Analysis

  • max time kernel
    143s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    01-02-2025 18:37

General

  • Target

    bound.exe

  • Size

    760KB

  • MD5

    79549e64dc118988e997a209ef99567d

  • SHA1

    48948a955e0266ac2d5fb7c61e3f48aca97a829c

  • SHA256

    adf64abb408b1eaac3668e8b5d984780ce5664e8cc1579a0bebf1380cba23d43

  • SHA512

    3c58de1340c4a68509cc5c72b6eddc91ffca7d0d0038363632bd6abd51a165452e0a1d2bf0ecbffa0a1ec4e0e9a2f421deaae681f81373917d9dee72c283e4ea

  • SSDEEP

    12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9KmKj:WnsJ39LyjbJkQFMhmC+6GD9c

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Modifies Windows Firewall 2 TTPs 8 IoCs
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 5 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

    Runs a command via powershell.exe.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 24 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Runs ping.exe 1 TTPs 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bound.exe
    "C:\Users\Admin\AppData\Local\Temp\bound.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2516
    • C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_bound.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2508
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2660
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:468
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2776
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2780
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2056
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2140
        • C:\Windows\system32\netsh.exe
          "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
          4⤵
          • Modifies Windows Firewall
          • Event Triggered Execution: Netsh Helper DLL
          PID:2784
      • C:\Windows\system32\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5E0.tmp.bat""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\PING.EXE
          ping 127.0.0.1 -n 2
          4⤵
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:2488
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2544
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2720
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=in program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2956
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=in "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2628
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall delete rule name=all dir=out program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe'"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:552
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall delete rule name=all dir=out "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe"
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:2944
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound' dir=in action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3012
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Inbound" dir=in action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1284
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command "netsh advfirewall firewall add rule name='SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound' dir=out action=allow program='C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe' enable=yes profile=private,public"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1984
          • C:\Windows\system32\netsh.exe
            "C:\Windows\system32\netsh.exe" advfirewall firewall add rule "name=SSTP(Secure Socket Trade Protocol)(SSTF-IN) Outbound" dir=out action=allow "program=C:\Program Files (x86)\Microsoft\Internet Explorer\iexplore.exe" enable=yes profile=private public
            5⤵
            • Modifies Windows Firewall
            • Event Triggered Execution: Netsh Helper DLL
            PID:1388
        • C:\Windows\system32\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA5FF.tmp.bat""
          4⤵
            PID:2420
            • C:\Windows\system32\PING.EXE
              ping 127.0.0.1 -n 2
              5⤵
              • System Network Configuration Discovery: Internet Connection Discovery
              • Runs ping.exe
              PID:1512
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:884

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe (760KB; MD5, SHA1, SHA256 and SHA512 identical to the submitted bound.exe)
    • C:\Users\Admin\AppData\Local\Temp\QxKcTrnE.xlsm (21KB)
    • C:\Users\Admin\AppData\Local\Temp\QxKcTrnE.xlsm (25KB)
    • C:\Users\Admin\AppData\Local\Temp\QxKcTrnE.xlsm (23KB)
    • C:\Users\Admin\AppData\Local\Temp\QxKcTrnE.xlsm (17KB)
    • C:\Users\Admin\AppData\Local\Temp\QxKcTrnE.xlsm (21KB)
    • C:\Users\Admin\AppData\Local\Temp\QxKcTrnE.xlsm (26KB)
    • C:\Users\Admin\AppData\Local\Temp\tmpA5E0.tmp.bat (154B)
    • C:\Users\Admin\AppData\Local\Temp\tmpA5FF.tmp.bat (158B)
    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (7KB)
    • C:\Users\Admin\Desktop\~$OpenBackup.xlsx (165B)
    • \Users\Admin\AppData\Local\Temp\._cache_bound.exe (7KB)