Overview

overview

10

Static

static

10

f4b7463799...bf.exe

windows7-x64

10

f4b7463799...bf.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    111s
  • max time network
    118s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-12-2024 15:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe

  • Size

    829KB

  • MD5

    72e95291904617709bd084ddc40514cc

  • SHA1

    8235fdde80b1adc76e98e29d796675d6747c1b29

  • SHA256

    f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf

  • SHA512

    55615ac6ca7abe09f66266fbbd9681cf0f60994f6ca996fcfde7f9b93ce87ce631c1e7ec943f46e5079cf8a493f0cbecf64952122d2f0943082ecd9678538779

  • SSDEEP

    12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9px4DyNT:pnsJ39LyjbJkQFMhmC+6GD91p

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
    "C:\Users\Admin\AppData\Local\Temp\f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:968
    • C:\Users\Admin\AppData\Local\Temp\._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1220
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4520
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4168
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4412

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    829KB

    MD5

    72e95291904617709bd084ddc40514cc

    SHA1

    8235fdde80b1adc76e98e29d796675d6747c1b29

    SHA256

    f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf

    SHA512

    55615ac6ca7abe09f66266fbbd9681cf0f60994f6ca996fcfde7f9b93ce87ce631c1e7ec943f46e5079cf8a493f0cbecf64952122d2f0943082ecd9678538779

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
    Filesize

    75KB

    MD5

    2f9366f62dcd6e73dc3520c65bbf95da

    SHA1

    792d846d45dee9d2f732b242c6f5c843fb27cb17

    SHA256

    bd848b8d9ab1a6dafea89c0fb7647dd68a8356634e378fc2bdf46f44e05f699f

    SHA512

    ee0ac811acbc031bd05442cf21eec537788e46763d6e8380f4a6b56abc6e6cd22868755d2b8bda3a1ed55545de1ecfa83e1ad2e66a13a30e314e5144ae8a257e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\OHOOSpLm.xlsm
    Filesize

    17KB

    MD5

    8f3c7fbc1e051b36696dbd67e8ed4249

    SHA1

    b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

    SHA256

    8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

    SHA512

    4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

    Download Submit

  • memory/968-0-0x0000000002360000-0x0000000002361000-memory.dmp

    Filesize

    4KB

    Download

  • memory/968-74-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/4412-112-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4412-110-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4412-111-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4412-109-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4412-113-0x00007FFC838D0000-0x00007FFC838E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4412-114-0x00007FFC81480000-0x00007FFC81490000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4412-115-0x00007FFC81480000-0x00007FFC81490000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4520-75-0x0000000002020000-0x0000000002021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4520-125-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download

  • memory/4520-126-0x0000000002020000-0x0000000002021000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4520-157-0x0000000000400000-0x00000000004D5000-memory.dmp

    Filesize

    852KB

    Download