Overview

overview

10

Static

static

10

36d8639d25...dN.exe

windows7-x64

10

36d8639d25...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    120s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250211-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250211-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-02-2025 22:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752dN.exe

  • Size

    1.1MB

  • MD5

    7bc23167b8068c614335900a13489920

  • SHA1

    4099816725b79c0ed69634e326538c412b23c277

  • SHA256

    36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752d

  • SHA512

    11bd51195220d88de0458cd81f34ca97b826e32bc64ed91d5c5891aabfbf72c0074409e5f6e95d8f2a57b3609956570dedf9214e3d5a3bd5606f66b9be328a66

  • SSDEEP

    24576:onsJ39LyjbJkQFMhmC+6GD9epcBi1nyvtouxU7:onsHyjtk2MYC5GDkr1n+t1xU7

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752dN.exe
    "C:\Users\Admin\AppData\Local\Temp\36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752dN.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4200
    • C:\Users\Admin\AppData\Local\Temp\._cache_36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752dN.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752dN.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:1164
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:1280
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1040
  • C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7QzBFQzdFNkItQTY2Qy00QUQxLUFEMzItMDZEQkEyQjQyQTQ5fSIgdXNlcmlkPSJ7OEMwMkY2REMtQTlEQy00NzE5LTkyNjUtM0QwN0Y0ODlEMUVGfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7MjkyRUJCMzYtQjFDQy00RTJFLThDMzAtMjQ1MDJFQUI2QjgzfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4xOTA0MS4xMjg4IiBzcD0iIiBhcmNoPSJ4NjQiIHByb2R1Y3RfdHlwZT0iNDgiIGlzX3dpcD0iMCIgaXNfaW5fbG9ja2Rvd25fbW9kZT0iMCIvPjxvZW0gcHJvZHVjdF9tYW51ZmFjdHVyZXI9IiIgcHJvZHVjdF9uYW1lPSIiLz48ZXhwIGV0YWc9IiZxdW90O0UreGJBejZZNnNVMTI4OWJTNnFsNFZSTGJramZCVUdUTUpzanJIcjQ0aUk9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEyMy4wLjYzMTIuMTIzIiBuZXh0dmVyc2lvbj0iIiBsYW5nPSJlbiIgYnJhbmQ9IkdHTFMiIGNsaWVudD0iIiBpbnN0YWxsYWdlPSI1IiBpbnN0YWxsZGF0ZXRpbWU9IjE3MzkyODMzNzEiIG9vYmVfaW5zdGFsbF90aW1lPSIxMzM4Mzc1NDE5Mjc1MzAwMDAiPjxldmVudCBldmVudHR5cGU9IjMxIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIyMTc5ODYyIiBzeXN0ZW1fdXB0aW1lX3RpY2tzPSI0ODQ0OTA0NTc4Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
    1⤵
    • System Location Discovery: System Language Discovery
    • System Network Configuration Discovery: Internet Connection Discovery
    PID:4896

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    1.1MB

    MD5

    7bc23167b8068c614335900a13489920

    SHA1

    4099816725b79c0ed69634e326538c412b23c277

    SHA256

    36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752d

    SHA512

    11bd51195220d88de0458cd81f34ca97b826e32bc64ed91d5c5891aabfbf72c0074409e5f6e95d8f2a57b3609956570dedf9214e3d5a3bd5606f66b9be328a66

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_36d8639d25e4f278cad84fff5e26bcf90ae48085da4c47921b7d14d3b1f8752dN.exe
    Filesize

    402KB

    MD5

    9ec17643d3c06f4c18434cfc41a6f631

    SHA1

    f502030036222a7b58aaec1b5bb43b1ef0e5cb34

    SHA256

    c1391a1ced96dfe154bea71197709d5ddf0ab7a3b7ee16bb82e9ae6843080198

    SHA512

    ad324b00d7fccb8599cdcede1b224f51a99f20948acd1ee895de91b0e7fa2c2b9f49b169b2c4da7f9f837c916fae34f9c0cb8d839f6bc2f311829ff14c357fb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4F875E00
    Filesize

    22KB

    MD5

    bd199e237dc845c4957ac90dd6d597c4

    SHA1

    cd1a0c1c9191dbf20de28650ad2e6a417f17c7bf

    SHA256

    833dbd75c555ef533e74dc5e0cd9dd5f07550cf523287bf2c48d822ec3a9ca98

    SHA512

    8c5eae89a28df47297235b1043438c70c808c124bac5c96728e48c52f7e79aed8d2c42e30e016a6d8dbb214d3dd6f135ef04fb26f09f0989b990d309c2c4e900

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AsusBiosIoDll.dll
    Filesize

    113KB

    MD5

    8edf2bf5b0f1527f9225eaf9a9cf8e0e

    SHA1

    5b66a53732decba86667a7dbbd72d63a52e807e0

    SHA256

    940cb99c74879ee07d01be714a754ed9d1762ff2178bfe37e028fee7857d84d0

    SHA512

    ee5a36e563942e3db44505c4e4918df2a363e695a3f20f0f39a4f631e40103dc5bfbbf751a3388aac6e83c9ac29742b67e8900697029dcfeb1407d6117a9fdb2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AsusBiosIoDrv64.sys
    Filesize

    26KB

    MD5

    32464eb41863c9b7dc9e1d4f9b4664f1

    SHA1

    a4b139f25f6faa486c850fec67291ec3c7c58c95

    SHA256

    8378e826057feb4f079bee7b1e1d8e0d0f048b495040ed587aa548c3e4e281e7

    SHA512

    eabf404988feff8c22a1ccfd95cabab50cf5715d1570c79024e9d8c1ccd9b5388a335477c18d8ab7025b284c59f5a5c84fa3d4ec705f55d7f737bfc501a431f6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\PfwGjU8H.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • memory/1040-205-0x00007FFA85C90000-0x00007FFA85CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1040-200-0x00007FFA88490000-0x00007FFA884A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1040-202-0x00007FFA88490000-0x00007FFA884A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1040-203-0x00007FFA88490000-0x00007FFA884A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1040-204-0x00007FFA88490000-0x00007FFA884A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1040-201-0x00007FFA88490000-0x00007FFA884A0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1040-206-0x00007FFA85C90000-0x00007FFA85CA0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1332-133-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1332-256-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1332-255-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/1332-285-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB

    Download

  • memory/4200-0-0x00000000022C0000-0x00000000022C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4200-132-0x0000000000400000-0x0000000000527000-memory.dmp

    Filesize

    1.2MB

    Download