Analysis

  • max time kernel
    112s
  • max time network
    93s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2024 18:53

General

  • Target

    a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe

  • Size

    1.2MB

  • MD5

    b8827e4fa6149576aa16cbcf9ff30819

  • SHA1

    fc43eee5eff356d8b66cd0e493d990262d1dcc61

  • SHA256

    a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9

  • SHA512

    975a3e56df9fd37b2fb82211caa7d7271ff067a35f1fab271a26bf34c9c864bac775fa09815c37e591d38db914731cf6fb4309700daa1ae19a43aeb24ae3e65f

  • SSDEEP

    24576:TnsJ39LyjbJkQFMhmC+6GD9ANDbqUo5uCMiJ0vH:TnsHyjtk2MYC5GD+Nto5uCAv

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • UPX packed file 5 IoCs

    Detects executables packed with the UPX open-source packer or a modified UPX variant.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
    "C:\Users\Admin\AppData\Local\Temp\a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3500
    • C:\Users\Admin\AppData\Local\Temp\._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:5004
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2264
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3104
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2696

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.2MB

    MD5

    b8827e4fa6149576aa16cbcf9ff30819

    SHA1

    fc43eee5eff356d8b66cd0e493d990262d1dcc61

    SHA256

    a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9

    SHA512

    975a3e56df9fd37b2fb82211caa7d7271ff067a35f1fab271a26bf34c9c864bac775fa09815c37e591d38db914731cf6fb4309700daa1ae19a43aeb24ae3e65f

  • C:\Users\Admin\AppData\Local\Temp\._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe

    Filesize

    485KB

    MD5

    9894a7298ad832b8ef73e749a9acf4ab

    SHA1

    039aa843dbe090f0ea785ae04cf125abbcf4f28f

    SHA256

    128fc38fe26637a05405cbe3031b017a2ab12956877fc575efc709a2f920c86a

    SHA512

    3394e82423c1d5392154295cd1627fef99a6a8cf73a88799170bc845767edb06e6d87c45f1a0bd5635c96666d75a23140e5e04b5a2a6675eb86654dd9cf9e615

  • C:\Users\Admin\AppData\Local\Temp\Browser.ini

    Filesize

    23B

    MD5

    5671ad767fc7e1af34132342e9ad06c1

    SHA1

    575fdcb80b55a91e62e6687937038d0ca909bc2d

    SHA256

    80e49c644396b856544a0ea6e0962c8d9fb4f8c499a249880d2ac8c30579accd

    SHA512

    5b7f7bcf14eaa9a2f500711bac3a8d9c3f7adc0c2c2cafbfe6e4d1e406c1b3b7f00df3e0dd85a0e531f4d4d1d58298e77c4d9c0bb976e86e5a191e80ca010974

  • C:\Users\Admin\AppData\Local\Temp\DhYnPHdj.xlsm

    Filesize

    17KB

    MD5

    8f3c7fbc1e051b36696dbd67e8ed4249

    SHA1

    b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

    SHA256

    8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

    SHA512

    4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

  • memory/2264-383-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/2264-247-0x00007FFEED090000-0x00007FFEED285000-memory.dmp

    Filesize

    2.0MB

  • memory/2264-449-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/2264-438-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/2264-409-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/2264-403-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/2264-381-0x00007FFEED090000-0x00007FFEED285000-memory.dmp

    Filesize

    2.0MB

  • memory/2696-387-0x00007FFEAD110000-0x00007FFEAD120000-memory.dmp

    Filesize

    64KB

  • memory/2696-386-0x00007FFEAD110000-0x00007FFEAD120000-memory.dmp

    Filesize

    64KB

  • memory/2696-388-0x00007FFEAD110000-0x00007FFEAD120000-memory.dmp

    Filesize

    64KB

  • memory/2696-389-0x00007FFEAD110000-0x00007FFEAD120000-memory.dmp

    Filesize

    64KB

  • memory/2696-390-0x00007FFEAD110000-0x00007FFEAD120000-memory.dmp

    Filesize

    64KB

  • memory/2696-391-0x00007FFEAA7B0000-0x00007FFEAA7C0000-memory.dmp

    Filesize

    64KB

  • memory/2696-392-0x00007FFEAA7B0000-0x00007FFEAA7C0000-memory.dmp

    Filesize

    64KB

  • memory/3104-354-0x0000000000400000-0x0000000000557000-memory.dmp

    Filesize

    1.3MB

  • memory/3104-385-0x0000000000400000-0x0000000000557000-memory.dmp

    Filesize

    1.3MB

  • memory/3500-0-0x00007FFEED090000-0x00007FFEED285000-memory.dmp

    Filesize

    2.0MB

  • memory/3500-245-0x0000000000400000-0x000000000053C000-memory.dmp

    Filesize

    1.2MB

  • memory/3500-246-0x00007FFEED090000-0x00007FFEED285000-memory.dmp

    Filesize

    2.0MB

  • memory/5004-380-0x0000000000400000-0x0000000000557000-memory.dmp

    Filesize

    1.3MB

  • memory/5004-70-0x0000000000400000-0x0000000000557000-memory.dmp

    Filesize

    1.3MB