Analysis
-
max time kernel
120s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
15-01-2025 23:32
General
-
Target
4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3N.exe
-
Size
2.6MB
-
MD5
525b2fd46d2aebd8acb6bd4200c79c70
-
SHA1
f792a76e6223fabbef5060c8e4fd80cd16ec061d
-
SHA256
4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3
-
SHA512
4d658a6c3b822c45d8ecaafffd400bf21295703020b61a1a0b57d04a0e1cdc16d7d72bd378d1bee8d44952cd687c83bb6a4e2e6d65c25104a87aa9b6a4d8f04d
-
SSDEEP
49152:gnsHyjtk2MYC5GDnYolY+iOo7/PpGpL0oh6jgvZ:gnsmtk2aDoCOqpG1fh6jgR
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Boot or Logon Autostart Execution: Active Setup 2 TTPs 8 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Adds Run key to start application 2 TTPs 5 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 2 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
-
Suspicious use of SetWindowsHookEx 26 IoCs
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3N.exe"C:\Users\Admin\AppData\Local\Temp\4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3N.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3N.exe"C:\Users\Admin\AppData\Local\Temp\._cache_4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3N.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3n.exec:\users\admin\appdata\local\temp\._cache_4b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3n.exe3⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\._cache_synaptics.exec:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate4⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
-
C:\Users\Admin\AppData\Local\icsys.icn.exeC:\Users\Admin\AppData\Local\icsys.icn.exe4⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\explorer.exec:\windows\system\explorer.exe5⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe SE6⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\svchost.exec:\windows\system\svchost.exe7⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Boot or Logon Autostart Execution: Active Setup
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system\spoolsv.exec:\windows\system\spoolsv.exe PR8⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Windows\SysWOW64\at.exeat 23:34 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe8⤵
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\at.exeat 23:35 /interactive /every:M,T,W,Th,F,S,Su c:\windows\system\svchost.exe8⤵
- System Location Discovery: System Language Discovery
-
-
-
-
-
-
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
3Active Setup
1Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.6MB
MD5525b2fd46d2aebd8acb6bd4200c79c70
SHA1f792a76e6223fabbef5060c8e4fd80cd16ec061d
SHA2564b9a374c136502529bcafeb728a58a27bd0407fb839add8276fbb15004b50ed3
SHA5124d658a6c3b822c45d8ecaafffd400bf21295703020b61a1a0b57d04a0e1cdc16d7d72bd378d1bee8d44952cd687c83bb6a4e2e6d65c25104a87aa9b6a4d8f04d
-
Filesize
1.9MB
MD56cab864533a299853f65a2c65d2c013b
SHA158d06ffffe4e4b14b7eb392a2ce8aa1e9ab27cf9
SHA2562cd738461c8944a57780cbbc426c189599bd7c32ba8b38a56493fb3ba3e2624c
SHA512a49273595d740c17f8b2a0d87e7f9ab89971edb70fe782178cecd44dda9c1a7690d4a777a22ffa98add482f5e538aeba7bfb4279883a1b6b6113513cd7e5814b
-
Filesize
22KB
MD5d16fee749896103d86096dc1c476e39c
SHA1672f0859031dfca31cb9ef5eee0de0d3032bdb48
SHA2561bc6e967be290cb7b105e9a5e667dffa8ee4821a458d02d391ed4522cbb70407
SHA512956c5ee2c8b36be1bf309ffe45e559e6ba81f2e87d7fea47ab51cc72323eac5f7ecdbe47cf02c6f5c16b29ee84626fda2cbec09b14873d34f0e740fa32b388bc
-
Filesize
17KB
MD5e566fc53051035e1e6fd0ed1823de0f9
SHA100bc96c48b98676ecd67e81a6f1d7754e4156044
SHA2568e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15
SHA512a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04
-
Filesize
206KB
MD5370a09c146d6836b664651e7d92d3e8d
SHA1eabeb391996a2eda0b30e088cdde381f4b737dd4
SHA2567c0b05b33d7fdc83fb72b7fc9685666e24c7a3846cf33dabd83ab579a296fd40
SHA51298faccdd90d5c9f5ef09ee1184e92d98e89585f7aec0a764af9e23dec0d8aba22bf8071fead54f4a68c60d82de77ff095782f33364cbaf0dddce5a94ce2740c1
-
Filesize
206KB
MD5d38bbf6437c6ff36323771adccdd5991
SHA10b5759c5e96713436faf0e83a8e21f4dbe8e0443
SHA256d0238e6111f7f8e1b0d1c78fe06764f2edf77b1f9a5ad9caf2f9fcb85b3679e2
SHA51261f9210b4ee19feb5f2e0e8c98e9a5c25de3fcde95f144a6c98944d852ca7d66b28a281ab4683908758c3c66a612ff60ec035ee5d4c9e3b26cb86c437a4d326c
-
Filesize
1.7MB
MD5408e9726f1a063874b9b841f1a066e7a
SHA1a7bde856807a58ff4278974b28aba0e0b475c6fd
SHA256bc9f40641b7b1652a42939695a79f4b2b2cf109f0c6f7ebeae4a060915fea311
SHA5120efa1d8bfdd881df71d68934898eb76c7e7672d80688aae4b9029c450900490e7fd3a5a801033edb919e05188b222246d1c418907b1b7f8624c3f909c400532b
-
Filesize
206KB
MD5ad2b03d7f24b88d8f3b97f356bc8c1b8
SHA194686bab3cd2af27767aad0965b3ae5fd2847d5c
SHA25627963edc4da48d2d47edcd99b82564aebc4c3475d32700612404f64f5cd3fc05
SHA5125f3c297b32f9f7467a01ba88a4658eca1ff8b27119582927cb14c66af829d727a312643aa9f4ef2cd4c5d7c3e3dad417be3c87a2a4e813b6b9d83809f7723c6b
-
Filesize
206KB
MD5d9c3f37ccda63450f998ff976d5d2ce5
SHA127fd95a5558d9976c8bc258f700aa28d4a800b5e
SHA256b3aaa8db6700b90126882b4539f1d75f6828da6790bb0fbc35644cd6f9cd8f93
SHA5128e47caf77bc1653d75bdb2a281798af64c2e44c602d97cf522b5dcf85da15efbb67383b9f5bf545026aebab463e554681afd7725a09018506b3d29c2a6349272
-
Filesize
206KB
MD5d8f35e8df3059b502200f1b64a80029b
SHA19848daa56d28d70932a67a899a9e85353ab8f422
SHA2569917a2fb83c5c89977d702f737a6ba298bd441a9217f3f9ac858b5369c3f3f90
SHA512a97bee081230e7ddd2a2da43477399157ec61baea86cc8b60a5a504060b499bbcdb8d498ed61192da2fdeda91a228144d9e98827f71f8d0d3c193140a5ec655f
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
2.6MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
4KB
-
Filesize
2.6MB
-
Filesize
2.6MB
-
Filesize
4KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
260KB
-
Filesize
624KB
-
Filesize
4KB
-
Filesize
4.8MB
-
Filesize
648KB
-
Filesize
32KB
-
Filesize
260KB
-
Filesize
260KB