Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-01-2025 12:32

General

  • Target

    2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe

  • Size

    11.2MB

  • MD5

    85d2c8e0e00f4750107bac6f6b0b3445

  • SHA1

    f7ac1bdd43a02ac231cbd4be56c1a270f3777a88

  • SHA256

    0c744a4f4902b8c94b87fa579065e1fb2d5f6f2d27a6ebbdff6f3501e2e78c35

  • SHA512

    f9eaccfa9f8815f285f4ad2183997f11ab4c3a17c319b18df0a0ca6153c66a24d0dd99e90c996bbf2244e6bb875c78a4a2aaa0e64e92e7a42aa5962a659d8192

  • SSDEEP

    196608:i4eQZYLJnBg4D2R+Nk3RbBzs/6hkP8S9qRZKzPWz2X2+twU2HfyjLfazM0+WsDRD:3ZYRDxk3RtgOkPJyZcXJz2/6LizmzVHH

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
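The filename carries an `icedid` suffix, but the extracted config is Xred, so the indicators worth sweeping for are the ones above. The following is an added example, not part of the sandbox report: it matches the config's C2 hostname, payload URLs and the SHA256 values from the Downloads section against log lines. The log lines and their key=value format are constructed for the example. The caveat it encodes is that docs.google.com, www.dropbox.com and freedns.afraid.org are shared services (xred.mooo.com itself is a FreeDNS dynamic-DNS name), so only the exact path and query from the config count as a hit on those hosts, whereas any traffic to xred.mooo.com or xred.site50.net does.

```python
"""Sweep log lines for the indicators extracted above (added example, not sandbox output)."""
import re
from urllib.parse import urlparse

# Indicators copied from the report's config and Downloads sections.
C2_DOMAINS = {"xred.mooo.com"}
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]
DROPPED_SHA256 = {
    "27e5eae57a9eb81305e03e9c29692f605569e50203ea9bb428c86bc57fca11ca": "._cache_Server.exe",
    "aead45444baba74dfbf623c46189e9fd6b29c07839cb2e0ed414138bdf84c1cf": "Onetap (1).exe",
    "6b8f8725c13cf835a72b49583cd139c5e801ffc5983efbec1dbdb198d5dd55c9": "Server.exe",
}
# Shared services: a bare hostname hit here is noise; only the exact
# path and query from the config are indicators on these hosts.
SHARED_HOSTS = {"freedns.afraid.org", "docs.google.com", "www.dropbox.com"}


def url_key(url):
    """Normalise a URL to (host, path, query) for exact matching."""
    p = urlparse(url)
    return ((p.hostname or "").lower(), p.path, p.query)


EXACT_URLS = {url_key(u) for u in PAYLOAD_URLS}
# Hosts that belong to the actor: the C2 plus every payload host that is not shared.
DEDICATED_HOSTS = C2_DOMAINS | ({url_key(u)[0] for u in PAYLOAD_URLS} - SHARED_HOSTS)

KV = re.compile(r"(\w+)=(\S+)")


def match_line(line):
    """Return a list of (indicator_type, value) hits for one key=value log line."""
    fields = dict(KV.findall(line))
    hits = []
    qname = fields.get("qname", "").lower().rstrip(".")
    if qname in DEDICATED_HOSTS:
        hits.append(("c2_host", qname))
    url = fields.get("url")
    if url:
        key = url_key(url)
        if key in EXACT_URLS:
            hits.append(("payload_url", url))
        elif key[0] in DEDICATED_HOSTS:
            hits.append(("c2_host", key[0]))
    digest = fields.get("sha256", "").lower()
    if digest in DROPPED_SHA256:
        hits.append(("dropped_file", DROPPED_SHA256[digest]))
    return hits


def sweep(log_text):
    """Return [(line_number, hits)] for every line that matched at least one indicator."""
    results = []
    for n, line in enumerate(log_text.splitlines(), 1):
        hits = match_line(line)
        if hits:
            results.append((n, hits))
    return results


# Constructed sample lines in a hypothetical key=value format; not from the sandbox.
SAMPLE_LOG = """\
2025-01-03T12:35:01Z src=10.0.0.7 dns qname=xred.mooo.com qtype=A
2025-01-03T12:35:02Z src=10.0.0.7 proxy url=https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1 status=200
2025-01-03T12:35:03Z src=10.0.0.8 proxy url=https://www.dropbox.com/s/abcdef123456/report.pdf?dl=1 status=200
2025-01-03T12:35:04Z src=10.0.0.7 proxy url=http://xred.site50.net/syn/Synaptics.rar status=404
2025-01-03T12:35:05Z src=10.0.0.7 edr file_create path=C:\\Users\\Admin\\AppData\\Roaming\\Server.exe sha256=6b8f8725c13cf835a72b49583cd139c5e801ffc5983efbec1dbdb198d5dd55c9
2025-01-03T12:35:06Z src=10.0.0.9 dns qname=docs.google.com qtype=A
"""

if __name__ == "__main__":
    for n, hits in sweep(SAMPLE_LOG):
        print(n, hits)
```

Lines 3 and 6 of the sample stay clean on purpose: an unrelated Dropbox share and a DNS lookup of docs.google.com would be false positives if the hostnames alone were treated as indicators. The SHA256 list covers only the dropped executables the report hashes; the memory dumps carry no file hash.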

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Creates a Windows Service
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with the open-source UPX packer or a modified build of it.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 16 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
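The "UPX packed file" signature above does not list which dropped file triggered it. As an added example (not the sandbox's rule and not code from the report), the following parses a PE section table and reports whether any section carries the UPX0/UPX1 names that stock UPX writes, which is the quickest static check to run on the dropped executables before trying `upx -d`. The two sample images are header-only skeletons constructed inside the block; they are not loadable binaries and are not derived from the files in this report.

```python
"""Check a PE image's section table for UPX section names (added example, not a Triage rule)."""
import struct


def pe_section_names(data):
    """Return the section names of a PE image; raise ValueError on malformed headers."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    if len(data) < coff + 20:
        raise ValueError("truncated COFF header")
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _machine, nsections, _ts, _psym, _nsym, opt_size, _chars = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size            # section headers follow the optional header
    names = []
    for i in range(nsections):
        raw = data[table + i * 40:table + i * 40 + 8]   # IMAGE_SECTION_HEADER.Name is 8 bytes
        if len(raw) < 8:
            raise ValueError("truncated section table")
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def looks_upx_packed(data):
    """Stock UPX names its sections UPX0 and UPX1 (UPX2 when present)."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def build_pe(section_names, opt_size=0xE0):
    """Construct a header-only PE skeleton for testing; it is not a loadable binary."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: PE header right after the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, opt_size, 0x102)
    sections = b"".join(n.encode("ascii").ljust(8, b"\0") + bytes(32) for n in section_names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt_size) + sections


# Constructed fixtures: a UPX-style section layout and a plain compiler layout.
UPX_SAMPLE = build_pe(["UPX0", "UPX1", ".rsrc"])
PLAIN_SAMPLE = build_pe([".text", ".rdata", ".data", ".rsrc"])

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "UPX sections" if looks_upx_packed(f.read()) else "no UPX sections")
```

Run it as `python upx_check.py Server.exe "Onetap (1).exe"` on the dropped files. A hit means `upx -d` is worth a try; a miss proves nothing, because the signature text covers modified UPX builds, and renaming the sections is the first thing such builds change. A modified stub also makes stock `upx -d` refuse the file, so a renamed-section sample usually has to be dumped from memory instead, which is what the memory/*.dmp entries in the Downloads section are for.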

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3976
    • C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3140
      • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:840
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1556
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4948
    • C:\Users\Admin\AppData\Roaming\Onetap (1).exe
      "C:\Users\Admin\AppData\Roaming\Onetap (1).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4844
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4396
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe Win7
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4288
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1584
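Two things in the tree above are detectable without any of the atomic indicators. First, `C:\Windows\svchost.exe` (PIDs 4396 and 4288) is not the real service host: Windows ships svchost.exe only from System32 and SysWOW64, and it is launched with `-k <group>`, not with an argument like `Win7`. Second, both Server.exe and Synaptics.exe spawn a child in Temp whose name is the parent's name with a `._cache_` prefix. The following is an added example, not sandbox output, that encodes those two checks over process-creation events. The events are constructed to mirror the tree: the PIDs come from the report, the parent PIDs of the top-level processes and the two System32 rows are assumed for the example.

```python
"""Flag process-tree patterns from the tree above over constructed events (added example)."""
from pathlib import PureWindowsPath

# Windows only ships svchost.exe from these directories; anything else is masquerading.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
SYSTEM_BINARIES = {"svchost.exe"}   # extend with other names the environment cares about


def is_masquerade(image):
    """True when a system-binary name runs from outside the system directories."""
    p = PureWindowsPath(image)
    return p.name.lower() in SYSTEM_BINARIES and str(p.parent).lower() not in SYSTEM_DIRS


def is_cache_copy(child_image, parent_image):
    """True when the child is the '._cache_' + parent-name copy seen in the tree above."""
    child = PureWindowsPath(child_image).name.lower()
    parent = PureWindowsPath(parent_image).name.lower()
    return child == "._cache_" + parent


def analyze(events):
    """Return (pid, finding, detail) tuples for a list of process-creation events."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if is_masquerade(e["image"]):
            findings.append((e["pid"], "masquerade", e["image"]))
        parent = by_pid.get(e["ppid"])
        if parent and is_cache_copy(e["image"], parent["image"]):
            findings.append((e["pid"], "cache_copy_of", parent["image"]))
    return findings


# Constructed events modelled on the tree above. PIDs are the report's; parent PIDs of
# top-level processes (ppid 1) and the two System32 rows are assumed for the example.
EVENTS = [
    {"pid": 700, "ppid": 600, "image": r"C:\Windows\System32\services.exe"},
    {"pid": 900, "ppid": 700, "image": r"C:\Windows\System32\svchost.exe"},
    {"pid": 3976, "ppid": 1,
     "image": r"C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe"},
    {"pid": 3140, "ppid": 3976, "image": r"C:\Users\Admin\AppData\Roaming\Server.exe"},
    {"pid": 840, "ppid": 3140, "image": r"C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"},
    {"pid": 1556, "ppid": 3140, "image": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"pid": 4948, "ppid": 1556, "image": r"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"},
    {"pid": 4396, "ppid": 1, "image": r"C:\Windows\svchost.exe"},
    {"pid": 4288, "ppid": 4396, "image": r"C:\Windows\svchost.exe"},
]

if __name__ == "__main__":
    for pid, finding, detail in analyze(EVENTS):
        print(pid, finding, detail)
```

The path check is the more durable of the two: the `._cache_` naming is specific to this dropper, while an svchost.exe outside System32 or SysWOW64 is wrong on every Windows build regardless of family. Feeding real EDR or Sysmon event ID 1 records into `analyze` only needs the three keys used here.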

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

    Filesize

    421KB

    MD5

    a857b537e8649f06ef10a9960fbfb137

    SHA1

    a4e5e981e485d7eff80a60273e980e1dd55c1211

    SHA256

    27e5eae57a9eb81305e03e9c29692f605569e50203ea9bb428c86bc57fca11ca

    SHA512

    cb8d47037cb61432de00132bdda7dd8722db65a2f66384613b8ef9ad5e4f33090131aca2d88b0d72328d4f737f55799dcaa1cc93986cf8621fb781da26ed6dbc

  • C:\Users\Admin\AppData\Local\Temp\9DE75E00

    Filesize

    26KB

    MD5

    76532ed7fdbcf57b1097e0dc2390ecf8

    SHA1

    1f462af97b0e2e31b273ca9fa406f8584591b2d4

    SHA256

    0519422e42e816415a22a26a789e466812f2d82a6a66c53edfdf91a867b60d8f

    SHA512

    4f1bd1da93d4a80f2464af1f60bffa263bac475ce4185052ed9d571bd4ed2412823cb93af7ccdded09ae64ede2efa60ca99adb6170406319ad1d8fb36e6a1141

  • C:\Users\Admin\AppData\Local\Temp\bQBeS1BM.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Users\Admin\AppData\Roaming\Onetap (1).exe

    Filesize

    9.1MB

    MD5

    7309886b94ed89dbf84e663891b210aa

    SHA1

    64639fcc149630306e91523428f3e35b5fa38d1f

    SHA256

    aead45444baba74dfbf623c46189e9fd6b29c07839cb2e0ed414138bdf84c1cf

    SHA512

    d65339e0b5590a4b17d185a53596fad09762b1d6b7b633bc1469e3a2131350caab6e9e0739da5e830d7069861aa6308e5db11c13b4be6bd42ce95164bec49e0a

  • C:\Users\Admin\AppData\Roaming\Server.exe

    Filesize

    1.1MB

    MD5

    5ef868a2db9378a57d854c6c1f6257ad

    SHA1

    a7eb959eae127311d466adb45be4983ed1dc03da

    SHA256

    6b8f8725c13cf835a72b49583cd139c5e801ffc5983efbec1dbdb198d5dd55c9

    SHA512

    cd4e4c6604a653b0e8646659c578c0f2c59c0669c7a7fedafc283ca18b112057da443e37dff9f8eee14b715917f1fa4a195fffd790900a35121b0ea87643ae2d

  • memory/840-230-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB

  • memory/840-140-0x0000000010000000-0x000000001000B000-memory.dmp

    Filesize

    44KB

  • memory/1556-1228-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/1556-1259-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/1584-223-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

    Filesize

    64KB

  • memory/1584-225-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

    Filesize

    64KB

  • memory/1584-226-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

    Filesize

    64KB

  • memory/1584-228-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

    Filesize

    64KB

  • memory/1584-224-0x00007FFBC73D0000-0x00007FFBC73E0000-memory.dmp

    Filesize

    64KB

  • memory/1584-229-0x00007FFBC4A70000-0x00007FFBC4A80000-memory.dmp

    Filesize

    64KB

  • memory/1584-240-0x00007FFBC4A70000-0x00007FFBC4A80000-memory.dmp

    Filesize

    64KB

  • memory/3140-154-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/3140-17-0x00000000006E0000-0x00000000006E1000-memory.dmp

    Filesize

    4KB

  • memory/4844-239-0x0000000140000000-0x000000014124B000-memory.dmp

    Filesize

    18.3MB

  • memory/4844-231-0x00007FFC07550000-0x00007FFC07552000-memory.dmp

    Filesize

    8KB

  • memory/4844-235-0x00007FFC07560000-0x00007FFC07562000-memory.dmp

    Filesize

    8KB