Analysis

  • max time kernel
    142s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2025, 01:02

General

  • Target

    dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

  • Size

    2.5MB

  • MD5

    955b5c84e9db2eba7f71d15229611e54

  • SHA1

    803fb7d591b378efb2f33f3f4596b41d488edb34

  • SHA256

    dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa

  • SHA512

    318626a5488ddeecc6af91ad37aa30c9811057c41bc39a7de76a4de2bbf5de3dadfafdfbf367b2ec7ecbeb9886e8ca28429179cf754b5bd0b4b2bca6b72dc516

  • SSDEEP

    49152:fnsHyjtk2MYC5GD8oIInpcITYbNbNWo4kSH3OqtwIfKI4GD2z5pvnQ:fnsmtk2akhiIT4bNJFY3Oqtr4lpvQ

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 32 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
    "C:\Users\Admin\AppData\Local\Temp\dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3008
      • \??\c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
        c:\users\admin\appdata\local\temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2932
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1944
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:828
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:1768
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.5MB

    MD5

    955b5c84e9db2eba7f71d15229611e54

    SHA1

    803fb7d591b378efb2f33f3f4596b41d488edb34

    SHA256

    dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa

    SHA512

    318626a5488ddeecc6af91ad37aa30c9811057c41bc39a7de76a4de2bbf5de3dadfafdfbf367b2ec7ecbeb9886e8ca28429179cf754b5bd0b4b2bca6b72dc516

  • C:\Users\Admin\AppData\Local\Temp\GubKff35.xlsm

    Filesize

    23KB

    MD5

    1659047ccd57bc438c71a0974475c299

    SHA1

    36e09a2d4bd671b4775a1cab6707f2571a8caa71

    SHA256

    86cfb13a1e329955b5f37c7b9e2d529b0ec6715ea2b29cd0c83adfb33a1aaa02

    SHA512

    c1be34510dbdd648d0c93b2f46164fd20cd8777ebf834780cb8ecf2b2f8e9298c4c60e57320fb60d70f191a11d05b0b2a29f773b689d29e2dc3366ba080ae61c

  • C:\Users\Admin\AppData\Local\Temp\GubKff35.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Windows\Resources\Themes\icsys.icn.exe

    Filesize

    135KB

    MD5

    b2b0f7ed52405ce562cdf3fc98642fc4

    SHA1

    ea849492e1f78495de05274e86166d949f3c5d52

    SHA256

    99540984de3d492d34879a243e04d9ed1c64babe9f41fbaab6ab60bab54083a7

    SHA512

    e63923a1db48345a393f2ae786e54ddc6cd1657d33b6f72df13a5034a17d127671d88ddf6f71e5b97ee3ec597fd966ce450d872db6b7bdf3d181b8c9010caa01

  • \Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe

    Filesize

    1.8MB

    MD5

    391ae2a331ac042af3375a8bec61c542

    SHA1

    2b4ac01d34886e81d492e9b5ce8e0c3867378241

    SHA256

    ab3c3cfc26b066a0118eb29d96751d60f078dbd432b6f2faa6ecdf5b14b8d96e

    SHA512

    c4bd6e66c0a220b2a5e0f4684c85d0a201d9b6ba54fd7a64d47bf3d1851b3d361b3c18f1917c34f68239c47ee31cb414dc4bc3607f8167116ca0b7bfa251ccb5

  • \Users\Admin\AppData\Local\Temp\._cache_dd49cb0cdc819682f71a76643ca69ad86cf25e616a4868e164cdde535b324bfa.exe 

    Filesize

    1.7MB

    MD5

    d440e40758c321682e212e61e6bf297e

    SHA1

    ad0e6fd020d5619a76789e7dc4c51503aa51c854

    SHA256

    03afa67e7c0bebf918c799b844b7ef8f9eb7f982caf6de5f62710e92484cc104

    SHA512

    7456186ef64e682cd6e90bb3598e1c90bd17cc0f0616dbb113c596496a8603973930eca7c5e9b4b5dc12f69456b234b90e500ae60e8cc5a9abb3ff7f4ee5b0bc

  • memory/828-103-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB

  • memory/1768-59-0x00000000000E0000-0x0000000000290000-memory.dmp

    Filesize

    1.7MB

  • memory/1944-139-0x0000000000400000-0x0000000000690000-memory.dmp

    Filesize

    2.6MB

  • memory/1944-104-0x0000000000400000-0x0000000000690000-memory.dmp

    Filesize

    2.6MB

  • memory/1944-45-0x00000000042A0000-0x00000000042BF000-memory.dmp

    Filesize

    124KB

  • memory/1944-141-0x00000000042A0000-0x00000000042BF000-memory.dmp

    Filesize

    124KB

  • memory/2624-101-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2624-60-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2828-36-0x0000000000400000-0x0000000000690000-memory.dmp

    Filesize

    2.6MB

  • memory/2828-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2828-5-0x00000000042B0000-0x00000000042CF000-memory.dmp

    Filesize

    124KB

  • memory/2932-46-0x00000000003D0000-0x00000000003EA000-memory.dmp

    Filesize

    104KB

  • memory/2932-39-0x00000000009A0000-0x0000000000B50000-memory.dmp

    Filesize

    1.7MB

  • memory/3008-102-0x0000000000400000-0x000000000041F000-memory.dmp

    Filesize

    124KB