Analysis

  • max time kernel
    120s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
  • submitted
    26-12-2024 01:54

General

  • Target

    2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe

  • Size

    1.5MB

  • MD5

    541530d085f95820042277daebb1f623

  • SHA1

    31d4b8fc956c9436c114e53524b0d80e8e5dfd4c

  • SHA256

    2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f

  • SHA512

    305724ce531d1b6b4cf8739a10d32551334e1a1e712790839c9a81d51cc5496e1f76cd28d9a680bcc251a795739c5f1a3471e2583005af53925fb47c0c77dbd7

  • SSDEEP

    24576:ansJ39LyjbJkQFMhmC+6GD9u5xolYQY6dp7gAVKzarL:ansHyjtk2MYC5GDjYmp7gAVKS

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely a geofence.

  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs
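
The signature list above names four host artefacts worth checking on any machine suspected of running this sample: an Active Setup StubPath, the Winlogon Shell/Userinit values, Run keys, and Explorer's hidden/system file settings. The script below is an added example of such a check, not part of the Triage report and not the sample's own code. The report says these locations are modified but does not print the values written, so the registry snapshot in the script is constructed for illustration (the GUID and the Run value name are placeholders); the trusted-directory list and rule names are the author's assumptions.

```python
"""Check a registry snapshot for the persistence and evasion artefacts the
signature list names: Active Setup StubPath entries, Winlogon Shell/Userinit,
Run keys, and Explorer's hidden/system file settings.

The snapshot is CONSTRUCTED for this example: the report says these
locations are modified but does not print the values written, so the
values here only illustrate the checks. On a live host you would build the
same dict from `reg.exe export` output or the winreg module.
"""

# Values Windows ships with; anything else in these Winlogon entries
# is a candidate for logon-time persistence.
WINLOGON_DEFAULTS = {
    "Shell": "explorer.exe",
    "Userinit": "c:\\windows\\system32\\userinit.exe,",
}

# Directories a legitimate autostart command normally lives in (assumption).
# c:\windows\system (no "32") is deliberately absent: it is a legacy
# directory, and the sample drops its explorer/spoolsv/svchost copies there.
TRUSTED_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\windows\\syswow64\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Constructed snapshot: key path -> {value name: data}. The GUID and the
# Run value name are placeholders, not values taken from the sample.
SNAPSHOT = {
    "HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{11111111-2222-3333-4444-555555555555}": {
        "StubPath": "c:\\windows\\system\\svchost.exe",
    },
    "HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon": {
        "Shell": "explorer.exe,c:\\windows\\system\\explorer.exe",
        "Userinit": "C:\\Windows\\system32\\userinit.exe,",
    },
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run": {
        "Synaptics": "C:\\ProgramData\\Synaptics\\Synaptics.exe InjUpdate",
        "OneDrive": "\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background",
    },
    "HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced": {
        "Hidden": 2,
        "ShowSuperHidden": 0,
    },
}


def executable_of(command):
    """Return the lower-cased executable path at the start of a command line."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end].lower() if end > 0 else command[1:].lower()
    return command.split(" ")[0].lower()


def untrusted(command):
    """True when the command's executable is outside the trusted directories."""
    return not executable_of(command).startswith(TRUSTED_PREFIXES)


def check_snapshot(snapshot):
    """Return a list of (rule, key, detail) findings for the snapshot."""
    findings = []
    for key, values in snapshot.items():
        k = key.lower()
        if "\\active setup\\installed components\\" in k:
            stub = values.get("StubPath", "")
            if stub and untrusted(stub):
                findings.append(("active_setup_stub_untrusted_dir", key, stub))
        elif k.endswith("\\windows nt\\currentversion\\winlogon"):
            for name, default in WINLOGON_DEFAULTS.items():
                if name in values and values[name].lower() != default:
                    findings.append(("winlogon_%s_modified" % name.lower(), key, values[name]))
        elif k.endswith("\\currentversion\\run"):
            for name, command in values.items():
                if untrusted(command):
                    findings.append(("run_key_untrusted_dir", key, "%s = %s" % (name, command)))
        elif k.endswith("\\explorer\\advanced"):
            # Informational only: Hidden=2 / ShowSuperHidden=0 are also the
            # Windows defaults, so this is a signal only when a registry
            # write event shows a non-Explorer process setting them.
            if values.get("Hidden") == 2 or values.get("ShowSuperHidden") == 0:
                findings.append(("explorer_hidden_files_suppressed", key, str(values)))
    return findings


if __name__ == "__main__":
    for rule, key, detail in check_snapshot(SNAPSHOT):
        print(rule, key, detail, sep="\n    ")
```

The Winlogon and Active Setup checks compare against defaults, so they are reliable on their own; the Run-key check depends on the trusted-directory list and should be tuned per estate; the Explorer check is deliberately marked informational because the flagged values are also the defaults, and the real signal is the process that wrote them.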

Processes

  • C:\Users\Admin\AppData\Local\Temp\2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
    "C:\Users\Admin\AppData\Local\Temp\2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1556
    • C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4216
      • \??\c:\users\admin\appdata\local\temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe 
        c:\users\admin\appdata\local\temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe 
        3⤵
        • Executes dropped EXE
        PID:5080
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4896
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4116
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4624
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3844
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:556
              • C:\Windows\SysWOW64\at.exe
                at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:2668
              • C:\Windows\SysWOW64\at.exe
                at 01:57 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4680
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4200
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2388
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          PID:3412
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          C:\Users\Admin\AppData\Local\icsys.icn.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3036
          • \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:1316
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4816
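
The process tree above carries three behaviours that are easy to detect in process-creation telemetry without any family-specific knowledge: copies of explorer.exe, spoolsv.exe and svchost.exe running from c:\windows\system instead of their real directories, a "._cache_" stub executed next to the original, and the legacy at.exe scheduler invoked with /interactive and /every. The script below is an added example of those detections, not Triage code and not the sample's own code. The event records are constructed from the tree above in a Sysmon Event ID 1 style layout, with SHA256 values taken from the Downloads section; the field names, rule names and the two benign control events are the author's assumptions.

```python
"""Run a few detections over process-creation events shaped like the
process tree in this report.

The EVENTS list is CONSTRUCTED from the tree above (Sysmon Event ID 1 style
fields); the SHA256 values come from the report's Downloads section. The two
benign events are made up as controls.
"""
import ntpath

# SHA256 of dropped files listed in the report's Downloads section.
KNOWN_BAD_SHA256 = {
    "2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f",  # Synaptics.exe (copy of sample)
    "0ca516bbce57427d0819d15a1d02f46cbdbe0729d8d79d8321176e91e3444e57",  # ._cache_<sample>.exe
    "210a6be7ccb3a097ff5e26d97c242bfec0e87927e9a539a65e5613b0a2723b87",  # icsys.icn.exe
    "684036d5f2fe98ae08c2c65105b0da61e6c23049896c976cdfa17f3c279e74fe",  # C:\Windows\System\explorer.exe
    "fe4b303e1ff347b2087b0dda804c856ff967d6b7520c4cc2ee0257d193d65beb",  # C:\Windows\System\spoolsv.exe
    "212fbf6f44b178795eef0ec54bea00fabf9fc2b9d00844dc074f1edfe3df91b4",  # C:\Windows\System\svchost.exe
}

# Directories these system binaries legitimately run from (exact match,
# lower-case, trailing backslash). c:\windows\system\ is a subdirectory of
# c:\windows\, so a prefix test would miss the explorer.exe copy.
EXPECTED_DIRS = {
    "explorer.exe": ("c:\\windows\\",),
    "svchost.exe": ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\"),
    "spoolsv.exe": ("c:\\windows\\system32\\",),
}

SAMPLE = "2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe"
TEMP = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"

# Constructed events modelled on the process tree.
EVENTS = [
    {"ProcessId": 4216, "ParentImage": TEMP + SAMPLE, "Image": TEMP + "._cache_" + SAMPLE,
     "CommandLine": "\"" + TEMP + "._cache_" + SAMPLE + "\"",
     "SHA256": "0ca516bbce57427d0819d15a1d02f46cbdbe0729d8d79d8321176e91e3444e57"},
    {"ProcessId": 4116, "ParentImage": "C:\\Users\\Admin\\AppData\\Local\\icsys.icn.exe",
     "Image": "\\??\\c:\\windows\\system\\explorer.exe", "CommandLine": "c:\\windows\\system\\explorer.exe",
     "SHA256": "684036d5f2fe98ae08c2c65105b0da61e6c23049896c976cdfa17f3c279e74fe"},
    {"ProcessId": 4624, "ParentImage": "c:\\windows\\system\\explorer.exe",
     "Image": "\\??\\c:\\windows\\system\\spoolsv.exe", "CommandLine": "c:\\windows\\system\\spoolsv.exe SE",
     "SHA256": "fe4b303e1ff347b2087b0dda804c856ff967d6b7520c4cc2ee0257d193d65beb"},
    {"ProcessId": 3844, "ParentImage": "c:\\windows\\system\\spoolsv.exe",
     "Image": "\\??\\c:\\windows\\system\\svchost.exe", "CommandLine": "c:\\windows\\system\\svchost.exe",
     "SHA256": "212fbf6f44b178795eef0ec54bea00fabf9fc2b9d00844dc074f1edfe3df91b4"},
    {"ProcessId": 2668, "ParentImage": "c:\\windows\\system\\svchost.exe",
     "Image": "C:\\Windows\\SysWOW64\\at.exe",
     "CommandLine": "at 01:56 /interactive /every:M,T,W,Th,F,S,Su c:\\windows\\system\\svchost.exe"},
    # Benign controls (constructed): the real shell and a real service host.
    {"ProcessId": 1000, "ParentImage": "C:\\Windows\\System32\\userinit.exe",
     "Image": "C:\\Windows\\explorer.exe", "CommandLine": "C:\\Windows\\explorer.exe"},
    {"ProcessId": 900, "ParentImage": "C:\\Windows\\System32\\services.exe",
     "Image": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "C:\\Windows\\System32\\svchost.exe -k netsvcs"},
]


def split_image(image):
    """Return (directory with trailing backslash, basename), lower-cased,
    after stripping the \\??\\ object-manager prefix seen in the tree."""
    image = image.lower()
    if image.startswith("\\??\\"):
        image = image[4:]
    directory, name = ntpath.split(image)
    return directory + "\\", name


def evaluate(event):
    """Return the list of rule names the event triggers (possibly empty)."""
    hits = []
    directory, name = split_image(event["Image"])
    cmd = event.get("CommandLine", "").lower()
    # 1. A well-known binary name running from the wrong directory.
    if name in EXPECTED_DIRS and directory not in EXPECTED_DIRS[name]:
        hits.append("masquerading_system_binary")
    # 2. Legacy AT scheduler creating a recurring interactive job.
    if name == "at.exe" and "/interactive" in cmd and "/every:" in cmd:
        hits.append("at_interactive_recurring_job")
    # 3. The "._cache_<original>" stub the dropper extracts and runs.
    if name.startswith("._cache_"):
        hits.append("cache_stub_execution")
    # 4. Hash match against the report's dropped-file IoCs.
    if event.get("SHA256", "").lower() in KNOWN_BAD_SHA256:
        hits.append("known_bad_hash")
    return hits


def detect(events):
    """Map ProcessId -> triggered rules, omitting events with no hits."""
    return {ev["ProcessId"]: evaluate(ev) for ev in events if evaluate(ev)}


if __name__ == "__main__":
    for pid, rules in detect(EVENTS).items():
        print(pid, ", ".join(rules))
```

Rules 1 to 3 are behavioural and survive a rebuild of the sample; rule 4 only matches this exact drop set. The at.exe rule is worth keeping even though at.exe is deprecated in favour of schtasks.exe on current Windows: the invocation itself, from a child of a masquerading svchost.exe, is the signal, whatever the scheduler does with it.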

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.5MB

    MD5

    541530d085f95820042277daebb1f623

    SHA1

    31d4b8fc956c9436c114e53524b0d80e8e5dfd4c

    SHA256

    2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f

    SHA512

    305724ce531d1b6b4cf8739a10d32551334e1a1e712790839c9a81d51cc5496e1f76cd28d9a680bcc251a795739c5f1a3471e2583005af53925fb47c0c77dbd7

  • C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe

    Filesize

    794KB

    MD5

    020e3a7e3dea3fa0efc7dfd92eec9b74

    SHA1

    41b784857d38376f5c56aed0fa8181e5810192ef

    SHA256

    0ca516bbce57427d0819d15a1d02f46cbdbe0729d8d79d8321176e91e3444e57

    SHA512

    2f68fef8d0bc9cea789a8963cf10dfe51ea6313c8cc2b862dde9c3b9da1fa55d787de28e8f076c56be7541f99624e80103c44b44dcfa0e81fb18f633bea68f53

  • C:\Users\Admin\AppData\Local\Temp\._cache_2a35078ec0d7fd71726e92e9f8c2c2614bea1843e5000e37c9ba5792ab5f249f.exe 

    Filesize

    587KB

    MD5

    1799da063f7a1b0c93ea50bc000097f1

    SHA1

    362877bf4f45e2552524fde912a2e6ced309a1a5

    SHA256

    2e41ff11d78405149f88dd9a02347cb94eb044ce4ff4c5001c9e990f53d6e4ae

    SHA512

    cc6878d14930d2419eea813877e7e197441295d00d22f400b8f4354c57157742048c2954469eeb68381c6377dcc3d326480c15e24beb8429e67ed73da636efae

  • C:\Users\Admin\AppData\Local\Temp\F0C75E00

    Filesize

    25KB

    MD5

    8a1a7a3a12db166e824fad729d14dbc9

    SHA1

    44e8b2eb79722f272876d2202c4c8987c4262f55

    SHA256

    7d96891664c6741636749aac394d2d9932b89b4eab10c56628d03b2bbe312221

    SHA512

    6862d3ad82d303bb00bdaf9052a0b15d9f9e270af17b802c9433c1e5404b2a6ad44c7892a9af63ada50bf85c1665cc73cedefdc77202b309618fc7e49c97b06b

  • C:\Users\Admin\AppData\Local\Temp\i4qjlqMb.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\icsys.icn.exe

    Filesize

    206KB

    MD5

    34a4e56b76b7a84797188bdc281c99ac

    SHA1

    a40b57f5ecaa1770f15be361a4f97468f054eaa5

    SHA256

    210a6be7ccb3a097ff5e26d97c242bfec0e87927e9a539a65e5613b0a2723b87

    SHA512

    ce505811c995b1b7f8e7451aad6768e0e2e552d6f7e7e577dafa2d4ed3c1543b60ea998e687d46f2ac2135d9b1aab9e41d2a5fd70c4b0976d2ee345a0864ece6

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    4f61152889440a451ff7be9bbbcf586f

    SHA1

    020376bd7043af280cd1e6c6c60585692f06ebd5

    SHA256

    85fa7e87bfb2e56f81407c4a1c2e81c34d75fb465595ffa54a3dbfd80512c0f4

    SHA512

    da644dbd187170239a9174f3d749d597fdb2428c327c113444774459c1ab940fcd4e288833a34b0c2853d5efd71d0f34f9bbfe963c74e0733b0cd59e0c263372

  • C:\Windows\System\explorer.exe

    Filesize

    206KB

    MD5

    a378ebbde0a36dc4062fc201382e9fe0

    SHA1

    c6c7e15643efd82aaf7df9107149b4bfd190485f

    SHA256

    684036d5f2fe98ae08c2c65105b0da61e6c23049896c976cdfa17f3c279e74fe

    SHA512

    b292362f8b6acbfc45c6dc772cff01a8a58d3ae4ab42056640ac75f8e3c921f23ac983163f07e4e700635ee0d79b93b29b05d45883eaf3154580b816ff8cf264

  • C:\Windows\System\spoolsv.exe

    Filesize

    206KB

    MD5

    bb2d4fbabc545357c89d4055b16c243c

    SHA1

    0f862b79124eb5ba1441629e2ac243bf2519e119

    SHA256

    fe4b303e1ff347b2087b0dda804c856ff967d6b7520c4cc2ee0257d193d65beb

    SHA512

    649fce035ed41a171eb2762071a7b9c7043fe3573a297312c401956567d7f833644def4351acb076b3be4891d928f3482d47d90fa2bdf25d82857753a0fd2964

  • C:\Windows\System\svchost.exe

    Filesize

    206KB

    MD5

    9f516e9542a09d0713b085b8a8eee441

    SHA1

    68161ffbced99a50fb863c5562cb7cc7af382ff7

    SHA256

    212fbf6f44b178795eef0ec54bea00fabf9fc2b9d00844dc074f1edfe3df91b4

    SHA512

    d38c0b882bc1e707f162fc34e6a03bd1810cffd65eb9fbfa6a35c9c91e8d4f199017da971430eae10d0bb2bb58e82f76cbdeb3213e0d2338428953728c1e5f1f

  • memory/556-247-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1316-260-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1556-0-0x0000000002530000-0x0000000002531000-memory.dmp

    Filesize

    4KB

  • memory/1556-136-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

  • memory/2388-262-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3036-261-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3844-342-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4116-207-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4116-341-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4200-309-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

  • memory/4200-340-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

  • memory/4216-64-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4216-249-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4624-248-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4816-219-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

    Filesize

    64KB

  • memory/4816-222-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

    Filesize

    64KB

  • memory/4816-220-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

    Filesize

    64KB

  • memory/4816-217-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

    Filesize

    64KB

  • memory/4816-244-0x00007FF91C120000-0x00007FF91C130000-memory.dmp

    Filesize

    64KB

  • memory/4816-228-0x00007FF91E7F0000-0x00007FF91E800000-memory.dmp

    Filesize

    64KB

  • memory/4816-237-0x00007FF91C120000-0x00007FF91C130000-memory.dmp

    Filesize

    64KB

  • memory/4896-250-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB