Overview

overview

10

Static

static

10

1ce6e133b0...37.exe

windows10-2004-x64

10

1ce6e133b0...37.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    142s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe

  • Size

    5.7MB

  • MD5

    6ef27d77f5e163e63bcef83aad488dac

  • SHA1

    e58d1eea2b997c9c57ed917002aa3f180258283d

  • SHA256

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

  • SHA512

    73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

  • SSDEEP

    98304:snsmtk2a1oiKjvpG51TDyWAYAZkEIVGzUihpHQSUggLFsXmL+uEqZEJh9bkUDRpp:CLO+jvIALYih2SUgpXa+jKEJh9b/9D

Score
10/10
xredbackdoordiscoverypersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Manipulates Digital Signatures 1 TTPs 5 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 25 IoCs
  • UPX packed file 14 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 2 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3164
    • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
      2⤵
      • Manipulates Digital Signatures
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4596
      • C:\Users\Admin\usb_driver\installer_x64.exe
        "C:\Users\Admin\usb_driver\installer_x64.exe" "WinUSB_Generic_Device.inf"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2864
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5096
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4644
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2660
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4580
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{4ffe6ecc-e07b-ec43-967d-d0b97a125b3b}\WinUSB_Generic_Device.inf" "9" "494de428f" "0000000000000148" "WinSta0\Default" "0000000000000150" "208" "C:\Users\Admin\usb_driver"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:2776
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:2612
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:4812
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
        1⤵
          PID:3032

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Synaptics\Synaptics.exe
          Filesize

          5.7MB

          MD5

          6ef27d77f5e163e63bcef83aad488dac

          SHA1

          e58d1eea2b997c9c57ed917002aa3f180258283d

          SHA256

          1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

          SHA512

          73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
          Filesize

          4.9MB

          MD5

          8364578c40b5a7f379adba1bad2521ec

          SHA1

          7e2bac877385ef86efd9d54d1b89ff4e9e18243a

          SHA256

          4b7c58696b7a809525f6abcea9b3e9c1bf91518ebdc0d19af31e219654074342

          SHA512

          034093ece4f6020e6dee686ebd7e197ba4bdcf10c96f5c1934cd0c8120c1e229b7832d26421802c2d572b322e7ed3fa00d495c7dbf1bad73d70d22aa7e71219c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\C5C75E00
          Filesize

          24KB

          MD5

          79198b194111677f5cc1c513de2da755

          SHA1

          a34ec312442b01312222962e4d971d5124df263a

          SHA256

          714bc23683550ca50c85101c30e0260d2c23c4ef76c86565c7e03564313f8990

          SHA512

          f94358a91decc44bfe3bf4d288c97d09598e9ad7d1fc1921e03910cda08515500a2898a818281357eca51af58bb3dbdec8bc6d5fa73e7bfb141345e66011469a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\E2t7ecZe.xlsm
          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\winusbcoinstaller2.dll
          Filesize

          831KB

          MD5

          8e7b9f81e8823fee2d82f7de3a44300b

          SHA1

          1633b3715014c90d1c552cd757ef5de33c161dee

          SHA256

          ebe3b7708dd974ee87efed3113028d266af87ca8dbae77c47c6f7612824d3d6c

          SHA512

          9ae37b2747589a0eb312473d895ef87404f4a395a27e15855826a75b4711ea934ca9a2b289df0abe0a8825dec2d5654a0b1603cf0b039fe25662359b730ce1a9

          Download Submit

        • C:\Users\Admin\USB_DR~1\WINUSB~1.CAT
          Filesize

          4KB

          MD5

          85f222fcef1a37ffcc47adfdad6649ea

          SHA1

          d66bfbed331d50813831589b4cff5ea5559816ae

          SHA256

          f7e71a8d196436fea2aae235070fc98b7a1372b5b27b5ba16d302a7e42d2770b

          SHA512

          87ae523154b6a3e180c817ac91cb73a25fe88cad3fec0fd64484450574dda55c93947ecb5f01a77c068f12ebded6c298a2814f73a27ff1899ab164bb674b1b0f

          Download Submit

        • C:\Users\Admin\USB_DR~1\amd64\WdfCoInstaller01011.dll
          Filesize

          1.7MB

          MD5

          d10864c1730172780c2d4be633b9220a

          SHA1

          b85d02ba0e8de4aeded1a2f5679505cd403bd201

          SHA256

          f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

          SHA512

          c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

          Download Submit

        • C:\Users\Admin\USB_DR~1\amd64\WinUSBCoInstaller2.dll
          Filesize

          979KB

          MD5

          246900ce6474718730ecd4f873234cf5

          SHA1

          0c84b56c82e4624824154d27926ded1c45f4b331

          SHA256

          981a17effddbc20377512ddaec9f22c2b7067e17a3e2a8ccf82bb7bb7b2420b6

          SHA512

          6a9e305bfbfb57d8f8fd16edabef9291a8a97e4b9c2ae90622f6c056e518a0a731fbb3e33a2591d87c8e4293d0f983ec515e6a241792962257b82401a8811d5c

          Download Submit

        • C:\Users\Admin\usb_driver\WinUSB_Generic_Device.inf
          Filesize

          4KB

          MD5

          c7973895547877629e6651a693699dc8

          SHA1

          a6d023050e00cd171cb54b57605ac078488d8875

          SHA256

          2e2ceb01dd904b8103b9ec84d5169a9f491492b3ed9c8954cd302feef14eca5e

          SHA512

          d15c13155a38e25b6b99feb85d16313955b6869aed3d42d2985f5532f52bc2b90e13d67a895cf2bc175b0d3590690c1e337812f04b4596077b91189894d33e62

          Download Submit

        • C:\Users\Admin\usb_driver\installer_x64.exe
          Filesize

          129KB

          MD5

          5de36bf46030e08135bd9fbddca7613c

          SHA1

          8b0c6f66fc3a7eb151bf2f52b27557d02e6c6d69

          SHA256

          25e24cf299644001835fad6125562cd0054d1acce412505b0cc3b82444c0efb2

          SHA512

          a35cc0341660af29c3c803d5d3a4520e3032febc3178abacf4dc108bc1679d79e50a7015fcc5cd9956b7a2bc04736fae6d0f791da45d122adee352df6af4d1b8

          Download Submit

        • memory/2660-193-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2660-194-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2660-195-0x00007FFF076C0000-0x00007FFF076D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2660-196-0x00007FFF076C0000-0x00007FFF076D0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2660-191-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2660-190-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2660-192-0x00007FFF098B0000-0x00007FFF098C0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3164-0-0x0000000002850000-0x0000000002851000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3164-128-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4596-247-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-429-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-266-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-268-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-446-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-258-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-442-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-60-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-403-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-431-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4596-406-0x0000000000A50000-0x00000000010C4000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4644-189-0x00000000001E0000-0x0000000000854000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4644-246-0x00000000001E0000-0x0000000000854000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/5096-249-0x0000000000B70000-0x0000000000B71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5096-430-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/5096-404-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/5096-129-0x0000000000B70000-0x0000000000B71000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5096-443-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/5096-250-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download