Overview

overview

10

Static

static

10

1ce6e133b0...37.exe

windows7-x64

10

1ce6e133b0...37.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2024 05:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe

  • Size

    5.7MB

  • MD5

    6ef27d77f5e163e63bcef83aad488dac

  • SHA1

    e58d1eea2b997c9c57ed917002aa3f180258283d

  • SHA256

    1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

  • SHA512

    73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

  • SSDEEP

    98304:snsmtk2a1oiKjvpG51TDyWAYAZkEIVGzUihpHQSUggLFsXmL+uEqZEJh9bkUDRpp:CLO+jvIALYih2SUgpXa+jKEJh9b/9D

Score
10/10
xredbackdoordiscoverymacropersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Manipulates Digital Signatures 1 TTPs 5 IoCs

    Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Checks computer location settings 2 TTPs 3 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 25 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 26 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 41 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
    evasionspywaretrojan
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 19 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
    "C:\Users\Admin\AppData\Local\Temp\1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5040
    • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe"
      2⤵
      • Manipulates Digital Signatures
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Modifies system certificate store
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Users\Admin\usb_driver\installer_x64.exe
        "C:\Users\Admin\usb_driver\installer_x64.exe" "WinUSB_Generic_Device.inf"
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:5076
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:564
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
    1⤵
      PID:2676
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
      1⤵
        PID:2016
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
        1⤵
        • Drops file in Windows directory
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2992
        • C:\Windows\system32\DrvInst.exe
          DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{7c4b2610-a0e6-d348-9323-b094a45aa31d}\WinUSB_Generic_Device.inf" "9" "494de428f" "0000000000000140" "WinSta0\Default" "0000000000000150" "208" "C:\Users\Admin\usb_driver"
          2⤵
          • Manipulates Digital Signatures
          • Drops file in System32 directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          • Modifies data under HKEY_USERS
          PID:1160
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2140
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s fhsvc
        1⤵
          PID:4476

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\ProgramData\Synaptics\Synaptics.exe
          Filesize

          5.7MB

          MD5

          6ef27d77f5e163e63bcef83aad488dac

          SHA1

          e58d1eea2b997c9c57ed917002aa3f180258283d

          SHA256

          1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137

          SHA512

          73e29cdd50eea7d2dc9ac2fb9f34c030f45e89a45e2e6c9cc2cac027cd70bfb92dcfa2a7bd0db1980df46d3686c18d5105f6c4fc33560c42654ae0ce5e4b8d0a

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\._cache_1ce6e133b0aee819669af334b31e321a44f74020d2e36e43183f7aedd87cc137.exe
          Filesize

          4.9MB

          MD5

          8364578c40b5a7f379adba1bad2521ec

          SHA1

          7e2bac877385ef86efd9d54d1b89ff4e9e18243a

          SHA256

          4b7c58696b7a809525f6abcea9b3e9c1bf91518ebdc0d19af31e219654074342

          SHA512

          034093ece4f6020e6dee686ebd7e197ba4bdcf10c96f5c1934cd0c8120c1e229b7832d26421802c2d572b322e7ed3fa00d495c7dbf1bad73d70d22aa7e71219c

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7IuYTeZG.xlsm
          Filesize

          22KB

          MD5

          e03418d66312ad7216c4711ff53d70fd

          SHA1

          45fecd914f21fcc4d2f7ee4d5673257bceafd1bc

          SHA256

          3bd8c7c5eea9ae6e6f909286725836793654fea6b6193dcce1cfa55ed0abecf7

          SHA512

          a4758a913033dd8c02d76049ac316d907c1e8535410e70cd943549f43b008647e9b1956908fcfdf5ae6008f10c6191885c358d78d6ff06a8a6aa635995cce9b7

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\7IuYTeZG.xlsm
          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\Zadig.log
          Filesize

          14KB

          MD5

          636552e3cbca2c8baf6fa6c916149d70

          SHA1

          be00bba49768d4a42811b51b6740601b3ceff2fe

          SHA256

          b7a351b7f5c4d24a7c59d7f566ecbd3d752f0799d5dd778a30548f47642d3315

          SHA512

          cdd62e49b6230f95fb8dc9c73d6765ed4e29a39ed7c15971b748d918d9a90e1bf97dd7c5c7ed01d9d4dd3a83297634df5516bfbafa6ec7c01cbe1dbe8c6161f2

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\winusbcoinstaller2.dll
          Filesize

          831KB

          MD5

          8e7b9f81e8823fee2d82f7de3a44300b

          SHA1

          1633b3715014c90d1c552cd757ef5de33c161dee

          SHA256

          ebe3b7708dd974ee87efed3113028d266af87ca8dbae77c47c6f7612824d3d6c

          SHA512

          9ae37b2747589a0eb312473d895ef87404f4a395a27e15855826a75b4711ea934ca9a2b289df0abe0a8825dec2d5654a0b1603cf0b039fe25662359b730ce1a9

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\{7c4b2610-a0e6-d348-9323-b094a45aa31d}\amd64\WinUSBCoInstaller2.dll
          Filesize

          979KB

          MD5

          246900ce6474718730ecd4f873234cf5

          SHA1

          0c84b56c82e4624824154d27926ded1c45f4b331

          SHA256

          981a17effddbc20377512ddaec9f22c2b7067e17a3e2a8ccf82bb7bb7b2420b6

          SHA512

          6a9e305bfbfb57d8f8fd16edabef9291a8a97e4b9c2ae90622f6c056e518a0a731fbb3e33a2591d87c8e4293d0f983ec515e6a241792962257b82401a8811d5c

          Download Submit

        • C:\Users\Admin\USB_DR~1\WINUSB~1.CAT
          Filesize

          4KB

          MD5

          721c4177c21038e09329d8e30a36153a

          SHA1

          74687d524a5af5a0ec6645d4ccf8b6e203603adb

          SHA256

          b9b89e98bf543bb7b864b6802f3c524006d421c0818d0801046ceb517656d865

          SHA512

          956733d9dfbce367eaadb70d4cab0564dceb7267256df982552ac2e2f8cfc1cf83d663618a442804d3b032e4d7961f37c15fa1cf1cd1f71d44005d8d14286966

          Download Submit

        • C:\Users\Admin\USB_DR~1\amd64\WdfCoInstaller01011.dll
          Filesize

          1.7MB

          MD5

          d10864c1730172780c2d4be633b9220a

          SHA1

          b85d02ba0e8de4aeded1a2f5679505cd403bd201

          SHA256

          f6fb39a8578f19616570d5a3dc7212c84a9da232b30a03376bbf08f4264fedf2

          SHA512

          c161bfa9118e04eb60a885bf99758843c4b1349ac58d2e501dabbd7efc0480ec902ac9a2be16f850b218e97b022a90fcc44925d7b6e5113766621f7ade38b040

          Download Submit

        • C:\Users\Admin\usb_driver\WinUSB_Generic_Device.inf
          Filesize

          4KB

          MD5

          c7973895547877629e6651a693699dc8

          SHA1

          a6d023050e00cd171cb54b57605ac078488d8875

          SHA256

          2e2ceb01dd904b8103b9ec84d5169a9f491492b3ed9c8954cd302feef14eca5e

          SHA512

          d15c13155a38e25b6b99feb85d16313955b6869aed3d42d2985f5532f52bc2b90e13d67a895cf2bc175b0d3590690c1e337812f04b4596077b91189894d33e62

          Download Submit

        • C:\Users\Admin\usb_driver\installer_x64.exe
          Filesize

          129KB

          MD5

          5de36bf46030e08135bd9fbddca7613c

          SHA1

          8b0c6f66fc3a7eb151bf2f52b27557d02e6c6d69

          SHA256

          25e24cf299644001835fad6125562cd0054d1acce412505b0cc3b82444c0efb2

          SHA512

          a35cc0341660af29c3c803d5d3a4520e3032febc3178abacf4dc108bc1679d79e50a7015fcc5cd9956b7a2bc04736fae6d0f791da45d122adee352df6af4d1b8

          Download Submit

        • C:\Windows\System32\GroupPolicy\gpt.ini
          Filesize

          127B

          MD5

          cead048a81341e7f91c31f96a82e98e3

          SHA1

          32f24dda3c3774957c623df11c1237c36ded44fd

          SHA256

          07956deed8284ce2dc1ff98f4a0fc3776df4b2299f53fac42962fe6f8de39836

          SHA512

          34c2887a34a65befe377822c93c662f26ace734b74628c77334d019f22633ecde948ceba29dad5d2b38685bfd90bbdc9817887f1f5a7bd4d3d68fbde38611a7a

          Download Submit

        • memory/564-189-0x0000000000900000-0x0000000000F74000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/564-191-0x0000000000900000-0x0000000000F74000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-243-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-235-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-445-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-404-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-408-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-395-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-392-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-386-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/1136-69-0x0000000000D20000-0x0000000001394000-memory.dmp

          Filesize

          6.5MB

          Download

        • memory/2140-335-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-336-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-338-0x00007FFDCA9E0000-0x00007FFDCA9F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-337-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-339-0x00007FFDCA9E0000-0x00007FFDCA9F0000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-333-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2140-334-0x00007FFDCCE10000-0x00007FFDCCE20000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3584-387-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3584-393-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3584-406-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3584-244-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3584-129-0x0000000002510000-0x0000000002511000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3584-440-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/5040-0-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/5040-128-0x0000000000400000-0x00000000009AE000-memory.dmp

          Filesize

          5.7MB

          Download