Analysis

  • max time kernel
    141s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    03/01/2025, 04:48

General

  • Target

    f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

  • Size

    1.5MB

  • MD5

    2756afc3782b185d3c05dd880a8e8313

  • SHA1

    82417bd86f1fb249e296bb6b073b560e47639dde

  • SHA256

    f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682

  • SHA512

    9ffea594cd493cbd6fcb9f6f63dffa9127b17487177e63a466b786bc2d24d8af270c56dc653720266e6ad410ddce0931423354b6fa2dc02a7b2cb91e42321fc2

  • SSDEEP

    24576:WnsJ39LyjbJkQFMhmC+6GD9+wfLrvi4cRIyDe3SUNaXy+WypoGHgQ:WnsHyjtk2MYC5GDf+i3DsX1WH5Q

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 2 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 25 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in System32 directory 21 IoCs
  • Drops file in Program Files directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
    "C:\Users\Admin\AppData\Local\Temp\f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2224
    • C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2804
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        PID:2660
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2560

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    1.5MB

    MD5

    2756afc3782b185d3c05dd880a8e8313

    SHA1

    82417bd86f1fb249e296bb6b073b560e47639dde

    SHA256

    f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682

    SHA512

    9ffea594cd493cbd6fcb9f6f63dffa9127b17487177e63a466b786bc2d24d8af270c56dc653720266e6ad410ddce0931423354b6fa2dc02a7b2cb91e42321fc2

  • C:\Users\Admin\AppData\Local\Temp\PdyZTJVN.xlsm

    Filesize

    20KB

    MD5

    6ab00cd80470d549c06715b46c934ba9

    SHA1

    4370c83a63c106949758687dc7bfe6541a652d50

    SHA256

    bf7dfebbcfda8cb31738a2b1e99d6f382a6a6752a92fc0d28073a636e93121f5

    SHA512

    d2468ad178c3565a17bf6651ea869552371824165e8e9a53be50f15a672132fdd3cea40a520c353fac4534a0caf69b0a433184c07a12917d3fde49d017e7ec95

  • C:\Users\Admin\AppData\Local\Temp\PdyZTJVN.xlsm

    Filesize

    24KB

    MD5

    a714b8c5a03851735238b4cdd75cafe0

    SHA1

    60785776b49eb25c5bd1fcbec5e9340f85f85907

    SHA256

    2930b9cd46cb6e58000b7b2f0b3fb23e849ccbde8037f610b4a8925fc101af5c

    SHA512

    1281691c12ea401500520147a57b4dafb212a63a44dba3da9bf0836249d50d822c3074436d4f7db6b8a8fa2bff329211481b67db4e81f1a89f7ada8bff3c9112

  • C:\Users\Admin\AppData\Local\Temp\PdyZTJVN.xlsm

    Filesize

    23KB

    MD5

    868a821a705f02b22543ec0bcde7b23d

    SHA1

    74a6222c1361c8f65138a4a8d13c6dedd46d381a

    SHA256

    100a6447f6d3d03c276d8c968822ad937172ca163a87adc9ed81610279329b52

    SHA512

    71d939a69eedb86e7b752193779a1d65537374580207d39517fef271cbc61c6917d3ffbf392e5204570e959fda1fcc696e33901de9e6d9839df87690dcbd1c68

  • C:\Users\Admin\AppData\Local\Temp\PdyZTJVN.xlsm

    Filesize

    28KB

    MD5

    c02dcf85814f134f16a84ba250684ae0

    SHA1

    5e47701709b25d94ee4274e1ffde780bfe5999a1

    SHA256

    b46b85d3de0e2af70ac3f4b91bb6dd83988bf6103f4975c2254003ec4647796f

    SHA512

    572e7c419b7043cf57a1dfa3609db72190a6f37fdcc1e7633b9dda4f67c18b6ee728325cfc85119cc5fdb3b2f98f771845f427b1364ff66ba4cd3c86c44a0f85

  • C:\Users\Admin\AppData\Local\Temp\PdyZTJVN.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\Documents\~$UsePush.xlsx

    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

  • \Users\Admin\AppData\Local\Temp\._cache_f05b2555733c2ae2ee5a39c1e7b7a833c0bbae64a020c42a5446274a2545d682.exe

    Filesize

    790KB

    MD5

    694f54bd227916b89fc3eb1db53f0685

    SHA1

    21fdc367291bbef14dac27925cae698d3928eead

    SHA256

    b8f39714d41e009f75efb183c37100f2cbabb71784bbd243be881ac5b42d86fd

    SHA512

    55bc0de75a7f27f11eb8f4ee8c9934dfe1acd044d8b7b2151c506bdcbead3ab179df7023f699c9139c77541bbc4b1c0657e93c34a6bc4309b665c6cb7636a7e5

  • \Windows\SysWOW64\OpenAL32.new

    Filesize

    106KB

    MD5

    235355a8dd26903e75d5e812ecf50e53

    SHA1

    8316319341a0f9054e19e4a7b21df3dc49386fee

    SHA256

    1797d150a2e23af4f390f5c33eb598c6f58d0454011d74941f5316add900bbdd

    SHA512

    5beb9343028790f993d0acb1007fd112b7e2ef6f9fbedfdb62b0140d2bbadf3b6368417ea19edb0bc8674d19418e5784fef4430ce1c329de8e83c304706d39ac

  • \Windows\SysWOW64\wrap_oal.new

    Filesize

    434KB

    MD5

    d494267bc169604fac5e3679b9a97fed

    SHA1

    c093ce5a4f7dc40f7f604945bd1facfb2c805c4b

    SHA256

    a4e46e6d09c4b0966824a2f6628ebf738e813672692a52a0d63d982e1030ef4f

    SHA512

    7cfcfb570ecfa974054b5285c7d6ad3bccf502866ea70789750c3748394cb0991d1fa6dec9c50a506dbc697953663ec2605277a4451098bb8cd6699c4e506040

  • \Windows\System32\OpenAL32.new

    Filesize

    120KB

    MD5

    2ad7b4f3c8d2bb686d231edff404b7a4

    SHA1

    f29676b96d04bd2765925a3834d9babfdce6a0b3

    SHA256

    87802322c8e63555c26fe473ce234ce7099745ccb28c02766c2224c726454039

    SHA512

    51a6c8cfe30e34c37437e6c5f8c602aa0759b65559a82521e2dbcf8a9865b826077854acb6497df6085d67b4c66083ae5f0f192b743a4b6f77ce7b18f01bf528

  • \Windows\System32\wrap_oal.new

    Filesize

    455KB

    MD5

    549347bcd4aacd63243d78e8f869dbb1

    SHA1

    efc00d2a7c5acfe17b8a58023826e6840aef39a6

    SHA256

    5379373cf3eff41cdd8c912c65e27e1bd492bd84238d19a093aa846c9b1ce909

    SHA512

    c6789376d05deb8c5050225c37c023055c107a72b49afddfd3f91e7e7429d38db9346e2e5d38986c2000c3828389cfbe5d74d80423a79eebd0367bcc81137cd5

  • memory/2172-146-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2172-228-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2224-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

  • memory/2224-25-0x0000000000400000-0x0000000000588000-memory.dmp

    Filesize

    1.5MB

  • memory/2560-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB