Analysis

  • max time kernel
    37s
  • max time network
    43s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    20-11-2024 00:25

Errors

Reason
Machine shutdown

General

  • Target

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe

  • Size

    2.3MB

  • MD5

    e458deafb28333f548c26abb8ab87360

  • SHA1

    0c1fdb03cfc6006c3c698fbfc853d1e9371cfe76

  • SHA256

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9

  • SHA512

    eb62aedc33c5a9f48bc9153774fb91f71e2e160fc679f1b7eeb7982c1aab13a8dd206ea51ca39f143b6ed7dcf2660851d43109784639d6adec61bd4ebdaa8ad6

  • SSDEEP

    49152:dnsHyjtk2MYC5GDNYTWPNykHuuSshTypt:dnsmtk2adeoiOln

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Drops file in Drivers directory 2 IoCs
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 18 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 13 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 51 IoCs
  • Modifies registry class 21 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe
    "C:\Users\Admin\AppData\Local\Temp\df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\._cache_df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3008
      • C:\Users\Admin\AppData\Local\Temp\nstCCB1.tmp\DevCon.exe
        "C:\Users\Admin\AppData\Local\Temp\nstCCB1.tmp\DevCon.exe" status "root\vclone"
        3⤵
        • Executes dropped EXE
        PID:3032
      • C:\Users\Admin\AppData\Local\Temp\nstCCB1.tmp\DevCon.exe
        "C:\Users\Admin\AppData\Local\Temp\nstCCB1.tmp\DevCon.exe" install VClone.inf "root\vclone"
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:988
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2888
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2536
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4c5657e9-3fa1-1c4c-6f62-e10190806926}\vclone.inf" "9" "64f288aa3" "00000000000005A4" "WinSta0\Default" "0000000000000390" "208" "c:\users\admin\appdata\local\temp\nstccb1.tmp"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:760
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{19d404db-1bfe-440a-3bcd-db124e79495b} Global\{24bb92b9-825d-25d5-d8e2-ad1019417e52} C:\Windows\System32\DriverStore\Temp\{6c871e5c-6078-0da4-f66b-1f33b992bb24}\vclone.inf C:\Windows\System32\DriverStore\Temp\{6c871e5c-6078-0da4-f66b-1f33b992bb24}\VClone.cat
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1700
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3064
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x0
    1⤵
    PID:1032
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x1
    1⤵
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.ini

    Filesize

    4KB

    MD5

    b93f0173071839a84b41fee58889eeb6

    SHA1

    f98d8adacf5e85e2070f526e3590326f446cba81

    SHA256

    7f05a7811894c65bf136431a6a6590eaa1e9a4ac3a419934bc4539536f9f83ba

    SHA512

    890d11dea423b126a9f3ff65c4caf327723f4200e47c239b65e151d48ca326ddbf7b73bc3043fa1be8032ac2065bd5ca4a7e8c2a858a415976081f60ec658b65

  • C:\ProgramData\Synaptics\Synaptics.exe

    Filesize

    2.3MB

    MD5

    e458deafb28333f548c26abb8ab87360

    SHA1

    0c1fdb03cfc6006c3c698fbfc853d1e9371cfe76

    SHA256

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9

    SHA512

    eb62aedc33c5a9f48bc9153774fb91f71e2e160fc679f1b7eeb7982c1aab13a8dd206ea51ca39f143b6ed7dcf2660851d43109784639d6adec61bd4ebdaa8ad6

  • C:\Users\Admin\AppData\Local\Temp\Cab315F.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\NSKrngjS.xlsm

    Filesize

    17KB

    MD5

    af4d37aad8b34471da588360a43e768a

    SHA1

    83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

    SHA256

    e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

    SHA512

    74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

  • C:\Users\Admin\AppData\Local\Temp\Tar3181.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Local\Temp\nstCCB1.tmp\VClone.inf

    Filesize

    1KB

    MD5

    b66a6496cd83f4cd091d4a2e0ef2b4f5

    SHA1

    48a5ae4b5904410638ca1991900a027a28e07480

    SHA256

    a669b9cb7694e1177b072dfc5eaaff94d14571c13def16d0d4b8520d64556e29

    SHA512

    1d5a9c75c294c0c7388c798117496881309495a0dfdf1a85aa106db896040c4ac72699444a256eaca02801f7c87361b497ba5c07b0d0f835eeb4a2d9593aa150

  • C:\Windows\Temp\Cab3297.tmp

    Filesize

    29KB

    MD5

    d59a6b36c5a94916241a3ead50222b6f

    SHA1

    e274e9486d318c383bc4b9812844ba56f0cff3c6

    SHA256

    a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

    SHA512

    17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

  • C:\Windows\Temp\Tar329A.tmp

    Filesize

    81KB

    MD5

    b13f51572f55a2d31ed9f266d581e9ea

    SHA1

    7eef3111b878e159e520f34410ad87adecf0ca92

    SHA256

    725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

    SHA512

    f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

  • \??\c:\users\admin\appdata\local\temp\nstccb1.tmp\VClone.cat

    Filesize

    8KB

    MD5

    0aa17500408d2b557a0f7393eb6fde6b

    SHA1

    fb04802c8782d7512cd282f16d26c40d5bbeea03

    SHA256

    0f8d8d64a423480a0f87fa18fe1a5022010bb1596ec200ca68a9210af8d0bc60

    SHA512

    5510923c50c3191bacf441451f99f352867d9477c2bd18695688b0b79d3486ad018163986f06fab495eac950e3ede23b965fe9aadfea8f5a5d149311b321db28

  • \??\c:\users\admin\appdata\local\temp\nstccb1.tmp\amd64\VClone.sys

    Filesize

    34KB

    MD5

    f257a2737280f0076eae3ab489c06474

    SHA1

    ab722536518592e73ed43c3f9243c7a07a3e29aa

    SHA256

    a02e37292d86e675d55c13097e9f107c73ddfd8aac69310f7d9910a811a541d8

    SHA512

    ecc3e55e7cd42d21a34cfb9353f05ebc38b6998ad9aad3c5888321182b4239ee270e0715ccd2308a80a7aad6f556747302994f2d4a3827af12e649f07ef8ce1d

  • \Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.exe

    Filesize

    29KB

    MD5

    b9957aa5ab846d609bc6a5ad0e4207bc

    SHA1

    33b6a0538d3d785eb6ea88c245ae388cd9a0ae9a

    SHA256

    f1de5def45ebee13b5de7b8f12b417cc213503aff8bfce14c42fdd3218f49126

    SHA512

    28d01f93fb5a47cf28c6c0f908d99b737f850fb2b4093a7dc3c1c8850dfbf4cb7964817d9616cae5c75881a920455919e82c8cd3e428d62d17d594bbf5ba85cd

  • \Users\Admin\AppData\Local\Temp\._cache_df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe

    Filesize

    1.6MB

    MD5

    06fae12ee71de1dd3535162b86bdf4f1

    SHA1

    c9230cfb03529d1a8732986f79548fe66f0ac7f6

    SHA256

    7d9d787c5b1af4625441fec2d58058dc4e5a0d8d952c28e0d197074b937cddcf

    SHA512

    3c81a44b6f46b1c56f738702743396afe49dc59f0e8fbeb83463fb4b468c93dfb3059c218a734f6bd90f2711c38e8247b3475e5d442cf32076ec57db8e795363

  • \Users\Admin\AppData\Local\Temp\nstCCB1.tmp\DevCon.exe

    Filesize

    130KB

    MD5

    f459bddabb3531c0a6581252ca1b29df

    SHA1

    8989d7c60c69036ae8ba76f8880383b0b49f3153

    SHA256

    dd328dc994d3a32c310d483328fd1e57d36dd0a95994ec8932e91fd8db22b6cb

    SHA512

    48110470b49108c742f78c56a65b497669035f7f92eebd23b7a08f344779eecca70893af5e390d2685b3e664d1f3b85a748bd31d87c9394e31c1ba3898220284

  • \Users\Admin\AppData\Local\Temp\nstCCB1.tmp\InstallHelp.dll

    Filesize

    100KB

    MD5

    d8c4815356ad88371670b7dd2707da4a

    SHA1

    94b96a4c465df5d94b3260c4a4263ecdabd0d0cf

    SHA256

    2f8b9bbeb76de603fa8b46f325cf2bdde6f8172772dc45df3fb1458d5c5cc347

    SHA512

    0cc7be4c7bb16c716c53a6ab33e3359184490eb3daf82c2242ed90c6a8c2d06c6406829d397ceff517b0e82cceef7a74ed3c16298689237c549734e153a025bb

  • memory/2204-6-0x0000000004070000-0x0000000004098000-memory.dmp

    Filesize

    160KB

  • memory/2204-30-0x0000000000400000-0x0000000000655000-memory.dmp

    Filesize

    2.3MB

  • memory/2204-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

    Filesize

    4KB

  • memory/2536-44-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2536-462-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

  • memory/2812-38-0x0000000004170000-0x0000000004198000-memory.dmp

    Filesize

    160KB

  • memory/2812-50-0x0000000000400000-0x0000000000655000-memory.dmp

    Filesize

    2.3MB

  • memory/2812-52-0x0000000000400000-0x0000000000655000-memory.dmp

    Filesize

    2.3MB

  • memory/2888-43-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3008-48-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3008-51-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3008-9-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3008-65-0x0000000002A80000-0x0000000002A88000-memory.dmp

    Filesize

    32KB

  • memory/3008-449-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB

  • memory/3008-457-0x0000000002A80000-0x0000000002A9F000-memory.dmp

    Filesize

    124KB

  • memory/3008-459-0x0000000002A80000-0x0000000002A88000-memory.dmp

    Filesize

    32KB

  • memory/3008-461-0x0000000000400000-0x0000000000428000-memory.dmp

    Filesize

    160KB