Overview

overview

10

Static

static

10

1ce6e133b0...37.exe

windows10-2004-x64

10

1ce6e133b0...37.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    141s
  • max time network
    144s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21-11-2024 05:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe

  • Size

    5.7MB

  • MD5

    6ef27d77f5e163e63bcef83aad488dac

  • SHA1

    e58d1eea2b997c9c57ed917002aa3f180258283d

  • SHA256

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

  • SHA512

    73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

  • SSDEEP

    98304:snsmtk2a1oiKjvpG51TDyWAYAZkEIVGzUihpHQSUggLFsXmL+uEqZEJh9bkUDRpp:CLO+jvIALYih2SUgpXa+jKEJh9b/9D

Score
10/10
xredbackdoordiscoverypersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Manipulates Digital Signatures 1 TTPs 5 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 25 IoCs
  • UPX packed file 13 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 42 IoCs
  • Modifies system certificate store 2 TTPs 11 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
      2⤵
      • Manipulates Digital Signatures
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3644
      • C:\Users\Admin\usb_driver\installer_x64.exe
        "C:\Users\Admin\usb_driver\installer_x64.exe" "WinUSB_Generic_Device.inf"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:2588
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4516
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2812
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2228
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4996
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{f88e4dd5-514c-c147-bdc8-10aed22ad8e3}\WinUSB_Generic_Device.inf" "9" "494de428f" "0000000000000148" "WinSta0\Default" "0000000000000158" "208" "C:\Users\Admin\usb_driver"
      2⤵
      • Manipulates Digital Signatures
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:3112
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:4068
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:1184
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
        1⤵
          PID:2696

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Synaptics\Synaptics.exe
          Filesize

          5.7MB

          MD5

          6ef27d77f5e163e63bcef83aad488dac

          SHA1

          e58d1eea2b997c9c57ed917002aa3f180258283d

          SHA256

          1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

          SHA512

          73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
          Filesize

          4.9MB

          MD5

          8364578c40b5a7f379adba1bad2521ec

          SHA1

          7e2bac877385ef86efd9d54d1b89ff4e9e18243a

          SHA256

          4b7c58696b7a809525f6abcea9b3e9c1bf91518ebdc0d19af31e219654074342

          SHA512

          034093ece4f6020e6dee686ebd7e197ba4bdcf10c96f5c1934cd0c8120c1e229b7832d26421802c2d572b322e7ed3fa00d495c7dbf1bad73d70d22aa7e71219c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Z4L5TNan.xlsm
          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\winusbcoinstaller2.dll
          Filesize

          831KB

          MD5

          8e7b9f81e8823fee2d82f7de3a44300b

          SHA1

          1633b3715014c90d1c552cd757ef5de33c161dee

          SHA256

          ebe3b7708dd974ee87efed3113028d266af87ca8dbae77c47c6f7612824d3d6c

          SHA512

          9ae37b2747589a0eb312473d895ef87404f4a395a27e15855826a75b4711ea934ca9a2b289df0abe0a8825dec2d5654a0b1603cf0b039fe25662359b730ce1a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{f88e4dd5-514c-c147-bdc8-10aed22ad8e3}\amd64\WinUSBCoInstaller2.dll
          Filesize

          979KB

          MD5

          246900ce6474718730ecd4f873234cf5

          SHA1

          0c84b56c82e4624824154d27926ded1c45f4b331

          SHA256

          981a17effddbc20377512ddaec9f22c2b7067e17a3e2a8ccf82bb7bb7b2420b6

          SHA512

          6a9e305bfbfb57d8f8fd16edabef9291a8a97e4b9c2ae90622f6c056e518a0a731fbb3e33a2591d87c8e4293d0f983ec515e6a241792962257b82401a8811d5c

          Download Submit

        • C:\Users\Admin\USB_DR~1\WINUSB~1.CAT
          Filesize

          4KB

          MD5

          a15572671faf3a6bccf4e2927e3c2142

          SHA1

          288aca80b42ad8d3af80ecfcfb0e4458c26a46d2

          SHA256

          ce82b1904ccea1953f336cb7fa334ed5afdcaf7cf346f9bd60130c87b382724f

          SHA512

          1b2b716cd51b624d8b6d916e3f721083d88270ef693cf59bf0ae93dfba699d48d82d8d2b8c4c521aa0e4904514acac2841d663a7809b35135f3d2a4599001651

          Download Submit

        • C:\Users\Admin\USB_DR~1\amd64\WdfCoInstaller01011.dll
          Filesize

          1.7MB

          MD5

          d10864c1730172780c2d4be633b9220a

          SHA1

          b85d02ba0e8de4aeded1a2f5679505cd403bd201

          SHA256

          f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

          SHA512

          c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

          Download Submit

        • C:\Users\Admin\usb_driver\WinUSB_Generic_Device.inf
          Filesize

          4KB

          MD5

          c7973895547877629e6651a693699dc8

          SHA1

          a6d023050e00cd171cb54b57605ac078488d8875

          SHA256

          2e2ceb01dd904b8103b9ec84d5169a9f491492b3ed9c8954cd302feef14eca5e

          SHA512

          d15c13155a38e25b6b99feb85d16313955b6869aed3d42d2985f5532f52bc2b90e13d67a895cf2bc175b0d3590690c1e337812f04b4596077b91189894d33e62

          Download Submit

        • C:\Users\Admin\usb_driver\installer_x64.exe
          Filesize

          129KB

          MD5

          5de36bf46030e08135bd9fbddca7613c

          SHA1

          8b0c6f66fc3a7eb151bf2f52b27557d02e6c6d69

          SHA256

          25e24cf299644001835fad6125562cd0054d1acce412505b0cc3b82444c0efb2

          SHA512

          a35cc0341660af29c3c803d5d3a4520e3032febc3178abacf4dc108bc1679d79e50a7015fcc5cd9956b7a2bc04736fae6d0f791da45d122adee352df6af4d1b8

          Download Submit

        • C:\Windows\System32\GroupPolicy\gpt.ini
          Filesize

          127B

          MD5

          f9a49a3e2415016fa85ddff0b8b38419

          SHA1

          f8c987119269e58d22a6b17ae2e8eca7744fb385

          SHA256

          14694dbee3897b6bd5aa596ebfd893e727179b67811920c174dc70e6eee8e579

          SHA512

          91ea129a51d2c3b342287c1250f5b0da6ba2a61eff11791d1cfae1f5c6dd2654c935be1452f4a681e794fd723a3c295e9bc9e59b9005aa4d8bd55ed36c9ad91c

          Download Submit

        • memory/1608-128-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/1608-0-0x0000000002820000-0x0000000002821000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2228-193-0x00007FF85B370000-0x00007FF85B380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2228-195-0x00007FF858CB0000-0x00007FF858CC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2228-194-0x00007FF858CB0000-0x00007FF858CC0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2228-192-0x00007FF85B370000-0x00007FF85B380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2228-189-0x00007FF85B370000-0x00007FF85B380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2228-190-0x00007FF85B370000-0x00007FF85B380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2228-191-0x00007FF85B370000-0x00007FF85B380000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2812-205-0x00000000009F0000-0x0000000001064000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2812-188-0x00000000009F0000-0x0000000001064000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-250-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-370-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-399-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-351-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-397-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-354-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-356-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-70-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-249-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/3644-365-0x00000000009D0000-0x0000000001044000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/4516-366-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4516-352-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4516-398-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/4516-281-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download