  • SHA1

    283a10bfbeb188c581038f81de38f292c5f888d5

  • SHA256

    db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c

  • SHA512

    ac489b4b4db5f24b7150da552da52257b39437a9be1b357cf0fdcb691f53d4473bad830bae01f481fa1a5c55615d7ece2c42157e959c12b2b28646e8fe9f0279

  • SSDEEP

    49152:JnsHyjtk2MYC5GDh8iYglRRbCbtiYglRHiYglR1/4mHkl:Jnsmtk2aZiYMXbCbtiYMBiYMH/4Gs

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
    "C:\Users\Admin\AppData\Local\Temp\db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2172
    • C:\Users\Admin\AppData\Local\Temp\._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1132
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2788
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2848
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:700

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.8MB

    MD5

    61ef5a84476d103a712bd15f1e234b59

    SHA1

    283a10bfbeb188c581038f81de38f292c5f888d5

    SHA256

    db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c

    SHA512

    ac489b4b4db5f24b7150da552da52257b39437a9be1b357cf0fdcb691f53d4473bad830bae01f481fa1a5c55615d7ece2c42157e959c12b2b28646e8fe9f0279

  • C:\Users\Admin\AppData\Local\Temp\._cache_db45046c3621a6977cf9b5597544048c258e55dadb9d01b9276328e695f7240c.exe

    Filesize

    1.1MB

    MD5

    d476151065d4ce41bc90647f63b7ad9f

    SHA1

    d3af36d23aca4aac11560e27b463977049f8bf4b

    SHA256

    83f59c81a61f4171347e55c8726a00fd1271ddeea9160d36b9f1425ef903b2fc

    SHA512

    74015e4a18de26319a05a4e1b74ce6f7a99aff209dce45e9768ca162aa65636a19dd49180a23dc94ca62990b854b8d81bc9256c6ca3f9cc4bfc6121285a6d608

  • C:\Users\Admin\AppData\Local\Temp\C6z9nUdZ.xlsm

    Filesize

    23KB

    MD5

    8f282ac5f5748257d40951b58760e0ce

    SHA1

    26a0fe7d4877577f7ae7f05f1b50df8b71e65307

    SHA256

    fbcaf2690ac148e92f01756a625ec85a4db1c58467b472ceb7481f633e899744

    SHA512

    97d4aec3732e69a4e9ab8f3cebe4156afcdb63866455b7669ba2e020ab011256e7bced7b026a7c78f3767524fda82e55e971316e41d823b3e3c3ca6051fe2bd4

  • C:\Users\Admin\AppData\Local\Temp\C6z9nUdZ.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • memory/700-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/700-81-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/1132-18-0x0000000073CC1000-0x0000000073CC2000-memory.dmp

    Filesize

    4KB

  • memory/1132-31-0x0000000073CC0000-0x000000007426B000-memory.dmp

    Filesize

    5.7MB

  • memory/1132-27-0x0000000073CC0000-0x000000007426B000-memory.dmp

    Filesize

    5.7MB

  • memory/1132-82-0x0000000073CC0000-0x000000007426B000-memory.dmp

    Filesize

    5.7MB

  • memory/2172-26-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize

    1.8MB

  • memory/2172-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2788-83-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize

    1.8MB

  • memory/2788-118-0x0000000000400000-0x00000000005D3000-memory.dmp

    Filesize

    1.8MB