Analysis

  • max time kernel
    120s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26-12-2024 20:22

General

  • Target

    f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe

  • Size

    1.5MB

  • MD5

    92fc1b64d702ebee25b1cabea2a81ae0

  • SHA1

    1d3d5ec151eae49d8186d755db49c0d2b1df1a76

  • SHA256

    f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730

  • SHA512

    ac8ad02121c75db44ce5c67c4e7ec7cfdcb2fdcb5577c2675d8c7c63fca27c86626ee45e92c8ec58efedfb35bf9e863b76d482e45eb4dd1427b9a88c73e1981d

  • SSDEEP

    24576:ansJ39LyjbJkQFMhmC+6GD9u5xolYQY6dp7gAVKzar5:ansHyjtk2MYC5GDjYmp7gAVK2

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
  • Modifies visibility of hidden/system files in Explorer 2 TTPs 2 IoCs
  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely as a geofence check.

  • Executes dropped EXE 12 IoCs
  • Adds Run key to start application 2 TTPs 5 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 40 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
    "C:\Users\Admin\AppData\Local\Temp\f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4764
    • C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1624
      • \??\c:\users\admin\appdata\local\temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe 
        c:\users\admin\appdata\local\temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe 
        3⤵
        • Executes dropped EXE
        PID:2124
      • C:\Users\Admin\AppData\Local\icsys.icn.exe
        C:\Users\Admin\AppData\Local\icsys.icn.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2912
        • \??\c:\windows\system\explorer.exe
          c:\windows\system\explorer.exe
          4⤵
          • Modifies WinLogon for persistence
          • Modifies visibility of hidden/system files in Explorer
          • Boot or Logon Autostart Execution: Active Setup
          • Executes dropped EXE
          • Adds Run key to start application
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1284
          • \??\c:\windows\system\spoolsv.exe
            c:\windows\system\spoolsv.exe SE
            5⤵
            • Executes dropped EXE
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:3384
            • \??\c:\windows\system\svchost.exe
              c:\windows\system\svchost.exe
              6⤵
              • Modifies WinLogon for persistence
              • Modifies visibility of hidden/system files in Explorer
              • Boot or Logon Autostart Execution: Active Setup
              • Executes dropped EXE
              • Adds Run key to start application
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3516
              • \??\c:\windows\system\spoolsv.exe
                c:\windows\system\spoolsv.exe PR
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                PID:2688
              • C:\Windows\SysWOW64\at.exe
                at 20:24 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:4836
              • C:\Windows\SysWOW64\at.exe
                at 20:25 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe
                7⤵
                • System Location Discovery: System Language Discovery
                PID:1916
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4792
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          PID:2888
        • C:\Users\Admin\AppData\Local\icsys.icn.exe
          C:\Users\Admin\AppData\Local\icsys.icn.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2096
          • \??\c:\windows\system\explorer.exe
            c:\windows\system\explorer.exe
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            PID:4372
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4484

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.5MB

    MD5

    92fc1b64d702ebee25b1cabea2a81ae0

    SHA1

    1d3d5ec151eae49d8186d755db49c0d2b1df1a76

    SHA256

    f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730

    SHA512

    ac8ad02121c75db44ce5c67c4e7ec7cfdcb2fdcb5577c2675d8c7c63fca27c86626ee45e92c8ec58efedfb35bf9e863b76d482e45eb4dd1427b9a88c73e1981d

  • C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730N.exe

    Filesize

    794KB

    MD5

    020e3a7e3dea3fa0efc7dfd92eec9b74

    SHA1

    41b784857d38376f5c56aed0fa8181e5810192ef

    SHA256

    0ca516bbce57427d0819d15a1d02f46cbdbe0729d8d79d8321176e91e3444e57

    SHA512

    2f68fef8d0bc9cea789a8963cf10dfe51ea6313c8cc2b862dde9c3b9da1fa55d787de28e8f076c56be7541f99624e80103c44b44dcfa0e81fb18f633bea68f53

  • C:\Users\Admin\AppData\Local\Temp\._cache_f1c82a831b4dbcc5869fe60ea8879f073902d358f80b3525fa2682a895715730n.exe 

    Filesize

    587KB

    MD5

    1799da063f7a1b0c93ea50bc000097f1

    SHA1

    362877bf4f45e2552524fde912a2e6ced309a1a5

    SHA256

    2e41ff11d78405149f88dd9a02347cb94eb044ce4ff4c5001c9e990f53d6e4ae

    SHA512

    cc6878d14930d2419eea813877e7e197441295d00d22f400b8f4354c57157742048c2954469eeb68381c6377dcc3d326480c15e24beb8429e67ed73da636efae

  • C:\Users\Admin\AppData\Local\Temp\42C75E00

    Filesize

    24KB

    MD5

    c7af1c967c985311e2a4a1f2b029dcfa

    SHA1

    940ba6219e2b099d0aa9b3634b27ba4e2ba4e2a2

    SHA256

    f52ecb335652034daaaaab61e19f1d0521e9da859b917a99679186ff9868ec6b

    SHA512

    e6a5d1c875fff327eb9c765bf65e4462fab9a3e2ed59d8bf0a55bbf373d10fad017397d9f15a341e7035a4801d15f64f018ab586d97a8a67b7254eadced90e50

  • C:\Users\Admin\AppData\Local\Temp\qjem1HbW.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Local\icsys.icn.exe

    Filesize

    206KB

    MD5

    34a4e56b76b7a84797188bdc281c99ac

    SHA1

    a40b57f5ecaa1770f15be361a4f97468f054eaa5

    SHA256

    210a6be7ccb3a097ff5e26d97c242bfec0e87927e9a539a65e5613b0a2723b87

    SHA512

    ce505811c995b1b7f8e7451aad6768e0e2e552d6f7e7e577dafa2d4ed3c1543b60ea998e687d46f2ac2135d9b1aab9e41d2a5fd70c4b0976d2ee345a0864ece6

  • C:\Users\Admin\AppData\Roaming\mrsys.exe

    Filesize

    206KB

    MD5

    854359f594e26980f1874d7305cc8047

    SHA1

    80ecd8231c86eb35b01253603ba47f2b06473f70

    SHA256

    82014163c224c1297db3372b53e53c56e1eaa36593acea97bce333510400b354

    SHA512

    617e5a771430c422201a73a1d7d020d55310ea5db167f4ed59920b3625c359b45d85c9cedf19b407b75c8756b918c627c0c03a79d69a1aa24696f72094fbed3f

  • C:\Windows\System\spoolsv.exe

    Filesize

    206KB

    MD5

    fbeef1877a06a39dd5621de366d8a735

    SHA1

    33287289c163c6835094da390b1e767c5d8b873f

    SHA256

    1636254c92f5e2f630e84b2dadc3e5ad53ab425f331c04ec0ee81c63dac3e913

    SHA512

    b35d0c810ceebae440fe065eaa8e0050350fc73fb4efe5698a7ee6afb79f4721e18bde23bafa84d8b5494de9034ee690a7acceb0a676ef2f56ac5546f4f83317

  • C:\Windows\System\svchost.exe

    Filesize

    206KB

    MD5

    a159247483cf1659d45222ec6844f2fe

    SHA1

    4fba585df57b9ed17a2a436c849687d71cd30b09

    SHA256

    c8dffa407b6f32b102231cef0cf24b2f60a136ab15ba681ab5d90dc6ee323e82

    SHA512

    438209ef693d4e0731dab9cdb5a2a30f9c7de701bf8d455534aa825bd5c69168a9dc9fd9d28b3c4f5e4ddf02733473dd53d71b8deda078d36729f9a6f1657a5f

  • \??\c:\windows\system\explorer.exe

    Filesize

    206KB

    MD5

    debe4c6df95b841d7ac8aff616949fa9

    SHA1

    6d3ebf001c11acb5a6b9d425c6e19e63dc2acb9c

    SHA256

    1190e3dde1284f7582acd13c27a86db557aaf16a69984cea9626fb6153cd4564

    SHA512

    e89445291a0f28d232210378ba801a21948cd18c0af6e9d1b00910510f3304d23e7e45cf6f1069f97662b4f992e9fb56c5109c2d30a7807231c5a8264037cbf1

  • memory/1284-207-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1284-346-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1624-252-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1624-60-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2096-263-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2688-246-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2912-251-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3384-249-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3516-239-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/3516-347-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4372-262-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/4484-242-0x00007FFF076C0000-0x00007FFF076D0000-memory.dmp

    Filesize

    64KB

  • memory/4484-229-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

    Filesize

    64KB

  • memory/4484-228-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

    Filesize

    64KB

  • memory/4484-227-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

    Filesize

    64KB

  • memory/4484-230-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

    Filesize

    64KB

  • memory/4484-231-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

    Filesize

    64KB

  • memory/4484-250-0x00007FFF076C0000-0x00007FFF076D0000-memory.dmp

    Filesize

    64KB

  • memory/4764-0-0x0000000002420000-0x0000000002421000-memory.dmp

    Filesize

    4KB

  • memory/4764-132-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

  • memory/4792-264-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/5096-313-0x0000000000740000-0x0000000000741000-memory.dmp

    Filesize

    4KB

  • memory/5096-314-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

  • memory/5096-327-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB

  • memory/5096-135-0x0000000000740000-0x0000000000741000-memory.dmp

    Filesize

    4KB

  • memory/5096-348-0x0000000000400000-0x0000000000589000-memory.dmp

    Filesize

    1.5MB