Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03/01/2025, 12:38

General

  • Target

    2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe

  • Size

    11.2MB

  • MD5

    85d2c8e0e00f4750107bac6f6b0b3445

  • SHA1

    f7ac1bdd43a02ac231cbd4be56c1a270f3777a88

  • SHA256

    0c744a4f4902b8c94b87fa579065e1fb2d5f6f2d27a6ebbdff6f3501e2e78c35

  • SHA512

    f9eaccfa9f8815f285f4ad2183997f11ab4c3a17c319b18df0a0ca6153c66a24d0dd99e90c996bbf2244e6bb875c78a4a2aaa0e64e92e7a42aa5962a659d8192

  • SSDEEP

    196608:i4eQZYLJnBg4D2R+Nk3RbBzs/6hkP8S9qRZKzPWz2X2+twU2HfyjLfazM0+WsDRD:3ZYRDxk3RtgOkPJyZcXJz2/6LizmzVHH

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Creates a Windows Service
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe
    "C:\Users\Admin\AppData\Local\Temp\2025-01-03_85d2c8e0e00f4750107bac6f6b0b3445_icedid.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Users\Admin\AppData\Roaming\Server.exe
      "C:\Users\Admin\AppData\Roaming\Server.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3944
      • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:4756
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:392
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of SetWindowsHookEx
          PID:4732
    • C:\Users\Admin\AppData\Roaming\Onetap (1).exe
      "C:\Users\Admin\AppData\Roaming\Onetap (1).exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2036
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Windows\svchost.exe
      C:\Windows\svchost.exe Win7
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      PID:4220

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Temp\._cache_Server.exe

    Filesize

    421KB

    MD5

    a857b537e8649f06ef10a9960fbfb137

    SHA1

    a4e5e981e485d7eff80a60273e980e1dd55c1211

    SHA256

    27e5eae57a9eb81305e03e9c29692f605569e50203ea9bb428c86bc57fca11ca

    SHA512

    cb8d47037cb61432de00132bdda7dd8722db65a2f66384613b8ef9ad5e4f33090131aca2d88b0d72328d4f737f55799dcaa1cc93986cf8621fb781da26ed6dbc

  • C:\Users\Admin\AppData\Roaming\Onetap (1).exe

    Filesize

    9.1MB

    MD5

    7309886b94ed89dbf84e663891b210aa

    SHA1

    64639fcc149630306e91523428f3e35b5fa38d1f

    SHA256

    aead45444baba74dfbf623c46189e9fd6b29c07839cb2e0ed414138bdf84c1cf

    SHA512

    d65339e0b5590a4b17d185a53596fad09762b1d6b7b633bc1469e3a2131350caab6e9e0739da5e830d7069861aa6308e5db11c13b4be6bd42ce95164bec49e0a

  • C:\Users\Admin\AppData\Roaming\Server.exe

    Filesize

    1.1MB

    MD5

    5ef868a2db9378a57d854c6c1f6257ad

    SHA1

    a7eb959eae127311d466adb45be4983ed1dc03da

    SHA256

    6b8f8725c13cf835a72b49583cd139c5e801ffc5983efbec1dbdb198d5dd55c9

    SHA512

    cd4e4c6604a653b0e8646659c578c0f2c59c0669c7a7fedafc283ca18b112057da443e37dff9f8eee14b715917f1fa4a195fffd790900a35121b0ea87643ae2d

  • memory/392-1202-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/392-1176-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/2036-155-0x00000001402EA000-0x0000000140927000-memory.dmp

    Filesize

    6.2MB

  • memory/2036-161-0x00007FFF69C60000-0x00007FFF69C62000-memory.dmp

    Filesize

    8KB

  • memory/2036-162-0x0000000140000000-0x000000014124B000-memory.dmp

    Filesize

    18.3MB

  • memory/2036-158-0x00007FFF69C50000-0x00007FFF69C52000-memory.dmp

    Filesize

    8KB

  • memory/2036-1177-0x00000001402EA000-0x0000000140927000-memory.dmp

    Filesize

    6.2MB

  • memory/3944-150-0x0000000000400000-0x000000000052C000-memory.dmp

    Filesize

    1.2MB

  • memory/3944-15-0x0000000000720000-0x0000000000721000-memory.dmp

    Filesize

    4KB

  • memory/4756-151-0x0000000010000000-0x000000001000B000-memory.dmp

    Filesize

    44KB

  • memory/4756-1134-0x0000000000400000-0x0000000000470000-memory.dmp

    Filesize

    448KB