Analysis

  • max time kernel
    35s
  • max time network
    41s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-11-2024 00:25

Errors

Reason
Machine shutdown

General

  • Target

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe

  • Size

    2.3MB

  • MD5

    e458deafb28333f548c26abb8ab87360

  • SHA1

    0c1fdb03cfc6006c3c698fbfc853d1e9371cfe76

  • SHA256

    df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9

  • SHA512

    eb62aedc33c5a9f48bc9153774fb91f71e2e160fc679f1b7eeb7982c1aab13a8dd206ea51ca39f143b6ed7dcf2660851d43109784639d6adec61bd4ebdaa8ad6

  • SSDEEP

    49152:dnsHyjtk2MYC5GDNYTWPNykHuuSshTypt:dnsmtk2adeoiOln

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Drops file in Drivers directory 5 IoCs
  • Manipulates Digital Signatures 1 TTPs 1 IoCs

    Attackers can apply techniques such as modifying the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up the country code configured in the registry, likely for geofencing.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 12 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 21 IoCs
  • UPX packed file 8 IoCs

    Detects executables packed with the open-source UPX packer or a modified variant of it.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 64 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies data under HKEY_USERS 57 IoCs
  • Modifies registry class 29 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe
    "C:\Users\Admin\AppData\Local\Temp\df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:572
    • C:\Users\Admin\AppData\Local\Temp\._cache_df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\DevCon.exe
        "C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\DevCon.exe" status "root\vclone"
        3⤵
        • Executes dropped EXE
        • Checks SCSI registry key(s)
        PID:1400
      • C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\DevCon.exe
        "C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\DevCon.exe" install VClone.inf "root\vclone"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Modifies system certificate store
        • Suspicious use of AdjustPrivilegeToken
        PID:4632
      • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
        "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /u
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3760
      • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\SetRegACL.exe
        "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\SetRegACL.exe" Software\Microsoft\Windows\CurrentVersion\Explorer\DriveIcons 64
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4300
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Enumerates connected drives
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4904
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:5032
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{412eabda-b9b5-064c-9fb1-ce73c2115c0f}\vclone.inf" "9" "44f288aa3" "0000000000000134" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\local\temp\nst8bd5.tmp"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      • Suspicious use of WriteProcessMemory
      PID:2844
      • C:\Windows\system32\rundll32.exe
        rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{1fc071fd-c931-ec45-8f79-50f9a8c68e98} Global\{9698036d-fc01-f142-9ae9-c8d56c8c546a} C:\Windows\System32\DriverStore\Temp\{b43af63d-d049-4c4d-a8d4-93edd707ae9e}\vclone.inf C:\Windows\System32\DriverStore\Temp\{b43af63d-d049-4c4d-a8d4-93edd707ae9e}\VClone.cat
        3⤵
        PID:2112
      • C:\Windows\system32\DrvInst.exe
        DrvInst.exe "2" "211" "ROOT\SCSIADAPTER\0000" "C:\Windows\INF\oem3.inf" "oem3.inf:1f7d3914215d2b90:miniport:5.4.7.0:root\vclone," "44f288aa3" "0000000000000134"
        2⤵
        • Drops file in Drivers directory
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:4820
    • C:\Windows\system32\LogonUI.exe
      "LogonUI.exe" /flags:0x4 /state0:0xa38e8855 /state1:0x41c64e6d
      1⤵
      • Modifies data under HKEY_USERS
      • Suspicious use of SetWindowsHookEx
      PID:2956

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\SetRegACL.exe

      Filesize

      52KB

      MD5

      d866d346523fcb09f96384afcbd8f757

      SHA1

      d53600fcaf09f42bf1c0b2411960bb66f702b76a

      SHA256

      bd36f2094a3d2fd79a649f00e4196e45c50727dc745d570d1804e0834266a934

      SHA512

      7547d86136d266f670bcc6d8b126ca58d38596dda3c47183799f7b79cb1461d118b825b91fa066fe1126b123e00351bc18fa335a43e36932f13c047bbe300e53

    • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe

      Filesize

      86KB

      MD5

      3bd79a1f6d2ea0fddea3f8914b2a6a0c

      SHA1

      3ea3f44f81b3501e652b448a7dc33a8ee739772e

      SHA256

      332e6806eff846a2e6d0dc04a70d3503855dabfa83e6ec27f37e2d9103e80e51

      SHA512

      7bbb3f3af90443803f7689c973a64f894fb48bd744ab0c70af7dfa7c763354dc6f67a7fbb7053d38b0c6611b0aaa532e73eb2579c1445b8a31c573f8bf972a67

    • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDPrefs.exe

      Filesize

      829KB

      MD5

      e4f1c1fe730e63cf118edcd01f7aeaa1

      SHA1

      7c1e2f5a2cf98688d50278e57dad7776805c3536

      SHA256

      d0bd6539714e5e63a6db59c96f4f4374ac9fc8ae86a25e6a20b812d5308db977

      SHA512

      d7b061d77601293903f39b25559ff436d4d1d0f17fbba70e4fd61dc979994a31104549ce1d4619c63d48abe133990be564c51088ef8f8c7f04a8bcc01669e8e9

    • C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\vcd-uninst.ini

      Filesize

      4KB

      MD5

      b93f0173071839a84b41fee58889eeb6

      SHA1

      f98d8adacf5e85e2070f526e3590326f446cba81

      SHA256

      7f05a7811894c65bf136431a6a6590eaa1e9a4ac3a419934bc4539536f9f83ba

      SHA512

      890d11dea423b126a9f3ff65c4caf327723f4200e47c239b65e151d48ca326ddbf7b73bc3043fa1be8032ac2065bd5ca4a7e8c2a858a415976081f60ec658b65

    • C:\ProgramData\Synaptics\Synaptics.exe

      Filesize

      2.3MB

      MD5

      e458deafb28333f548c26abb8ab87360

      SHA1

      0c1fdb03cfc6006c3c698fbfc853d1e9371cfe76

      SHA256

      df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9

      SHA512

      eb62aedc33c5a9f48bc9153774fb91f71e2e160fc679f1b7eeb7982c1aab13a8dd206ea51ca39f143b6ed7dcf2660851d43109784639d6adec61bd4ebdaa8ad6

    • C:\Users\Admin\AppData\Local\Temp\._cache_df935b9361d774ecac1e063264480ec45c833a99182f6934bedac4d58bcf14b9N.exe

      Filesize

      1.6MB

      MD5

      06fae12ee71de1dd3535162b86bdf4f1

      SHA1

      c9230cfb03529d1a8732986f79548fe66f0ac7f6

      SHA256

      7d9d787c5b1af4625441fec2d58058dc4e5a0d8d952c28e0d197074b937cddcf

      SHA512

      3c81a44b6f46b1c56f738702743396afe49dc59f0e8fbeb83463fb4b468c93dfb3059c218a734f6bd90f2711c38e8247b3475e5d442cf32076ec57db8e795363

    • C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\DevCon.exe

      Filesize

      130KB

      MD5

      f459bddabb3531c0a6581252ca1b29df

      SHA1

      8989d7c60c69036ae8ba76f8880383b0b49f3153

      SHA256

      dd328dc994d3a32c310d483328fd1e57d36dd0a95994ec8932e91fd8db22b6cb

      SHA512

      48110470b49108c742f78c56a65b497669035f7f92eebd23b7a08f344779eecca70893af5e390d2685b3e664d1f3b85a748bd31d87c9394e31c1ba3898220284

    • C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\ElbyVCDShell.dll

      Filesize

      105KB

      MD5

      d2ba9f5fd755ca798c613812ec8584f0

      SHA1

      b61ba9881e8cc7f9431d745ed81eb1b8c2310b78

      SHA256

      fb0d559bc62e2b9c124e014a78d5d691ff657a1fce3cbeb5263264c66924a23e

      SHA512

      d4e905b777ab8c1d5f16f4e3a26880b0ef3aa9465388ad960bf37288562ca4c856f6b0c4190ef47c808281c0b14b69c2b5c7736b4416ee94823ee9f78e20a153

    • C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\InstallHelp.dll

      Filesize

      100KB

      MD5

      d8c4815356ad88371670b7dd2707da4a

      SHA1

      94b96a4c465df5d94b3260c4a4263ecdabd0d0cf

      SHA256

      2f8b9bbeb76de603fa8b46f325cf2bdde6f8172772dc45df3fb1458d5c5cc347

      SHA512

      0cc7be4c7bb16c716c53a6ab33e3359184490eb3daf82c2242ed90c6a8c2d06c6406829d397ceff517b0e82cceef7a74ed3c16298689237c549734e153a025bb

    • C:\Users\Admin\AppData\Local\Temp\nst8BD5.tmp\VClone.inf

      Filesize

      1KB

      MD5

      b66a6496cd83f4cd091d4a2e0ef2b4f5

      SHA1

      48a5ae4b5904410638ca1991900a027a28e07480

      SHA256

      a669b9cb7694e1177b072dfc5eaaff94d14571c13def16d0d4b8520d64556e29

      SHA512

      1d5a9c75c294c0c7388c798117496881309495a0dfdf1a85aa106db896040c4ac72699444a256eaca02801f7c87361b497ba5c07b0d0f835eeb4a2d9593aa150

    • C:\Windows\SysWOW64\ElbyCDIO.dll

      Filesize

      94KB

      MD5

      9bc1e3eb2495abb8d2cfd7a92a46e1cd

      SHA1

      2dbd4258b9d5cdccae9a52c153f152ebf2602fc7

      SHA256

      1b6151d37efeab8d7137555989274b4451e0cfe92f0c21d8b5a7423b012fc190

      SHA512

      ebb2d817e99563c99e90e93c458f29ea2ae86fd57ca5deabb73f2753e68b24ab3efb1f409305aed8341ab8c83e247d515e19035728c329a99ccb07974817b17e

    • C:\Windows\SysWOW64\ElbyVCD.dll

      Filesize

      130KB

      MD5

      f189cc7f7c13a42480d9b58504156c28

      SHA1

      2526566ce83ad4d7678ac75167c16913b9248530

      SHA256

      11a37192b44942fa6b1238f3b7b27fddc35bdf638747425b474109d08c947fd0

      SHA512

      da7fe55a30117196404545dd86a640ad42dc1a0e78d912a8629fe50caa947b0ec08935d82d9e3f8089c76bff89f20acdb148a212bb299a584205a752ae2ce63a

    • \??\c:\users\admin\appdata\local\temp\nst8bd5.tmp\VClone.cat

      Filesize

      8KB

      MD5

      0aa17500408d2b557a0f7393eb6fde6b

      SHA1

      fb04802c8782d7512cd282f16d26c40d5bbeea03

      SHA256

      0f8d8d64a423480a0f87fa18fe1a5022010bb1596ec200ca68a9210af8d0bc60

      SHA512

      5510923c50c3191bacf441451f99f352867d9477c2bd18695688b0b79d3486ad018163986f06fab495eac950e3ede23b965fe9aadfea8f5a5d149311b321db28

    • \??\c:\users\admin\appdata\local\temp\nst8bd5.tmp\amd64\VClone.sys

      Filesize

      34KB

      MD5

      f257a2737280f0076eae3ab489c06474

      SHA1

      ab722536518592e73ed43c3f9243c7a07a3e29aa

      SHA256

      a02e37292d86e675d55c13097e9f107c73ddfd8aac69310f7d9910a811a541d8

      SHA512

      ecc3e55e7cd42d21a34cfb9353f05ebc38b6998ad9aad3c5888321182b4239ee270e0715ccd2308a80a7aad6f556747302994f2d4a3827af12e649f07ef8ce1d

    • memory/572-78-0x0000000000400000-0x0000000000655000-memory.dmp

      Filesize

      2.3MB

    • memory/572-0-0x0000000000940000-0x0000000000941000-memory.dmp

      Filesize

      4KB

    • memory/1472-77-0x00000000023C0000-0x00000000023C1000-memory.dmp

      Filesize

      4KB

    • memory/1472-116-0x00000000023C0000-0x00000000023C1000-memory.dmp

      Filesize

      4KB

    • memory/1472-118-0x0000000000400000-0x0000000000655000-memory.dmp

      Filesize

      2.3MB

    • memory/1472-506-0x0000000000400000-0x0000000000655000-memory.dmp

      Filesize

      2.3MB

    • memory/1496-453-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/1496-464-0x00000000049A0000-0x00000000049BF000-memory.dmp

      Filesize

      124KB

    • memory/1496-115-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/1496-33-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/1496-503-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/1496-505-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/3760-495-0x0000000000480000-0x0000000000498000-memory.dmp

      Filesize

      96KB

    • memory/4904-114-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB

    • memory/4904-112-0x0000000000400000-0x0000000000428000-memory.dmp

      Filesize

      160KB