Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

Stix_Advan...ak.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    292s
  • max time network
    289s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/11/2024, 17:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Stix_Advanced_Tweak.exe

  • Size

    1.5MB

  • MD5

    43afea647840c9ed1d2888ce8c85ed32

  • SHA1

    a9ca7722b5d49f42ae01dc20d3b7397f67647cd0

  • SHA256

    2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

  • SHA512

    ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9

  • SSDEEP

    24576:2nsJ39LyjbJkQFMhmC+6GD9k0TO7wx6RZrLSQeMeNyUc7nyWOqmpezMJQF:2nsHyjtk2MYC5GD60TO7JRZHSSr0py

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 25 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe
    "C:\Users\Admin\AppData\Local\Temp\Stix_Advanced_Tweak.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3120
    • C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4460
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4708
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4056
        • C:\Windows\SYSTEM32\cmd.exe
          "cmd.exe" /c start cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"ack":"VaultCord.com FREE Discord backup bot for members & entire server. Avoid Discord term and nukes today!","success":false,"message":"Session not found. Use latest code. You can only have app opened 1 at a time."} && timeout /t 5"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2540
          • C:\Windows\system32\cmd.exe
            cmd /C "color b && title Error && echo Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Response: {"ack":"VaultCord.com FREE Discord backup bot for members
            5⤵
              PID:4916
    • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
      "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
      1⤵
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:980
    • C:\Windows\System32\rundll32.exe
      C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
      1⤵
        PID:8
      • C:\Windows\system32\NOTEPAD.EXE
        "C:\Windows\system32\NOTEPAD.EXE" C:\ProgramData\KeyAuth\debug\._cache_Synaptics\Nov_11_2024_logs.txt
        1⤵
          PID:208
        • C:\Windows\system32\OpenWith.exe
          C:\Windows\system32\OpenWith.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3620
          • C:\Windows\system32\NOTEPAD.EXE
            "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Gui_Test\._cache_Stix_Advanced_Twe_Url_mxys2gi3titc1q3svbxkrtwahaveukl3\1.0.0.0\user.config
            2⤵
              PID:2080

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\ProgramData\KeyAuth\debug\._cache_Synaptics\Nov_11_2024_logs.txt
            Filesize

            508B

            MD5

            c8709399113030a2a05c8384bd0ba61d

            SHA1

            792868a109a4c4da6fa650c0811222fe5f784753

            SHA256

            26c02e6d4d09375408de504b08c296e73db1e897723a5788141dd9545f65f14f

            SHA512

            73d4cc9fc18041e4e26eb9ce1c443003431ee894d5ca2da8ab0900f0b5c5f9822a5a7944edc9cbb42ddcc4961d825b74267f53a0f8b5f3aa2a4c5df24e4fb22c

            Download Submit

          • C:\ProgramData\Synaptics\Synaptics.exe
            Filesize

            1.5MB

            MD5

            43afea647840c9ed1d2888ce8c85ed32

            SHA1

            a9ca7722b5d49f42ae01dc20d3b7397f67647cd0

            SHA256

            2cbf4a18cf8df6a631826a5006d13b3bf36d0971b8c96678b278fc99795a9386

            SHA512

            ffe6cb55700d3e27544315998300c6d2532fa7b9085d9dd83088eb4579124579595c06ef9abe2fcc532468c5477a6fa13c57af2ae24df28b064050691ab48bc9

            Download Submit

          • C:\Users\Admin\AppData\Local\Gui_Test\._cache_Stix_Advanced_Twe_Url_mxys2gi3titc1q3svbxkrtwahaveukl3\1.0.0.0\user.config
            Filesize

            793B

            MD5

            0e95025663d33e31bb45991927273f72

            SHA1

            bf9c7d39c677260c53ea4499fb90e20af23dd6a4

            SHA256

            8c8f9c5cba5018f23bf949501c14a4ea278ea7a007a4149d9c73cc07824dc65e

            SHA512

            43fdd72a9f440e1bd491ed50f9968a49fed487383304d5e8babaf15b0565f84c89487b5cdf7e728cd1bfea2990d71a16103295f8d633d0d0d61ccd4b4165bfa2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\._cache_Stix_Advanced_Tweak.exe
            Filesize

            766KB

            MD5

            204feb8a295ab9432b3ec64419c98484

            SHA1

            d2ccef786b20d3c3a3ff164c51beb149583011df

            SHA256

            7267c4fe27fd5e9aaf8d564f209a12c496d0e053c501504d42cf7234a789cf08

            SHA512

            6d216e8f82bd0f2e9db49e67d5fa440bd1fa6dedeea2476585a8c01029ffbfa093088ac3bf5293edd49e0509c04821cebbfc63e47c6aae44eb7b8db67f6ee088

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\D7975E00
            Filesize

            24KB

            MD5

            a6747c3188e05a1610dbb03916838a2c

            SHA1

            3a0861b5f51919c8ce746a8d296d5ae5d0f5e3a4

            SHA256

            0abdf82e5f5a225eed98e391179c09ec23aab28d5016d8f1c04d3ff35ba21903

            SHA512

            0122af8fb90fc79559147be729e2c75da044fd7662697d8a15ed1bf4063603352c55bca652a57c36f4d65ebf1a2fc99ce11d5d1385f81cc7e2edbc1270f98b7f

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\kzQmeIsy.xlsm
            Filesize

            17KB

            MD5

            e566fc53051035e1e6fd0ed1823de0f9

            SHA1

            00bc96c48b98676ecd67e81a6f1d7754e4156044

            SHA256

            8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

            SHA512

            a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

            Download Submit

          • memory/980-196-0x00007FFE01B50000-0x00007FFE01B60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/980-195-0x00007FFE01B50000-0x00007FFE01B60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/980-197-0x00007FFE01B50000-0x00007FFE01B60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/980-198-0x00007FFE01B50000-0x00007FFE01B60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/980-199-0x00007FFE01B50000-0x00007FFE01B60000-memory.dmp

            Filesize

            64KB

            Download

          • memory/980-200-0x00007FFDFF9B0000-0x00007FFDFF9C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/980-201-0x00007FFDFF9B0000-0x00007FFDFF9C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3120-0-0x0000000000880000-0x0000000000881000-memory.dmp

            Filesize

            4KB

            Download

          • memory/3120-130-0x0000000000400000-0x0000000000582000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4056-248-0x000001B82DDC0000-0x000001B82DDD2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/4056-250-0x000001B830110000-0x000001B83014C000-memory.dmp

            Filesize

            240KB

            Download

          • memory/4460-134-0x000002424D160000-0x000002424D24E000-memory.dmp

            Filesize

            952KB

            Download

          • memory/4460-184-0x000002424D3F0000-0x000002424D400000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4460-135-0x0000024233050000-0x0000024233056000-memory.dmp

            Filesize

            24KB

            Download

          • memory/4460-251-0x00007FFE232C3000-0x00007FFE232C5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4460-254-0x000002424D3F0000-0x000002424D400000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4460-71-0x0000024232BF0000-0x0000024232CB4000-memory.dmp

            Filesize

            784KB

            Download

          • memory/4460-65-0x00007FFE232C3000-0x00007FFE232C5000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4708-133-0x0000000000600000-0x0000000000601000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4708-252-0x0000000000600000-0x0000000000601000-memory.dmp

            Filesize

            4KB

            Download

          • memory/4708-253-0x0000000000400000-0x0000000000582000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4708-259-0x0000000000400000-0x0000000000582000-memory.dmp

            Filesize

            1.5MB

            Download

          • memory/4708-286-0x0000000000400000-0x0000000000582000-memory.dmp

            Filesize

            1.5MB

            Download