Overview

overview

10

Static

static

10

1780b674a9...cN.exe

windows7-x64

10

1780b674a9...cN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    112s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 01:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe

  • Size

    829KB

  • MD5

    e60d708e062dfc68d4110ad676a056d0

  • SHA1

    e7116b561ebe31a1acecaddb49825b5385168aa3

  • SHA256

    1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc

  • SHA512

    2bbefe5455815ac3b6776182437694e981d627d2addd46b3ac4b10ecbb37fcf2aa2261c5d7cb3be6756c7b17f134651ca9ee27595fd05ecbb1e5d00cf3cab167

  • SSDEEP

    12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9px4DyNL:pnsJ39LyjbJkQFMhmC+6GD91x

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
    "C:\Users\Admin\AppData\Local\Temp\1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:544
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2084
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1512
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:3860

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    829KB

    MD5

    e60d708e062dfc68d4110ad676a056d0

    SHA1

    e7116b561ebe31a1acecaddb49825b5385168aa3

    SHA256

    1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc

    SHA512

    2bbefe5455815ac3b6776182437694e981d627d2addd46b3ac4b10ecbb37fcf2aa2261c5d7cb3be6756c7b17f134651ca9ee27595fd05ecbb1e5d00cf3cab167

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
    Filesize

    75KB

    MD5

    2f9366f62dcd6e73dc3520c65bbf95da

    SHA1

    792d846d45dee9d2f732b242c6f5c843fb27cb17

    SHA256

    bd848b8d9ab1a6dafea89c0fb7647dd68a8356634e378fc2bdf46f44e05f699f

    SHA512

    ee0ac811acbc031bd05442cf21eec537788e46763d6e8380f4a6b56abc6e6cd22868755d2b8bda3a1ed55545de1ecfa83e1ad2e66a13a30e314e5144ae8a257e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\z3sOGQio.xlsm
    Filesize

    17KB

    MD5

    8f3c7fbc1e051b36696dbd67e8ed4249

    SHA1

    b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

    SHA256

    8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

    SHA512

    4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

    Download Submit

  • memory/1968-74-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/1968-0-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-75-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-125-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/2084-126-0x0000000000680000-0x0000000000681000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2084-157-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/3860-110-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3860-111-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3860-112-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3860-113-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3860-114-0x00007FFA251F0000-0x00007FFA25200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3860-115-0x00007FFA251F0000-0x00007FFA25200000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3860-109-0x00007FFA27450000-0x00007FFA27460000-memory.dmp

    Filesize

    64KB

    Download