Analysis
-
max time kernel
145s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
18-11-2024 22:59
General
-
Target
b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe
-
Size
2.4MB
-
MD5
4a3d911453118d58a4bc16043c726142
-
SHA1
30755f517d05c784ef5857b3d5fa665cea91b438
-
SHA256
b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2
-
SHA512
ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3
-
SSDEEP
49152:snsHyjtk2MYC5GDvxdth7VaHBIW2Y4XxChF6Hq2BIetbWr:snsmtk2a8F6fT4XAhIH+eVWr
Malware Config
Extracted
xred
xred.mooo.com
-
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978
https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download
https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1
http://xred.site50.net/syn/SUpdate.ini
https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download
https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1
http://xred.site50.net/syn/Synaptics.rar
https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download
https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1
http://xred.site50.net/syn/SSLLibrary.dll
Signatures
-
Xred
Xred is backdoor written in Delphi.
-
Xred family
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 11 IoCs
-
Loads dropped DLL 20 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 27 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 11 IoCs
-
Suspicious use of SetWindowsHookEx 4 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"C:\Users\Admin\AppData\Local\Temp\b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"C:\Users\Admin\AppData\Local\Temp\._cache_b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pftDA93.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pftDA93.tmp\Disk1\Setup.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
C:\ProgramData\Synaptics\Synaptics.exe"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\pftE0AD.tmp\Disk1\Setup.exe"C:\Users\Admin\AppData\Local\Temp\pftE0AD.tmp\Disk1\Setup.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\Engine\6\Intel 32\IKernel.exe" -RegServer5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exeC:\PROGRA~2\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe"C:\Program Files (x86)\Common Files\InstallShield\engine\6\Intel 32\iKernel.exe" /REGSERVER2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
27KB
MD562d5f9827d867eb3e4ab9e6b338348a1
SHA1828e72f9c845b1c0865badaef40d63fb36447293
SHA2565214789c08ee573e904990dcd29e9e03aaf5cf12e86fae368005fd8f4e371bd5
SHA512b38bb74dc2e528c2a58a7d14a07bd1ecaaf55168b53afc8f4718f3bf5d6f8c8b922b98551a355ebb1009f23cff02fd8596413468993a43756c4de7dfed573732
-
Filesize
600KB
MD5b3fd01873bd5fd163ab465779271c58f
SHA1e1ff9981a09ab025d69ac891bfc931a776294d4d
SHA256985eb55ecb750da812876b8569d5f1999a30a24bcc54f9bab4d3fc44dfedb931
SHA5126674ab1d65da9892b7dd2fd37f300e087f58239262d44505b53379c676fd16da5443d2292aeaae01d3e6c40960b12f9cac651418c827d2a33c29a6cdf874be43
-
Filesize
76KB
MD5003a6c011aac993bcde8c860988ce49b
SHA16d39d650dfa5ded45c4e0cb17b986893061104a7
SHA256590be865ddf8c8d0431d8f92aa3948cc3c1685fd0649d607776b81cd1e267d0a
SHA512032aba4403eb45646aa1413fdc6c5d08baab4d0306d20b4209e70c84e47f6b72e68457bbc4331a5f1a5fa44aa776a89eb9fd29d0d956fa2fe11364c26ab09ee7
-
Filesize
172KB
MD5377765fd4de3912c0f814ee9f182feda
SHA1a0ab6a28f4ba057d5eae5c223420eb599cd4d3b1
SHA2568efcbd8752d8bbfd7ee559502d1aa28134c9bf391bf7fc5ce6fdfd4473599afb
SHA51231befb11715f78043b7684287b4086ce003cb66f97c6eff8c2b438eae29045d8856172c6b898be9f08c139edc4647c2bce000da497aed208b7a5a69d4d90c710
-
Filesize
32KB
MD58f02b204853939f8aefe6b07b283be9a
SHA1c161b9374e67d5fa3066ea03fc861cc0023eb3cc
SHA25632c6ad91dc66bc12e1273b1e13eb7a15d6e8f63b93447909ca2163dd21b22998
SHA5128df23b7d80a4dd32c484ca3bd1922e11938d7ecda9fc5fd5045eed882054efca7b7131ea109c4f20d8279845ffeb50ef46fb7419d190b8cf307eb00168746e59
-
Filesize
220KB
MD5b2f7e6dc7e4aae3147fbfc74a2ddb365
SHA1716301112706e93f85977d79f0e8f18f17fb32a7
SHA2564f77a9018b6b0d41151366e9acab3397416d114fc895703deb82b20f40116ad1
SHA512e6ae396bd9b4f069b5fafe135c0f83718cc236d1cf9007db7305bd5442c86483c0f1e0fad9cd6d547e8715278e23e6fafa973c63ebbe998a31a2153dbbbe7f83
-
Filesize
200B
MD52faaf3e9574a06e5fd06128832059804
SHA1bd674c3d5d52bc77aad7151ec41faff98d9ffe3f
SHA256e564cdc2a8560d1307340c94006227e4d59c443514d2ddd1c6086af57a6d46ad
SHA51211896122d14862617b92e2917753d880298a126826013bf8c8d1b4bf90153ecf3c8dc09accbc355e49f9be162c5193fcd12e28dcab1a9e87aa59793c40cb5b3c
-
Filesize
2.4MB
MD54a3d911453118d58a4bc16043c726142
SHA130755f517d05c784ef5857b3d5fa665cea91b438
SHA256b828dc24877aa7129ea58fb4bdf7373ec5a8ac06d02907cfe663a4599eae2aa2
SHA512ad39db2d93687bec5761514440ef1566049a1c567fcd1ef852c52c312a24f3c2497e9c8ce9fc9564537b5607748daf87bc6f71f4cdd7e1f486833c58708f41f3
-
Filesize
1.6MB
MD506c21d83808efc7c0348753acff24e1e
SHA1a5fcbd6893610e89ed924f4d27d740ad6f462a2a
SHA256c503d2caad26da47dc01712b5fbad62980f7150facf0511e21d452ac64d13b6e
SHA512a939d05a45282233b41c98ac992b74542df2a4146155e2bdc86f3a934be67b92d8fd336d7265e54ec477691a94697d303643597f1d4a636207f1b80d798abc96
-
Filesize
17KB
MD5af4d37aad8b34471da588360a43e768a
SHA183ed64667d4e68ea531b8bcf58aab3ed4a5ca998
SHA256e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1
SHA51274f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da
-
Filesize
338KB
MD593b63f516482715a784bbec3a0bf5f3a
SHA12478feca446576c33e96e708256d4c6c33e3fa68
SHA256fbf95719b956b548b947436e29feb18bb884e01f75ae31b05c030ebd76605249
SHA5122c8f29dda748e21231ab8c30c7a57735104b786120bb392eb1c20a320f2dddde392d136fd0c70853bb9af851bbe47df2955d8f9d5973b64870ac90bd12d2dd70
-
Filesize
164KB
MD5fb6674a519505cc93e28cf600bbc23a3
SHA1d5dbd3dabc4872710d5bdabfb3829f976efe92c6
SHA256fe95a9fc8b2cdb5add76fbd326b1a11801eaa43c7d908f20cbdf413fd4d8dfde
SHA512fd4e93d545a704bbc197bcbfd1731c24fffff7aa05db11ed4ad9bcac458253b8fb368d13e48df3d3d322044f4d4cc9e134c24cc7bee4079110f591623e988912
-
Filesize
172B
MD5f538540e2cfc9a49e1d1a19d7db8234f
SHA14ccc89fe6709a2b58d675e70e1150af32a399d4d
SHA2562f6f2a479b5a083238d960bb24c5f9f9bd551777e9f66205defeeac6db51eb81
SHA512d469cba1840803096590d7d44c998459623fc1176f10e14884ac62abc2daa18924c2b174c432bbfdda571c10affe84c6cd54668cce58d8f927e5a31225d88044
-
Filesize
1.3MB
MD5fc1dc50af3c04a4504005db443b047be
SHA1df5b171c45b10d3ca7c9a30285f6bb3b5b9f8ea5
SHA25696a8733706b182b10c60c509c0cca9e1da329385b78a7fe5bbe1655168c966f7
SHA512f418e0d9fcd7935fd43f9928d86d16266ae896ddd72cc5e3a8235bc4ee365253b6fe4bfec31c217414b60a72a9ef1b4e790c4bbd78d29678a01304be23a090cd
-
Filesize
586KB
MD57a6a7bed57891197746b6f32344c75f5
SHA183a0d2d72052f86cc6fce776490189317684764e
SHA25652e8bfd8231b9fc5fa91541a7b73e9a378bff912d73f260f9697395e13934fb3
SHA5126396266d4f8e1b986d0f3d6814999caa38832116e84a752ee29a853d7753d162e1586970cc87f138820a2a3644899864f1cd1835be6d9a759842087f20b0a8b8
-
Filesize
14KB
MD5b2caa6c179bd67968e7828e9005a07f7
SHA16dc8d77254cb32b73047ca6310e2bb7c3953bdd7
SHA256d2f967c808f13b3d64d99f2109a735dd759a5814f8a1fa72aa1751035904499b
SHA51207a7c517e379ab5821867fadaa5e2c75245745d2c8b029849de0b468a9f5a0f3777ea02e2999f3d8ccc7ae969d020efba3e800ba01e30fb584de153c77f44a0b
-
Filesize
380KB
MD53f665a0e2eb71ca283522916c3519dd6
SHA1c0bfef9824b40c1e29adc0c81f8c15d1d0ec984b
SHA2561c479ea42ad6188db660d39726c7a8b7072ad6ae4805475c96ec6dc39ec92655
SHA5127ce361dc93f9e852e4df2158a8cab2436a5ffdd0f936dbcbb869cafe43b3ce54a042737ef84a1fddaca4c40bf1dc870eaf72144733cd6049886e710356a6b7a6
-
Filesize
417B
MD5879bd0a51200b47312d8c4b78f740858
SHA1acdaec259f2b4587dadf0d7d0f1b90442224c017
SHA256b2c060f31e0db36f18874ec85c55f1e0966c1dbaf2a132398d0f8bfa7a0a84a8
SHA5126df263d03f5796b522425514eacebf7110f6e73ae4cbd004c7757e6ce1e1e755ae79071366ed64f153b77556a4a239fab4222edfd7bf6e9061989a2e1247f1e1
-
Filesize
134KB
MD565c7eed62975bee4c118e332110daabf
SHA189dbf17bdb0992026d6a9b98c39cdc7c30351d73
SHA2561f5689560acf38d2a08eb546bedb8854337fd5961a44e28cc937db57c70c28e5
SHA51209cc634b42c9bdd21323d69d387fc5b67862fc2e2e83d7a37051d2aeb08b7b6fc17ae2cc15b5217e0af3f729e210731ed6733ce5fd1123057fcfd2ad32156640
-
Filesize
5KB
MD59efcc61a0baa38a6d7c67a05a97c7b87
SHA172b713a72ef7e972dfd5be5f79da8e9aacedb296
SHA2567ccb3a50ca08c66a220e4da614cbaba1d05157359edd174223c788b86d929edf
SHA512ac57100b76826af9f7650417dd765c23b522e31a1f3b44bfe9e70ed520bf6c6eb1978118a8147c99487b05a7a4c4afc964f457b79f921ff8236e4d60561b1238
-
Filesize
252KB
MD548ea604d4fa7d9af5b121c04db6a2fec
SHA1dc3c04977106bc1fbf1776a6b27899d7b81fb937
SHA256cbe8127704f36adcc6adbab60df55d1ff8fb7e600f1337fb9c4a59644ba7aa2b
SHA5129206a1235ce6bd8ceda0ff80fc01842e9cbbeb16267b4a875a0f1e6ea202fd4cbd1a52f8a51bed35a2b38252eb2b2cd2426dc7d24b1ea715203cc0935d612707
-
Filesize
324KB
MD561c056d2df7ab769d6fd801869b828a9
SHA14213d0395692fa4181483ffb04eef4bda22cceee
SHA256148d8f53bba9a8d5558b192fb4919a5b0d9cb7fd9f8e481660f8667de4e89b66
SHA512a2da2558c44e80973badc2e5f283cec254a12dfbcc66c352c8f394e03b1e50f98551303eab6f7995ac4afd5a503bd29b690d778b0526233efc781695ed9e9172
-
Filesize
1KB
MD50c620d9cfc847b371fc8977640acc456
SHA1a32b945b0b00893df823d4d3f84ba600984ec938
SHA256b90db587b775b5bcdd23bd03cae1cea5919ec4e63cdd5754de7b8e4d1b2c4918
SHA5126ce79d61f663708ebf5b2de5d450fde5d8b36d5a1854116219e60b69593a9aa05a8434c3ce754feb0ab6d05ff79d3a72d106a264eea1142044c297a323d89c6e
-
Filesize
356KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
76KB
-
Filesize
224KB
-
Filesize
176KB
-
Filesize
332KB
-
Filesize
356KB
-
Filesize
356KB
-
Filesize
2.4MB
-
Filesize
4KB
-
Filesize
2.4MB
-
Filesize
2.4MB