Overview

overview

10

Static

static

10

vpn.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    448s
  • max time network
    438s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-01-2025 02:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vpn.zip

  • Size

    1.0MB

  • MD5

    861aaa95eb83fc455ab27bc5f8fc5024

  • SHA1

    0a479bf9b2ed08d0aae8acb7a583612abc65c470

  • SHA256

    8f19550d0f9777c8ee13b290291787fc2c5b0b83255cb561cebc1f175dc83509

  • SHA512

    70945f088ac6188bc0358dd2fa1c561ac9f2f6cbafc5194de0a87a4ef3d07b98ebed278e48364a34f4e013e124f3908c6e4e2900abdca367c1256e384fc5b5af

  • SSDEEP

    24576:TXeBQ9uVPUsour8JkwW55RqiNGZtYOMdwfOt2aJv+A8myV:7eB/U1QYk53qz/Y3dwla5+PV

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 4 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\vpn.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2000
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:4148
    • C:\Users\Admin\Desktop\vpn\VPNPlus1.exe
      "C:\Users\Admin\Desktop\vpn\VPNPlus1.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Users\Admin\Desktop\vpn\._cache_VPNPlus1.exe
        "C:\Users\Admin\Desktop\vpn\._cache_VPNPlus1.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2468
        • C:\Users\Admin\AppData\Roaming\Windows.exe
          "C:\Users\Admin\AppData\Roaming\Windows.exe"
          3⤵
          • Executes dropped EXE
          PID:4760
        • C:\Users\Admin\AppData\Roaming\VPNPlus.exe
          "C:\Users\Admin\AppData\Roaming\VPNPlus.exe"
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:2340
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:5116
        • C:\Users\Admin\Desktop\vpn\._cache_Synaptics.exe
          "C:\Users\Admin\Desktop\vpn\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:324
          • C:\Users\Admin\AppData\Roaming\Windows.exe
            "C:\Users\Admin\AppData\Roaming\Windows.exe"
            4⤵
            • Executes dropped EXE
            PID:3224
          • C:\Users\Admin\AppData\Roaming\VPNPlus.exe
            "C:\Users\Admin\AppData\Roaming\VPNPlus.exe"
            4⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2700
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:4484

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Windows.exe.log
      Filesize

      871B

      MD5

      386677f585908a33791517dfc2317f88

      SHA1

      2e6853b4560a9ac8a74cdd5c3124a777bc0d874e

      SHA256

      7caf8779608c167ab6fa570df00c973aff6dee850bb63439770889a68c7cdae0

      SHA512

      876d2269e25a4b2754bdf2c7e3c410050f885d7e6bd8abce41c5fc74ae1f8c549b2266dd1588c750f614063f36c8a8e5008cea610505897d04e4ef5c3adc52d9

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\VPNPlus.exe.log
      Filesize

      1KB

      MD5

      c81c2ec1b8be0ab444eedaf2893390ed

      SHA1

      444566609a28efbfed1c21a9a787812945ab04d3

      SHA256

      66e7acc21981c89e9d363178d606d4bed94e9f15e861903c6b94c23b4dc0f876

      SHA512

      ac593a805d22bcbd59ed922f1efd87343f7c03fb9d7b95a5e4a62f35898cd08747a6bade4dae948ee4118a8205ea33d3754a30408d51f642fa1fe847d91469fe

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\3D085E00
      Filesize

      22KB

      MD5

      59d1fff86a8fe59a11fe4d5ff822507a

      SHA1

      fc4f4f7d8ce8b6d71e606b5b4d4c342dd4820636

      SHA256

      db4092d02f34b154fd45e4d40e3bca8a3573fd47c420c00f228f48a7d0ca2b68

      SHA512

      3da157b19d47ef528025d6844c819abe5ce11b46833b1befedeb705b571a586747dc86856041554294951efb92fc2472c3b2c399f2d8ee6a99925f4326f7b762

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\vQbQLxkp.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Users\Admin\AppData\Roaming\VPNPlus.exe
      Filesize

      50KB

      MD5

      738b8a48cda63b6ce8ebb759ab09110c

      SHA1

      9e9eeb213de04edd8c0bf0b831a5e0f7d725bdf0

      SHA256

      c1cc42e870c6a2cd205d87c09ba343592c13c681dc79f0c09b932e5e3382b11c

      SHA512

      c83687c2d4ce0e10dc54bde33c231c55d328b27317be1797350715308626d95228f0d491cfa4a5efec9c6ecd9a088c784351492217a82f637421263062252969

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Windows.exe
      Filesize

      302KB

      MD5

      e2edcc5e47b2058a8468f1af0ef3b3bd

      SHA1

      7a2ab665d601d5c6871ed8a258ac6adfe1a86cc3

      SHA256

      a4c8c11ca98b742889391e872e63eae423b3e59d4651620d3bd3dc6b6e4d050a

      SHA512

      8cdca934d0f05e24eb88946f108f8ff47c82bf36594e76cddcd450f09912200a3bf74e2de0459ad1120b23ec4bd001fb52485e1c2a4b81e6f8fb8203e7bec777

      Download Submit

    • C:\Users\Admin\Desktop\vpn\._cache_VPNPlus1.exe
      Filesize

      362KB

      MD5

      56361bb37da25fe1327dede87d6f8b11

      SHA1

      263ee9b9e62edf5b7da20f71f8bc994d959b0677

      SHA256

      a5dafb58cd3bb7693a9dcdcc8b0a693034d145b9c6de31853ff755e41f6d1d11

      SHA512

      b34b58d7d3a8db3ed337a4fb5fe294018ec996489bb05cda384d1a416c4bb60fdbe8de569951532ae0c89d83ab4ffdc8cd866c9b8cf39c85eb6e34884ae10663

      Download Submit

    • C:\Users\Admin\Desktop\vpn\VPNPlus1.exe
      Filesize

      1.1MB

      MD5

      b48992447902ff38b5eaab55173bbb83

      SHA1

      f98274c39580c93db9a6336ebebb466f24dab59d

      SHA256

      f8648b6786e2da21207d0ee88975affadefca655b9e011e053a914384bcd96cb

      SHA512

      7f61fdcf1832fbde968086e27a2e797cd66e35fa39e8957e46376ff3392a225616f2f1b209004a7e6d92f8709a618b5ecf9168d398aa4327d6e7ddc3b31ef17b

      Download Submit

    • memory/2340-220-0x0000000005080000-0x0000000005624000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2340-240-0x0000000004C80000-0x0000000004C8A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2340-221-0x0000000004AD0000-0x0000000004B62000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2340-219-0x0000000000200000-0x0000000000212000-memory.dmp

      Filesize

      72KB

      Download

    • memory/2468-85-0x00000000008E0000-0x0000000000940000-memory.dmp

      Filesize

      384KB

      Download

    • memory/4484-239-0x00007FFCDA170000-0x00007FFCDA180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4484-236-0x00007FFCDA170000-0x00007FFCDA180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4484-235-0x00007FFCDA170000-0x00007FFCDA180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4484-238-0x00007FFCDA170000-0x00007FFCDA180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4484-237-0x00007FFCDA170000-0x00007FFCDA180000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4484-254-0x00007FFCD7B40000-0x00007FFCD7B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4484-255-0x00007FFCD7B40000-0x00007FFCD7B50000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4688-144-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4688-14-0x00000000022B0000-0x00000000022B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4760-166-0x00000000004E0000-0x0000000000532000-memory.dmp

      Filesize

      328KB

      Download

    • memory/5116-302-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/5116-336-0x0000000000400000-0x000000000051D000-memory.dmp

      Filesize

      1.1MB

      Download