Analysis
-
max time kernel
11s -
max time network
0s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
-
submitted
14-01-2025 02:37
General
-
Target
god-potato.exe
-
Size
814KB
-
MD5
d85e84021532b8a1724f013672c7964c
-
SHA1
9802561c9f4dd85dc2b7e2b19da3b27096a96ab6
-
SHA256
1b92eb0299c15c1edf9a381c2480d29de3fd928337972dd645d66003c5d78604
-
SHA512
5ac00504fe244f13158f5c5c01c4c0e15f653f2befb2af86e31e7efb8cc4bbe3bd7af50637db926ac83b86dcb17c1fcb12fa4ff43c13f9a86e0f4348effc18a0
-
SSDEEP
12288:NMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9tfLO4LNzu:NnsJ39LyjbJkQFMhmC+6GD9tLI
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 5 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 12 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\god-potato.exe"C:\Users\Admin\AppData\Local\Temp\god-potato.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_god-potato.exe"C:\Users\Admin\AppData\Local\Temp\._cache_god-potato.exe"2⤵
- Executes dropped EXE
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
814KB
MD5d85e84021532b8a1724f013672c7964c
SHA19802561c9f4dd85dc2b7e2b19da3b27096a96ab6
SHA2561b92eb0299c15c1edf9a381c2480d29de3fd928337972dd645d66003c5d78604
SHA5125ac00504fe244f13158f5c5c01c4c0e15f653f2befb2af86e31e7efb8cc4bbe3bd7af50637db926ac83b86dcb17c1fcb12fa4ff43c13f9a86e0f4348effc18a0
-
Filesize
56KB
MD55f3dd0514c98bab7172a4ccb2f7a152d
SHA1232a0585a7cb6c54e15d5410c96aac5913038e7f
SHA2563027a212272957298bf4d32505370fa63fb162d6a6a6ec091af9d7626317a858
SHA5120643bcce6fe676473ebb43d5b2d13fa908bd6c2b291004ccd2cfa53bceb360db39cd9c9373d0856fbc273766c5f3369e4a50d1f9da13dc14f89508763bba2764
-
Filesize
836KB
-
Filesize
512KB
-
Filesize
4KB
-
Filesize
836KB