Analysis

  • max time kernel
    144s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags
    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    21-11-2024 05:18

General

  • Target

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe

  • Size

    5.7MB

  • MD5

    6ef27d77f5e163e63bcef83aad488dac

  • SHA1

    e58d1eea2b997c9c57ed917002aa3f180258283d

  • SHA256

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

  • SHA512

    73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

  • SSDEEP

    98304:snsmtk2a1oiKjvpG51TDyWAYAZkEIVGzUihpHQSUggLFsXmL+uEqZEJh9bkUDRpp:CLO+jvIALYih2SUgpXa+jKEJh9b/9D

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Manipulates Digital Signatures 1 TTPs 4 IoCs

    Attackers can apply techniques such as changing the Authenticode and Cryptography registry keys so that their binary is treated as validly signed.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in System32 directory 27 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with the open-source UPX packer or a modified UPX.

  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 2 IoCs
  • Modifies registry class 38 IoCs
  • Modifies system certificate store 2 TTPs 15 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 40 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2856
    • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
      2⤵
      • Manipulates Digital Signatures
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\usb_driver\installer_x64.exe
        "C:\Users\Admin\usb_driver\installer_x64.exe" "WinUSB_Generic_Device.inf"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1736
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies system certificate store
      • Suspicious use of WriteProcessMemory
      PID:2896
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2708
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:944
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{0674ed6e-05ec-2068-e952-9369edecba5f}\WinUSB_Generic_Device.inf" "9" "694de428f" "0000000000000570" "WinSta0\Default" "00000000000002DC" "208" "C:\Users\Admin\usb_driver"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:556
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 10 Global\{05c8ceb9-fd86-4c5b-edca-4f296095cc57} Global\{7fd66cd8-a860-004b-4e16-df3f62aacb00} C:\Windows\System32\DriverStore\Temp\{19ce77ec-282b-54b4-68ab-5e39c4155870}\WinUSB_Generic_Device.inf C:\Windows\System32\DriverStore\Temp\{19ce77ec-282b-54b4-68ab-5e39c4155870}\WinUSB_Generic_Device.cat
      2⤵
      PID:2560
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "ACPI\QEMU0002\3&11583659&0" "" "" "66f22ec5b" "00000000000002DC" "0000000000000568" "0000000000000564"
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2060
  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\newdev.dll,pDiDeviceInstallNotification \\.\pipe\PNP_Device_Install_Pipe_1.{a2d91a8b-c069-4e23-918a-0b499fb2fa6b} "(null)"
    1⤵
    PID:2908

Downloads

      • C:\ProgramData\Synaptics\Synaptics.exe

        Filesize

        5.7MB

        MD5

        6ef27d77f5e163e63bcef83aad488dac

        SHA1

        e58d1eea2b997c9c57ed917002aa3f180258283d

        SHA256

        1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

        SHA512

        73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

      • C:\Users\Admin\AppData\Local\Temp\TKCLC8dk.xlsm

        Filesize

        17KB

        MD5

        e566fc53051035e1e6fd0ed1823de0f9

        SHA1

        00bc96c48b98676ecd67e81a6f1d7754e4156044

        SHA256

        8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

        SHA512

        a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      • C:\Users\Admin\AppData\Local\Temp\TKCLC8dk.xlsm

        Filesize

        22KB

        MD5

        01700c4ca08e4c6ce265624a7ab32fff

        SHA1

        ebc60b1ddaeaa25c1702b8c9a8155107bde50991

        SHA256

        d9b0b74fec3713dcd5e97bac60e56871fc4cf27a784ebf6247da0fe51e23db75

        SHA512

        7ae7716c062382042a83936e9e74ba7a8470cd2d03b520ec245f05f5625b33c68ee4a0af44b64ad136d5ac85fc8fc1c354179d6ee7d31ba9a6233a157e27dda6

      • C:\Users\Admin\AppData\Local\Temp\TKCLC8dk.xlsm

        Filesize

        26KB

        MD5

        8699852c98344607c4f919c4c610bf98

        SHA1

        29f0a05b27e9b8d51805989a97307649db069342

        SHA256

        108ba4cd854933d14f23ee4fdd58f0d3ef8f4d95c15b4386f1c496371fcbe0e3

        SHA512

        933428c75668a298b67adcce3944e601fb3c6270e95d9638e2ca41b9549d6cb5d32aa66aa9bdc7722cd1ea9ec13df9c1d6119e49c50f5456bb784715497a9cf4

      • C:\Users\Admin\AppData\Local\Temp\Zadig.log

        Filesize

        27KB

        MD5

        0cd26489b9125f5414633e5b9b1662d3

        SHA1

        2e7ee70d1957518afd7826f8f000a0e7e9cd8577

        SHA256

        0de6f6c1023c649240673adae2ceca497c114aff2dbe3bfd0876c5acbf2b879d

        SHA512

        5682027a0087c12daf49b905d4992e0878b033bb4cd4ab35f1723e3130111983560258a834405522b79959bacff25114dfb19f36556a52c154c9a0a28ef46204

      • C:\Users\Admin\USB_DR~1\amd64\WdfCoInstaller01011.dll

        Filesize

        1.7MB

        MD5

        d10864c1730172780c2d4be633b9220a

        SHA1

        b85d02ba0e8de4aeded1a2f5679505cd403bd201

        SHA256

        f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

        SHA512

        c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

      • C:\Users\Admin\USB_DR~1\amd64\WinUSBCoInstaller2.dll

        Filesize

        979KB

        MD5

        246900ce6474718730ecd4f873234cf5

        SHA1

        0c84b56c82e4624824154d27926ded1c45f4b331

        SHA256

        981a17effddbc20377512ddaec9f22c2b7067e17a3e2a8ccf82bb7bb7b2420b6

        SHA512

        6a9e305bfbfb57d8f8fd16edabef9291a8a97e4b9c2ae90622f6c056e518a0a731fbb3e33a2591d87c8e4293d0f983ec515e6a241792962257b82401a8811d5c

      • C:\Users\Admin\usb_driver\WinUSB_Generic_Device.cat

        Filesize

        2KB

        MD5

        94d953ef3b41346d07c9ad8fd6975c37

        SHA1

        6fcfa67934a2b72666ff50277ffd94555c7e0beb

        SHA256

        ef3c6b5069e92e85a69c5cd6bf60a9353c91a4a7ef3053b70ca03f9317c96e9a

        SHA512

        2b1bcc9b7aff9b5204919fec754e0825d3313e46b14748a0bfe3ab4e5ef18757bf7bc6a72cdc1bfb4f826186ebaded5297ab2862d230aaf18143a320fc082231

      • C:\Users\Admin\usb_driver\WinUSB_Generic_Device.inf

        Filesize

        4KB

        MD5

        648000e167bc728604028ba803af94de

        SHA1

        f4cb1eac159efa1ccba8d6455ba8f60a931375a2

        SHA256

        962cf5d4496da86decdf4a85bad12067053b6757dbda2a1dc21411275599f3e1

        SHA512

        c3d0946df12f129d3a1afa7801a5191a23260893cf92fa0bbc3def8da84109f9311e9b092af1ccaa781fe146b2635a011b7af0cdd7175f5e439058eda7cd553f

      • C:\Windows\System32\DriverStore\INFCACHE.1

        Filesize

        1.4MB

        MD5

        93e178f2f1f5f0f3601f965ddbe48ab7

        SHA1

        020ec60ce6e7dec5b0da28a4a3a168ba90a176db

        SHA256

        98adb7ff16ddaab99cc9c73f3375dee46d17b38aaf6b9187519a7238c2411cc8

        SHA512

        58dcf4b465d33266f0ff253aa41a3093c26ac0daae0e1d48b81452c2bad98974772b119e62c6c9d39f1d4350a0f5ab0fafb4f6d922dac87428448a472cb717da

      • \Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

        Filesize

        4.9MB

        MD5

        8364578c40b5a7f379adba1bad2521ec

        SHA1

        7e2bac877385ef86efd9d54d1b89ff4e9e18243a

        SHA256

        4b7c58696b7a809525f6abcea9b3e9c1bf91518ebdc0d19af31e219654074342

        SHA512

        034093ece4f6020e6dee686ebd7e197ba4bdcf10c96f5c1934cd0c8120c1e229b7832d26421802c2d572b322e7ed3fa00d495c7dbf1bad73d70d22aa7e71219c

      • \Users\Admin\AppData\Local\Temp\winusbcoinstaller2.dll

        Filesize

        831KB

        MD5

        8e7b9f81e8823fee2d82f7de3a44300b

        SHA1

        1633b3715014c90d1c552cd757ef5de33c161dee

        SHA256

        ebe3b7708dd974ee87efed3113028d266af87ca8dbae77c47c6f7612824d3d6c

        SHA512

        9ae37b2747589a0eb312473d895ef87404f4a395a27e15855826a75b4711ea934ca9a2b289df0abe0a8825dec2d5654a0b1603cf0b039fe25662359b730ce1a9

      • \Users\Admin\usb_driver\installer_x64.exe

        Filesize

        129KB

        MD5

        5de36bf46030e08135bd9fbddca7613c

        SHA1

        8b0c6f66fc3a7eb151bf2f52b27557d02e6c6d69

        SHA256

        25e24cf299644001835fad6125562cd0054d1acce412505b0cc3b82444c0efb2

        SHA512

        a35cc0341660af29c3c803d5d3a4520e3032febc3178abacf4dc108bc1679d79e50a7015fcc5cd9956b7a2bc04736fae6d0f791da45d122adee352df6af4d1b8

      • memory/944-72-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/944-129-0x000000005FFF0000-0x0000000060000000-memory.dmp

        Filesize

        64KB

      • memory/2708-114-0x0000000001390000-0x0000000001A04000-memory.dmp

        Filesize

        6.5MB

      • memory/2708-39-0x0000000001390000-0x0000000001A04000-memory.dmp

        Filesize

        6.5MB

      • memory/2856-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

        Filesize

        4KB

      • memory/2856-29-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/2856-17-0x0000000005310000-0x0000000005984000-memory.dmp

        Filesize

        6.5MB

      • memory/2896-217-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-115-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-133-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-131-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-35-0x0000000005620000-0x0000000005C94000-memory.dmp

        Filesize

        6.5MB

      • memory/2896-277-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/2896-116-0x0000000005620000-0x0000000005C94000-memory.dmp

        Filesize

        6.5MB

      • memory/2896-244-0x0000000000400000-0x00000000009AE000-memory.dmp

        Filesize

        5.7MB

      • memory/3052-18-0x0000000001360000-0x00000000019D4000-memory.dmp

        Filesize

        6.5MB

      • memory/3052-242-0x0000000001360000-0x00000000019D4000-memory.dmp

        Filesize

        6.5MB

      • memory/3052-143-0x0000000005830000-0x0000000005832000-memory.dmp

        Filesize

        8KB

      • memory/3052-246-0x0000000001360000-0x00000000019D4000-memory.dmp

        Filesize

        6.5MB

      • memory/3052-199-0x0000000001360000-0x00000000019D4000-memory.dmp

        Filesize

        6.5MB

      • memory/3052-99-0x0000000001360000-0x00000000019D4000-memory.dmp

        Filesize

        6.5MB