Overview

overview

10

Static

static

10

FGNEBI.exe

windows7-x64

10

FGNEBI.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    30-12-2024 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    FGNEBI.exe

  • Size

    1.6MB

  • MD5

    1585cb2963dceb92fbcf6c4c057e191e

  • SHA1

    2063f45e9c82553bbc41cb4bc8e10b2d06d701c9

  • SHA256

    67d5fc80b6bf87eb6bc3d505b0102cfdf8e8727d3da004d982467ab08ded7f0b

  • SHA512

    88475b49d4299519b978711b16e0ea40579a3b671eb898d3d3f8391fbc2de55665bc0a978a20578a4c83f6bf3894a857e4013f34b0e2e4db6de404f66ef9ce47

  • SSDEEP

    24576:gnsJ39LyjbJkQFMhmC+6GD9YhloDX0XOf4tHzneKlVLaqueI0psAzrcP39h:gnsHyjtk2MYC5GDyhloJfaelV6skAfX

Score
10/10
xredbackdoordiscoverypersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops startup file 1 IoCs
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 6 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • AutoIT Executable 17 IoCs

    AutoIT scripts compiled to PE executables.

  • UPX packed file 24 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • NTFS ADS 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 32 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\FGNEBI.exe
    "C:\Users\Admin\AppData\Local\Temp\FGNEBI.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Users\Admin\AppData\Local\Temp\._cache_FGNEBI.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_FGNEBI.exe"
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of WriteProcessMemory
      PID:2728
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c schtasks /create /tn WLJOQW.exe /tr C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2552
        • C:\Windows\SysWOW64\schtasks.exe
          schtasks /create /tn WLJOQW.exe /tr C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe /sc minute /mo 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2988
      • C:\Windows\SysWOW64\WSCript.exe
        WSCript C:\Users\Admin\AppData\Local\Temp\WLJOQW.vbs
        3⤵
        • System Location Discovery: System Language Discovery
        PID:2600
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2640
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2000
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2560
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {78438443-7577-4FE2-9C25-DF58FEC50023} S-1-5-21-4177215427-74451935-3209572229-1000:JSMURNPT\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe
      C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1788
    • C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe
      C:\Users\Admin\AppData\Roaming\Windata\DELPQB.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2780

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    1.6MB

    MD5

    1585cb2963dceb92fbcf6c4c057e191e

    SHA1

    2063f45e9c82553bbc41cb4bc8e10b2d06d701c9

    SHA256

    67d5fc80b6bf87eb6bc3d505b0102cfdf8e8727d3da004d982467ab08ded7f0b

    SHA512

    88475b49d4299519b978711b16e0ea40579a3b671eb898d3d3f8391fbc2de55665bc0a978a20578a4c83f6bf3894a857e4013f34b0e2e4db6de404f66ef9ce47

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\H3TH5APi.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\H3TH5APi.xlsm
    Filesize

    21KB

    MD5

    50299b0d37a10092e76ec2f016fd13c9

    SHA1

    27a0cb7ef400917478174e04ef60710cd1b1abdf

    SHA256

    a2fdc2aecc9a52c774f28693371bcd15016408cea724028d5566cdcbf2eb8555

    SHA512

    1d6fc6a12c7c31b09e2a470f6fc62b45e855106dbe3b629d2cffb016ca8238d81aeab2e2a75f0fed057adca933d32c2a82e1eccb00976bac83732b6f618cc114

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WLJOQW.vbs
    Filesize

    848B

    MD5

    12f049bc7001bfe995a078cb56c04fe6

    SHA1

    7036c4c3ed4bad795413d823ade98eaa808297fc

    SHA256

    071ca2426c43aa83d946ac2ed49058942566d7e33c1d42937588f9aae5575045

    SHA512

    70e05c2071fb16427906effd1f1fe81677b2f7e136c5cbcc9f4edcc698696f60ca5fca7b08a4ca1487e15c393f1ac6aeec6acec8fd5f187a62e5293d1e6f77f8

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_FGNEBI.exe
    Filesize

    898KB

    MD5

    66a4951d384b55633ab61add85514f07

    SHA1

    bbf7a65a664bb2b8001576bf670a8381aad3a185

    SHA256

    6068b17cf1c362bfe7736e0b192c362735a040a68a6d41eb8ccdd8be242ca191

    SHA512

    d4dc27627baa28e79ae6dbd375a08c2afb5d47f43dd1c15e41a5033ac3c95bad018ebe5087dafad62fe2266fa7b69599ec2bed92da521208aab5011f854c7123

    Download Submit

  • memory/1788-109-0x0000000000EB0000-0x00000000010A0000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/1788-110-0x0000000000EB0000-0x00000000010A0000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2000-49-0x0000000000DB0000-0x0000000000FA0000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2000-53-0x0000000000DB0000-0x0000000000FA0000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2560-50-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2616-29-0x0000000000400000-0x00000000005A3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2616-17-0x0000000005560000-0x0000000005750000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2616-0-0x0000000000230000-0x0000000000231000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2640-98-0x0000000000400000-0x00000000005A3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2640-46-0x0000000005730000-0x0000000005920000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2640-144-0x0000000000400000-0x00000000005A3000-memory.dmp

    Filesize

    1.6MB

    Download

  • memory/2728-143-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-96-0x0000000000440000-0x0000000000450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2728-99-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-101-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-105-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-36-0x0000000000440000-0x0000000000450000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2728-18-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-113-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-95-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-97-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-145-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-147-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-149-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-151-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-160-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-158-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2728-156-0x0000000000230000-0x0000000000420000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2780-155-0x00000000012A0000-0x0000000001490000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/2780-154-0x00000000012A0000-0x0000000001490000-memory.dmp

    Filesize

    1.9MB

    Download