Overview

overview

10

Static

static

1

DOCUMENTZ.zip

windows7-x64

10

DOCUMENTZ.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    59s
  • max time network
    59s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 07:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    DOCUMENTZ.zip

  • Size

    1.2MB

  • MD5

    c2c9a9190ea691fb502a99855dadb789

  • SHA1

    cffcc6d360d5ce539c2f8221cb1a6adb2c468bc6

  • SHA256

    4c939e53a7c2c5b619a63ab6d028d0925d49ecb056f44205dbc27a0045981cd2

  • SHA512

    76983c12cd2f98f4c21e637df1c2bac63027a599fd3647dad9d78abc36f0eb14a3b9d20b02ebaf50c3d90be2f31c18b6badbc537ce7f2c1be551a8fba282b33e

  • SSDEEP

    24576:KSx32nMHd/xfRzr2ZPE/jC695RFgZH/3tlu8SQWOa3u3nc2G40zCsXiG:3FttVZR2Z/tKTMn3G4gC0iG

Score
10/10
xredbackdoordiscoverypersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 3 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 6 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\DOCUMENTZ.zip"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:3128
    • C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\Supplier 0202AW-PER2 Sheet.exe
      "C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\Supplier 0202AW-PER2 Sheet.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\._cache_Supplier 0202AW-PER2 Sheet.exe
        "C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\._cache_Supplier 0202AW-PER2 Sheet.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • NTFS ADS
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:5048
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe /c schtasks /create /tn ZMNYQK.exe /tr C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2748
          • C:\Windows\SysWOW64\schtasks.exe
            schtasks /create /tn ZMNYQK.exe /tr C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Scheduled Task/Job: Scheduled Task
            PID:4876
        • C:\Windows\SysWOW64\WSCript.exe
          WSCript C:\Users\Admin\AppData\Local\Temp\ZMNYQK.vbs
          4⤵
          • System Location Discovery: System Language Discovery
          PID:212
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2636
        • C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:4016
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:392

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\._cache_Supplier 0202AW-PER2 Sheet.exe
    Filesize

    892KB

    MD5

    db7fc8188230c44a2b7360862dcf26e9

    SHA1

    648217f05db22b2663a5d3284d2c699da96423f4

    SHA256

    2180493dd5655c4ccf4cc17d0e3b1f69b9005ddc4152eb85ef7a8da026a75573

    SHA512

    9010c19b2c792f90f8edb1233c843b1d999ae84e1b2d49935e4790a8bd3b22446866b62a3f2c679dc89caf33f0d5f620eb97d72dc5882388089bd709be35ebdc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\7zO83CD9B08\Supplier 0202AW-PER2 Sheet.exe
    Filesize

    1.6MB

    MD5

    97e5ba8188b0e2613fd02ee2b8dfee7a

    SHA1

    17e314b66392d3d14e68f3e4a0ce4e3649255835

    SHA256

    2d976b78efe5c7e983ff4cef98deb25d21a901e8f954f6d915d5642e75420296

    SHA512

    dbb0c03170d807be5e43deb0fd7f1198bb56606cd4bb65d3ccb00b19759336f84c49072baedc6e674db308f58618f58e7d6de24fcb12c7f951de04e7e9c76e1f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\90785E00
    Filesize

    24KB

    MD5

    e9ef19c3a928f9a00957ff5f2da01026

    SHA1

    900aa229d50facde3a9cc11b24e958ccef37502e

    SHA256

    94194d9551645a6a3c66a0c44314333883d535cc25117814216484e4af138fc1

    SHA512

    0189c064a73d2f624beb0f7db2cf5558c0d2e48e20ed88a6e461b6438a9c2815b738a3a0f696f29d89d962e23f11463f0a1e3a95b03210466da50a77e613c45e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ZMNYQK.vbs
    Filesize

    900B

    MD5

    6b2fc38c53ce432c5d1748c1b64732de

    SHA1

    5c79a8b9ede2140efc9bdf0e8f07e9ae5a1891dd

    SHA256

    b3135337300fbde21d0a3b6f658436280927f513cc4f8ffca4ffdc75b86998c6

    SHA512

    47c52faac34281f362760c0740cf951e969db462abd1f32199d3810dd02b5ed0f3bc8fe2225c64afb6ab86fea22050159311274bbfdf80a33f4b2dcdb224f39e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\ZU2fNBI4.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • memory/392-214-0x00007FFB77EB0000-0x00007FFB77EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/392-215-0x00007FFB77EB0000-0x00007FFB77EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/392-218-0x00007FFB75B80000-0x00007FFB75B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/392-217-0x00007FFB75B80000-0x00007FFB75B90000-memory.dmp

    Filesize

    64KB

    Download

  • memory/392-212-0x00007FFB77EB0000-0x00007FFB77EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/392-213-0x00007FFB77EB0000-0x00007FFB77EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/392-216-0x00007FFB77EB0000-0x00007FFB77EC0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2012-141-0x0000000000400000-0x00000000005A1000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2012-12-0x0000000002330000-0x0000000002331000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2636-220-0x0000000000400000-0x00000000005A1000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/4016-208-0x0000000000DA0000-0x0000000000F8E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4016-210-0x0000000000DA0000-0x0000000000F8E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/5048-211-0x0000000000B80000-0x0000000000D6E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/5048-219-0x0000000000B80000-0x0000000000D6E000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/5048-82-0x0000000000B80000-0x0000000000D6E000-memory.dmp

    Filesize

    1.9MB

    Download