Analysis

  • max time kernel
    141s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/01/2025, 12:32

General

  • Target

    2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe

  • Size

    11.2MB

  • MD5

    85d2c8e0e00f4750107bac6f6b0b3445

  • SHA1

    f7ac1bdd43a02ac231cbd4be56c1a270f3777a88

  • SHA256

    0c744a4f4902b8c94b87fa579065e1fb2d5f6f2d27a6ebbdff6f3501e2e78c35

  • SHA512

    f9eaccfa9f8815f285f4ad2183997f11ab4c3a17c319b18df0a0ca6153c66a24d0dd99e90c996bbf2244e6bb875c78a4a2aaa0e64e92e7a42aa5962a659d8192

  • SSDEEP

    196608:i4eQZYLJnBg4D2R+Nk3RbBzs/6hkP8S9qRZKzPWz2X2+twU2HfyjLfazM0+WsDRD:3ZYRDxk3RtgOkPJyZcXJz2/6LizmzVHH

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Creates a Windows Service
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the UPX or a modified UPX open-source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2384
    • C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2776
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:2648
    • C:\Users\Admin\AppData\Roaming\Onetap (1).exe
      "C:\Users\Admin\AppData\Roaming\Onetap (1).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      PID:2128
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe Win7
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:2652
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2656

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

    Filesize

    421KB

    MD5

    a857b537e8649f06ef10a9960fbfb137

    SHA1

    a4e5e981e485d7eff80a60273e980e1dd55c1211

    SHA256

    27e5eae57a9eb81305e03e9c29692f605569e50203ea9bb428c86bc57fca11ca

    SHA512

    cb8d47037cb61432de00132bdda7dd8722db65a2f66384613b8ef9ad5e4f33090131aca2d88b0d72328d4f737f55799dcaa1cc93986cf8621fb781da26ed6dbc

  • C:\Users\Admin\AppData\Local\Temp\wTXYm37F.xlsm

    Filesize

    23KB

    MD5

    6578f3d7494c9999e643d773cc8594b0

    SHA1

    c441d6ce1178a3c7ca21584e9013e950a8a5206b

    SHA256

    7df70a24be870d1b739d28ad33c5a2b35942040c99ebe3f4a35059e86f2fd67d

    SHA512

    1eabb7dfc889eb801acff1b372e854ac48faadb02bf6e913e07cd049440548662691fceaa0a53ed00ce8b8b6a7c7c365d2666bfe581ae18e7e811660d009b8d5

  • C:\Users\Admin\AppData\Local\Temp\wTXYm37F.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • \Users\Admin\AppData\Roaming\Onetap (1).exe

    Filesize

    9.1MB

    MD5

    7309886b94ed89dbf84e663891b210aa

    SHA1

    64639fcc149630306e91523428f3e35b5fa38d1f

    SHA256

    aead45444baba74dfbf623c46189e9fd6b29c07839cb2e0ed414138bdf84c1cf

    SHA512

    d65339e0b5590a4b17d185a53596fad09762b1d6b7b633bc1469e3a2131350caab6e9e0739da5e830d7069861aa6308e5db11c13b4be6bd42ce95164bec49e0a

  • \Users\Admin\AppData\Roaming\Server.exe

    Filesize

    1.1MB

    MD5

    5ef868a2db9378a57d854c6c1f6257ad

    SHA1

    a7eb959eae127311d466adb45be4983ed1dc03da

    SHA256

    6b8f8725c13cf835a72b49583cd139c5e801ffc5983efbec1dbdb198d5dd55c9

    SHA512

    cd4e4c6604a653b0e8646659c578c0f2c59c0669c7a7fedafc283ca18b112057da443e37dff9f8eee14b715917f1fa4a195fffd790900a35121b0ea87643ae2d

  • memory/2128-63-0x00000000773A0000-0x00000000773A2000-memory.dmp

    Filesize

    8KB

  • memory/2128-61-0x00000000773A0000-0x00000000773A2000-memory.dmp

    Filesize

    8KB

  • memory/2128-59-0x00000000773A0000-0x00000000773A2000-memory.dmp

    Filesize

    8KB

  • memory/2128-58-0x0000000077390000-0x0000000077392000-memory.dmp

    Filesize

    8KB

  • memory/2128-68-0x0000000140000000-0x000000014124B000-memory.dmp

    Filesize

    18.3MB

  • memory/2128-56-0x0000000077390000-0x0000000077392000-memory.dmp

    Filesize

    8KB

  • memory/2128-54-0x0000000077390000-0x0000000077392000-memory.dmp

    Filesize

    8KB

  • memory/2656-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2776-37-0x0000000010000000-0x000000001000B000-memory.dmp

    Filesize

    44KB

  • memory/2776-130-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/2824-131-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/2824-132-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/2824-164-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/2988-49-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB