Overview

overview

10

Static

static

10

b828dc2487...a2.exe

windows7-x64

10

b828dc2487...a2.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    18-11-2024 22:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe

  • Size

    2.4MB

  • MD5

    4a3d911453118d58a4bc16043c726142

  • SHA1

    30755f517d05c784ef5857b3d5fa665cea91b438

  • SHA256

    b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2

  • SHA512

    ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3

  • SSDEEP

    49152:snsHyjtk2MYC5GDvxdth7VaHBIW2Y4XxChF6Hq2BIetbWr:snsmtk2a8F6fT4XAhIH+eVWr

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 27 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
    "C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2692
    • C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2644
      • C:\Users\Admin\AppData\Local\Temp\pft5D20.tmp\Disk1\Setup.exe
        "C:\Users\Admin\AppData\Local\Temp\pft5D20.tmp\Disk1\Setup.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
          "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          PID:2876
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:576
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\Setup.exe
          "C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\Setup.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2208
          • C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
            "C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            PID:2948
  • C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
    C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:928
  • C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe
    C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
    1⤵
    • Executes dropped EXE
    • Loads dropped DLL
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe
      "C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      PID:908
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2256
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2572

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\corecomp.ini
    Filesize

    27KB

    MD5

    62d5f9827d867eb3e4ab9e6b338348a1

    SHA1

    828e72f9c845b1c0865badaef40d63fb36447293

    SHA256

    5214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5

    SHA512

    b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732

    Download Submit

  • C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe
    Filesize

    600KB

    MD5

    b3fd01873bd5fd163ab465779271c58f

    SHA1

    e1ff9981a09ab025d69ac891bfc931a776294d4d

    SHA256

    985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931

    SHA512

    6674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43

    Download Submit

  • C:\Program Files (x86)\Common Files\InstallShield\IScript\iscript.dll
    Filesize

    220KB

    MD5

    b2f7e6dc7e4aae3147fbfc74a2ddb365

    SHA1

    716301112706e93f85977d79f0e8f18f17fb32a7

    SHA256

    4f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1

    SHA512

    e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83

    Download Submit

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    2.4MB

    MD5

    4a3d911453118d58a4bc16043c726142

    SHA1

    30755f517d05c784ef5857b3d5fa665cea91b438

    SHA256

    b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2

    SHA512

    ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft5D20.tmp\Disk1\IKernel.ex_
    Filesize

    338KB

    MD5

    93b63f516482715a784bbec3a0bf5f3a

    SHA1

    2478feca446576c33e96e708256d4c6c33e3fa68

    SHA256

    fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249

    SHA512

    2c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft5D20.tmp\Disk1\setup.ini
    Filesize

    172B

    MD5

    f538540e2cfc9a49e1d1a19d7db8234f

    SHA1

    4ccc89fe6709a2b58d675e70e1150af32a399d4d

    SHA256

    2f6f2a479b5a083238d960bb24c5f9f9bd551777e9f66205defeeac6db51eb81

    SHA512

    d469cba1840803096590d7d44c998459623fc1176f10e14884ac62abc2daa18924c2b174c432bbfdda571c10affe84c6cd54668cce58d8f927e5a31225d88044

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft5D20.tmp\pftw1.pkg
    Filesize

    1.3MB

    MD5

    fc1dc50af3c04a4504005db443b047be

    SHA1

    df5b171c45b10d3ca7c9a30285f6bb3b5b9f8ea5

    SHA256

    96a8733706b182b10c60c509c0cca9e1da329385b78a7fe5bbe1655168c966f7

    SHA512

    f418e0d9fcd7935fd43f9928d86d16266ae896ddd72cc5e3a8235bc4ee365253b6fe4bfec31c217414b60a72a9ef1b4e790c4bbd78d29678a01304be23a090cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\data1.cab
    Filesize

    586KB

    MD5

    7a6a7bed57891197746b6f32344c75f5

    SHA1

    83a0d2d72052f86cc6fce776490189317684764e

    SHA256

    52e8bfd8231b9fc5fa91541a7b73e9a378bff912d73f260f9697395e13934fb3

    SHA512

    6396266d4f8e1b986d0f3d6814999caa38832116e84a752ee29a853d7753d162e1586970cc87f138820a2a3644899864f1cd1835be6d9a759842087f20b0a8b8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\data1.hdr
    Filesize

    14KB

    MD5

    b2caa6c179bd67968e7828e9005a07f7

    SHA1

    6dc8d77254cb32b73047ca6310e2bb7c3953bdd7

    SHA256

    d2f967c808f13b3d64d99f2109a735dd759a5814f8a1fa72aa1751035904499b

    SHA512

    07a7c517e379ab5821867fadaa5e2c75245745d2c8b029849de0b468a9f5a0f3777ea02e2999f3d8ccc7ae969d020efba3e800ba01e30fb584de153c77f44a0b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\data2.cab
    Filesize

    380KB

    MD5

    3f665a0e2eb71ca283522916c3519dd6

    SHA1

    c0bfef9824b40c1e29adc0c81f8c15d1d0ec984b

    SHA256

    1c479ea42ad6188db660d39726c7a8b7072ad6ae4805475c96ec6dc39ec92655

    SHA512

    7ce361dc93f9e852e4df2158a8cab2436a5ffdd0f936dbcbb869cafe43b3ce54a042737ef84a1fddaca4c40bf1dc870eaf72144733cd6049886e710356a6b7a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\layout.bin
    Filesize

    417B

    MD5

    879bd0a51200b47312d8c4b78f740858

    SHA1

    acdaec259f2b4587dadf0d7d0f1b90442224c017

    SHA256

    b2c060f31e0db36f18874ec85c55f1e0966c1dbaf2a132398d0f8bfa7a0a84a8

    SHA512

    6df263d03f5796b522425514eacebf7110f6e73ae4cbd004c7757e6ce1e1e755ae79071366ed64f153b77556a4a239fab4222edfd7bf6e9061989a2e1247f1e1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\pft602C.tmp\Disk1\setup.inx
    Filesize

    134KB

    MD5

    65c7eed62975bee4c118e332110daabf

    SHA1

    89dbf17bdb0992026d6a9b98c39cdc7c30351d73

    SHA256

    1f5689560acf38d2a08eb546bedb8854337fd5961a44e28cc937db57c70c28e5

    SHA512

    09cc634b42c9bdd21323d69d387fc5b67862fc2e2e83d7a37051d2aeb08b7b6fc17ae2cc15b5217e0af3f729e210731ed6733ce5fd1123057fcfd2ad32156640

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\plf5CEF.tmp
    Filesize

    5KB

    MD5

    9efcc61a0baa38a6d7c67a05a97c7b87

    SHA1

    72b713a72ef7e972dfd5be5f79da8e9aacedb296

    SHA256

    7ccb3a50ca08c66a220e4da614cbaba1d05157359edd174223c788b86d929edf

    SHA512

    ac57100b76826af9f7650417dd765c23b522e31a1f3b44bfe9e70ed520bf6c6eb1978118a8147c99487b05a7a4c4afc964f457b79f921ff8236e4d60561b1238

    Download Submit

  • \Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\ctor.dll
    Filesize

    76KB

    MD5

    003a6c011aac993bcde8c860988ce49b

    SHA1

    6d39d650dfa5ded45c4e0cb17b986893061104a7

    SHA256

    590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a

    SHA512

    032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7

    Download Submit

  • \Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\iuser.dll
    Filesize

    172KB

    MD5

    377765fd4de3912c0f814ee9f182feda

    SHA1

    a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1

    SHA256

    8efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb

    SHA512

    31befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710

    Download Submit

  • \Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\objectps.dll
    Filesize

    32KB

    MD5

    8f02b204853939f8aefe6b07b283be9a

    SHA1

    c161b9374e67d5fa3066ea03fc861cc0023eb3cc

    SHA256

    32c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998

    SHA512

    8df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
    Filesize

    1.6MB

    MD5

    06c21d83808efc7c0348753acff24e1e

    SHA1

    a5fcbd6893610e89ed924f4d27d740ad6f462a2a

    SHA256

    c503d2caad26da47dc01712b5fbad62980f7150facf0511e21d452ac64d13b6e

    SHA512

    a939d05a45282233b41c98ac992b74542df2a4146155e2bdc86f3a934be67b92d8fd336d7265e54ec477691a94697d303643597f1d4a636207f1b80d798abc96

    Download Submit

  • \Users\Admin\AppData\Local\Temp\pft5D20.tmp\Disk1\Setup.exe
    Filesize

    164KB

    MD5

    fb6674a519505cc93e28cf600bbc23a3

    SHA1

    d5dbd3dabc4872710d5bdabfb3829f976efe92c6

    SHA256

    fe95a9fc8b2cdb5add76fbd326b1a11801eaa43c7d908f20cbdf413fd4d8dfde

    SHA512

    fd4e93d545a704bbc197bcbfd1731c24fffff7aa05db11ed4ad9bcac458253b8fb368d13e48df3d3d322044f4d4cc9e134c24cc7bee4079110f591623e988912

    Download Submit

  • memory/576-128-0x0000000004040000-0x0000000004099000-memory.dmp

    Filesize

    356KB

    Download

  • memory/576-312-0x0000000000400000-0x0000000000662000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/576-349-0x0000000004040000-0x0000000004099000-memory.dmp

    Filesize

    356KB

    Download

  • memory/576-279-0x0000000000400000-0x0000000000662000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/576-348-0x0000000000400000-0x0000000000662000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/576-354-0x0000000000400000-0x0000000000662000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/576-317-0x0000000000400000-0x0000000000662000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1540-274-0x0000000002510000-0x000000000253C000-memory.dmp

    Filesize

    176KB

    Download

  • memory/1540-264-0x0000000000980000-0x0000000000993000-memory.dmp

    Filesize

    76KB

    Download

  • memory/1540-271-0x0000000003490000-0x00000000034E3000-memory.dmp

    Filesize

    332KB

    Download

  • memory/1540-265-0x0000000003450000-0x0000000003488000-memory.dmp

    Filesize

    224KB

    Download

  • memory/2332-129-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2332-316-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2572-306-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2644-311-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2644-23-0x0000000000300000-0x0000000000359000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2644-19-0x0000000000400000-0x0000000000459000-memory.dmp

    Filesize

    356KB

    Download

  • memory/2692-0-0x0000000000240000-0x0000000000241000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2692-93-0x0000000000400000-0x0000000000662000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2692-6-0x00000000041E0000-0x0000000004239000-memory.dmp

    Filesize

    356KB

    Download