Overview

overview

10

Static

static

10

New PO - S...R2.exe

windows7-x64

10

New PO - S...R2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 17:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    New PO - Supplier 0202AW-PER2.exe

  • Size

    1.6MB

  • MD5

    17fb4f9df5175e684a3427c5997b2007

  • SHA1

    c7b207497e0171fbb8fca648d82753abbf42b0b8

  • SHA256

    8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3

  • SHA512

    ed454b9588ab5209a926395c03b7e1ee35231bb77f66895187ebe86a3e94fc3568a247983946021887def3e4f396705142134abfdeb857b9e040dd863fe6d51d

  • SSDEEP

    49152:gnsHyjtk2MYC5GDGfhloJfKoKqh1X+T9f8z:gnsmtk2aNfhlHoKqzX+Sz

Score
10/10
xredbackdoordiscoverypersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 19 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 22 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\New PO - Supplier 0202AW-PER2.exe
    "C:\Users\Admin\AppData\Local\Temp\New PO - Supplier 0202AW-PER2.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Users\Admin\AppData\Local\Temp\._cache_New PO - Supplier 0202AW-PER2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_New PO - Supplier 0202AW-PER2.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2356
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn QHCPYO.exe /tr C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1364
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn QHCPYO.exe /tr C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe /sc minute /mo 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:3696
      • C:\Windows\SysWOW64\WSCript.exe
        WSCript C:\Users\Admin\AppData\Local\Temp\QHCPYO.vbs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3756
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3572
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3948
  • C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
    C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3232
  • C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
    C:\Users\Admin\AppData\Roaming\Windata\NUHORT.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4076

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    1.6MB

    MD5

    17fb4f9df5175e684a3427c5997b2007

    SHA1

    c7b207497e0171fbb8fca648d82753abbf42b0b8

    SHA256

    8f66247597f18a7b3f20dbdf2d29330f716222bd500a7a95642137e84fa3b3d3

    SHA512

    ed454b9588ab5209a926395c03b7e1ee35231bb77f66895187ebe86a3e94fc3568a247983946021887def3e4f396705142134abfdeb857b9e040dd863fe6d51d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_New PO - Supplier 0202AW-PER2.exe
    Filesize

    892KB

    MD5

    7e05f5f77f8a0f63634cd734ae52ce55

    SHA1

    be8784d03a832aaddfdcd53a0d337fbfbf100ee6

    SHA256

    0b9a5d51c56644ecd7a0b0b9f31533da83d1d16d6fd2db55bbcda7b095ca8fdb

    SHA512

    29616b472141370252c58c827d733864a119fe87590aa3f2e41ac61cad18bc717de9afcadebfc4bfc0171ee54bc8126efcedd119aea67e260795d187f4bc2c87

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\QHCPYO.vbs
    Filesize

    894B

    MD5

    c4e87d0988f7420e655b18a1faee4a0f

    SHA1

    2cd918793e7414fa3a60d737f0a8877b7400b8a7

    SHA256

    a15fef663e952f30372d8768414226b24fb71eddae1e170741800d54e9cb57ca

    SHA512

    5aa7436cd32e0997ab8266985bfc487b37c9203e563995df5fe1379dfeace2d97f3d1ea0b23ea04ecab08a6f74a89ee1065c1d6fb783bf622a5ec5fb50f9b3b3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\z4VgHHeE.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • memory/2356-266-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-240-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-278-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-276-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-280-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-272-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-270-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-268-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-233-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-231-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-262-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-229-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-70-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-220-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-227-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2356-222-0x0000000000540000-0x000000000072E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2564-223-0x0000000000400000-0x00000000005A1000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2564-221-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2564-228-0x0000000000400000-0x00000000005A1000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2564-130-0x0000000000760000-0x0000000000761000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2564-263-0x0000000000400000-0x00000000005A1000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/3232-238-0x0000000000BD0000-0x0000000000DBE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3232-236-0x0000000000BD0000-0x0000000000DBE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3572-192-0x0000000000F50000-0x000000000113E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3572-194-0x0000000000F50000-0x000000000113E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/3948-201-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-204-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-203-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-205-0x00007FFC3D8E0000-0x00007FFC3D8F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-202-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-200-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3948-206-0x00007FFC3D8E0000-0x00007FFC3D8F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4076-275-0x0000000000BD0000-0x0000000000DBE000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4808-0-0x0000000002340000-0x0000000002341000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4808-129-0x0000000000400000-0x00000000005A1000-memory.dmp

    Filesize

    1.6MB

    Download