Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    25-12-2024 20:40

General

  • Target

    0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cN.exe

  • Size

    1.2MB

  • MD5

    635b87245cb5ab0b4a6bf4bae99cefd0

  • SHA1

    dffe11f4febd037201eb7bc182e65d7fc1606236

  • SHA256

    0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3c

  • SHA512

    d46aea739f50ba28378c6cf201b834bfa336c0260b7fc116c9b97d4b84efb0a968975a393e9843b2f359244d0ff266e485e7fb18f4eb99f7240ec6b4cb065de3

  • SSDEEP

    24576:e5xolYQY64nsJ39LyjbJkQFMhmC+6GD9VLMWMa/k9wxa:pYNnsHyjtk2MYC5GDf7Iw4

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

    Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 18 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cN.exe
    "C:\Users\Admin\AppData\Local\Temp\0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cN.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • \??\c:\users\admin\appdata\local\temp\0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cn.exe 
      c:\users\admin\appdata\local\temp\0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cn.exe 
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4420
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:536
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 220
            5⤵
            • Program crash
            PID:3044
    • C:\Users\Admin\AppData\Local\icsys.icn.exe
      C:\Users\Admin\AppData\Local\icsys.icn.exe
      2⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2580
      • \??\c:\windows\system\explorer.exe
        c:\windows\system\explorer.exe
        3⤵
        • Modifies WinLogon for persistence
        • Modifies visibility of hidden/system files in Explorer
        • Boot or Logon Autostart Execution: Active Setup
        • Executes dropped EXE
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4760
        • \??\c:\windows\system\spoolsv.exe
          c:\windows\system\spoolsv.exe SE
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3936
          • \??\c:\windows\system\svchost.exe
            c:\windows\system\svchost.exe
            5⤵
            • Modifies WinLogon for persistence
            • Modifies visibility of hidden/system files in Explorer
            • Boot or Logon Autostart Execution: Active Setup
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1132
            • \??\c:\windows\system\spoolsv.exe
              c:\windows\system\spoolsv.exe PR
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              PID:2884
            • C:\Windows\SysWOW64\at.exe
              at 20:42 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:3964
            • C:\Windows\SysWOW64\at.exe
              at 20:43 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
              6⤵
              • System Location Discovery: System Language Discovery
              PID:1792
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2588
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 536 -ip 536
    1⤵
    PID:3684

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

      Filesize

      219KB

      MD5

      95af1aeca693bd2553270882f851d566

      SHA1

      ecfaf37db3ba81298aec2d884284449854d034eb

      SHA256

      e5d72e127690fa86999f1c9c6818264eaabed7624edce401e56777a36a029c7a

      SHA512

      7cba044fe666979cd43c393ec04ef32ec416540a209a8442b845264c0801df260a29c2fcd7e1fc3de93e166e59197f7896ab77abec0595c09c4753bed9a65732

    • C:\Users\Admin\AppData\Local\Temp\0386f907a997e0d2f1b768facff9ef0ef70e917395a7c9f9972232a786903e3cn.exe 

      Filesize

      973KB

      MD5

      790032dd55b94919099af8b97670ac24

      SHA1

      404d441c2dc47edcaff0e29a24604d19d1ca009e

      SHA256

      27940e2d339bad9c92aa9a65fdf88ee142514758e4b951a8ae8f522069ae370c

      SHA512

      c582db5e9d43aacd60a999db79e931c4e09d200f78ab7ffe2fc704a8ec0ecce745f2c3ae0956c50070b1630e74739aa5f5bec933ab7cb1c815b64ab2208444b3

    • C:\Users\Admin\AppData\Local\Temp\LqGZliZj.xlsm

      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    • C:\Users\Admin\AppData\Local\icsys.icn.exe

      Filesize

      206KB

      MD5

      d6109007ddad132db4d6cbaa6c600cc6

      SHA1

      5ae8216d060b5687d1e45284a656471601164bee

      SHA256

      5b4a5172c0d199d6c1c557781ddfdad618f8847d6312c8941e5cb4b502dee76c

      SHA512

      139f4a179025a47787abb9604ce70496ebab2715c527900b05a96dc0d881d6887bea893f9a38a2b7f17a5b364fa0594623390995865a5b34b16f42be80e5cf92

    • C:\Users\Admin\AppData\Roaming\mrsys.exe

      Filesize

      207KB

      MD5

      67155d8c1696fad746c8aa7d063981cf

      SHA1

      1dd5be4c44267e65d6b5891e346a77d61e55f460

      SHA256

      e942b75123e362c89ee0f9be1cd7cfaffc118be6a3d8acbb02d233d4dc68b39b

      SHA512

      55f6e01587d5682e24e371aff8ad5c87bf430aca13c86d4c0623d65b3def470bf74633f4028b8410457adec060f927788d3ef973f03bc2e64bdfb864418e9c5f

    • C:\Windows\System\spoolsv.exe

      Filesize

      207KB

      MD5

      53aae9071fefd940c6608c7edc6a56c5

      SHA1

      7f21cb6822cb6ded13255893d8da994f4c0aa7c0

      SHA256

      349595b72ec5821648488b98922c80b92a69c9b14c5b46a12c41e41267e44b8f

      SHA512

      68269dd50d7b184a82e959788ce8a100df04aeeda712d826acafb722792ae658632212969f32530702d2fa3348760050008c73a160d8a23917570f5674338ff7

    • \??\c:\windows\system\explorer.exe

      Filesize

      206KB

      MD5

      4a53d09e4de4fb16bfca00c0d30d1ef9

      SHA1

      4f6b23e40690ee054ff883923249511ebdc5b68f

      SHA256

      73c7dca72f880e34983d1923611befde8b491aac3fc048451d02c16c94c131f5

      SHA512

      922c84d4136ef2eba19725010d0b57bd6bc08b72bd71ce6c3c4e24ddb2df036128969fe64e7ad27b579dbff00cdabb67936eff2bad8c74783760444fcda295bf

    • \??\c:\windows\system\svchost.exe

      Filesize

      206KB

      MD5

      22cbff3697079649fd2441592ed56532

      SHA1

      ca8be53efaceba8abb6df5b6f3a3a9b64094c4e3

      SHA256

      e3ae43d6a957cc1d01e8e3a50d4846716d7620d22cf2d70e97e418436f3ee1bd

      SHA512

      eec3cdd13361888e9cf6a2ecb6d908eca798d0087973fc26f7362beddcee96dff603b1fd3fef6ee59866c2492c9e95ba40e7f278a2dc353a000c5f2f2dbf753e

    • memory/464-212-0x0000000000400000-0x00000000004F9000-memory.dmp

      Filesize

      996KB

    • memory/464-175-0x0000000000400000-0x00000000004F9000-memory.dmp

      Filesize

      996KB

    • memory/536-176-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/536-153-0x0000000000400000-0x000000000048A000-memory.dmp

      Filesize

      552KB

    • memory/1132-215-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1996-104-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/1996-0-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2580-103-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/2588-159-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/2588-156-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/2588-155-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/2588-160-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

      Filesize

      64KB

    • memory/2588-157-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/2588-161-0x00007FFF52050000-0x00007FFF52060000-memory.dmp

      Filesize

      64KB

    • memory/2588-158-0x00007FFF540B0000-0x00007FFF540C0000-memory.dmp

      Filesize

      64KB

    • memory/2884-58-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/3936-100-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

    • memory/4420-120-0x0000000000400000-0x00000000004F9000-memory.dmp

      Filesize

      996KB

    • memory/4420-9-0x0000000002290000-0x0000000002291000-memory.dmp

      Filesize

      4KB

    • memory/4760-214-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB