Overview

overview

10

Static

static

10

71ed567d69...1N.exe

windows7-x64

10

71ed567d69...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    104s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    26/11/2024, 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe

  • Size

    4.1MB

  • MD5

    87c85bf6a20d7dcc35b94983378f5280

  • SHA1

    2515d5eb4479d82338ac8b6da2d7f30a2c8c4f90

  • SHA256

    71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1

  • SHA512

    1e3b604f5273cd81eaaf827b605a3c919b154ef3986606b65c9c8a725d6be2b79b550c71d807979a56cc120d8ed3bdf231b9e7fdff7a09d9103b9031f3c5cde4

  • SSDEEP

    98304:Vnsmtk2aEXzhW148Pd+Tf1mpcOldJQ3/V11v3jypL:pLnFK4s0TfLOdo/HV3epL

Score
10/10
xredbackdoordiscoveryevasionpersistencethemidatrojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 11 IoCs
  • Loads dropped DLL 11 IoCs
  • Themida packer 23 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 7 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 48 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe
    "C:\Users\Admin\AppData\Local\Temp\71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1088
    • C:\Users\Admin\AppData\Local\Temp\._cache_71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2324
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2800
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2564
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2584
          • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
            "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2304
            • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
              "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " /TI/ InjUpdate
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              PID:3020
        • C:\Windows\Resources\Themes\icsys.icn.exe
          C:\Windows\Resources\Themes\icsys.icn.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1476
          • \??\c:\windows\resources\themes\explorer.exe
            c:\windows\resources\themes\explorer.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Loads dropped DLL
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:744
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe SE
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:1856
              • \??\c:\windows\resources\svchost.exe
                c:\windows\resources\svchost.exe
                7⤵
                • Modifies visiblity of hidden/system files in Explorer
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Loads dropped DLL
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Drops file in System32 directory
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2948
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe PR
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:960
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:32 /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2480
                • C:\Windows\SysWOW64\schtasks.exe
                  schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 23:33 /f
                  8⤵
                  • System Location Discovery: System Language Discovery
                  • Scheduled Task/Job: Scheduled Task
                  PID:2528
            • C:\Windows\Explorer.exe
              C:\Windows\Explorer.exe
              6⤵
                PID:880
    • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
      "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
      1⤵
      • System Location Discovery: System Language Discovery
      • Enumerates system info in registry
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious use of SetWindowsHookEx
      PID:2876
    • C:\Windows\system32\makecab.exe
      "C:\Windows\system32\makecab.exe" C:\Windows\Logs\CBS\CbsPersist_20241126233037.log C:\Windows\Logs\CBS\CbsPersist_20241126233037.cab
      1⤵
      • Drops file in Windows directory
      PID:1636

    Network

    MITRE ATT&CK Enterprise v15

    Reconnaissance

    Resource Development

    Initial Access

    Execution

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Persistence

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Privilege Escalation

    Boot or Logon Autostart Execution

    1
    T1547

    Registry Run Keys / Startup Folder

    1
    T1547.001

    Scheduled Task/Job

    1
    T1053

    Scheduled Task

    1
    T1053.005

    Defense Evasion

    Hide Artifacts

    1
    T1564

    Hidden Files and Directories

    1
    T1564.001

    Modify Registry

    2
    T1112

    Virtualization/Sandbox Evasion

    1
    T1497

    Credential Access

    Discovery

    Query Registry

    3
    T1012

    System Information Discovery

    4
    T1082

    System Location Discovery

    1
    T1614

    System Language Discovery

    1
    T1614.001

    Virtualization/Sandbox Evasion

    1
    T1497

    Lateral Movement

    Collection

    Command and Control

    Exfiltration

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      4.1MB

      MD5

      87c85bf6a20d7dcc35b94983378f5280

      SHA1

      2515d5eb4479d82338ac8b6da2d7f30a2c8c4f90

      SHA256

      71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1

      SHA512

      1e3b604f5273cd81eaaf827b605a3c919b154ef3986606b65c9c8a725d6be2b79b550c71d807979a56cc120d8ed3bdf231b9e7fdff7a09d9103b9031f3c5cde4

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\9SYBwURI.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Windows\Temp\autFE1D.tmp
      Filesize

      25KB

      MD5

      d5c0165d31fb3813f8646555a5758881

      SHA1

      f517870ae53ddc77512d36debb44468da3edbd8e

      SHA256

      6916a5d078c6daf3db977ae55853cc4eef93e24328c8e8ef955220d10c7052b9

      SHA512

      21fa61a736ce0dd802aae7c81efeb5ae2f2319f34aadee941ea87dfeda3431f36a278513fbab6e33a028e6b7ee024cd51333fd31ce645dd92598e078e3313219

      Download Submit

    • C:\Windows\Temp\cawacvz
      Filesize

      86KB

      MD5

      2cc29be38bd5a1e14386c7186a7f6959

      SHA1

      858df624a55d519b8f1e597850c867b97cbcbc7b

      SHA256

      1f8a85d2720b2cbeeadfb92ac471a3902c128f13cf04e0d59bbff54f786943a0

      SHA512

      0a39e8dbf9dad26e085de227679447586f3923fc3d2d3df219e9b837723cbc026af592d30ae25195338b627c1526b114f98527e37d51072a48083213915b0cbe

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe
      Filesize

      3.3MB

      MD5

      923d00022b92bfbc27f875cf19f03e10

      SHA1

      5b015ccd1eaf741ef16dc1d7bc97d53dc8cfca98

      SHA256

      26902e46a1dda71d501c54d348dc242adf97032c630199307f8b432eed4afde6

      SHA512

      274011c0320b7f242a5e7aac066b7a8b10f4d08b657b4cc348630d7e84dc7e9c2fd260f6d1e818cdcb9eedb30ca374d8f0a6717b95e0388e12fdac96fd6dfb38

      Download Submit

    • \Users\Admin\AppData\Local\Temp\._cache_synaptics.exe 
      Filesize

      771KB

      MD5

      fe260da05d0512b65eec3e4cec4ea17c

      SHA1

      8915d023e9a5dfbba722b6d9678cbafe6a3b3630

      SHA256

      9dd559318f745949f4b68015033866a5ff02afea3fce22fca28e5bc33de40fc8

      SHA512

      bf875821c7b4bd21b458e248d657a23378493066a77113786c67ac94d8632f90fcb2da183ab842c5fab1ecedb80e2b143c0ffb24dc864264f3386eff3f929f5b

      Download Submit

    • \Windows\Resources\Themes\explorer.exe
      Filesize

      2.6MB

      MD5

      44315d1c5b56a9c8bc3adff6780edadd

      SHA1

      d1f0828e8dd35574f0bd23496c5b05163dd0f878

      SHA256

      5b8b5611997a19440bad55968879c33e00691e91721d6bada932ef3d98372476

      SHA512

      b1c7af94e11395ca1ebc6d83014c9ecaa655c90164f43cb1fb3c4b66b0aa393653549899535e7590def4fc4a73256ef002c3ecd043070faf42883eacccb01cce

      Download Submit

    • \Windows\Resources\Themes\icsys.icn.exe
      Filesize

      2.6MB

      MD5

      02da612c2a12a61524dd5b95f1ad1f0f

      SHA1

      672ef806475880f58483b111acc7cf8bfd77ce6c

      SHA256

      d3b0de7c01802869be2c1233a491a2b94945e2fc82a3c3719365a9746477a24d

      SHA512

      0a4c32617c2a94d7eba6435a72e0b718f2e37ac80b67414bec0d60f8a2df43fb902bc682aa585d03fa04cab145236fe42d541b7d60cee796619c9523fbb322d8

      Download Submit

    • \Windows\Resources\spoolsv.exe
      Filesize

      2.6MB

      MD5

      d8b5fc05dae4a7fb06e17a417218d66b

      SHA1

      4094289b5185681011aac0ac751480ec793045f7

      SHA256

      ab6134d8dd7103070cf395b6205a820ef93a70045700f7f0003c37c6eb8b0464

      SHA512

      c5303f2c3cde27acaa168b45b892576e7620b705a9136e3e0ee8d1c3446b7904dd1762b26ad378e34096afc4332e69fcb6dc17b17a89f44da4116ad70ac2ae95

      Download Submit

    • \Windows\Resources\svchost.exe
      Filesize

      2.6MB

      MD5

      a0903bd8e2f5ceb7ed026ff8cb991301

      SHA1

      1877e19490d2cd79dd2ae88cc2a0211710fdac93

      SHA256

      cac7d0a7de2590a99b987ab5a895fe3eb9c3154dc4e0e1d8c353747fe7a46ad5

      SHA512

      f56559596d5c905f058643d64882ea6a64b3f1a09884c1501f96abf7fa439713ec6ce6322da81d9317a6f43c92628eaf4e4b2fbaa47f8564969fcf40c952add7

      Download Submit

    • memory/744-161-0x00000000037F0000-0x0000000003E06000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/744-160-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/744-109-0x00000000037F0000-0x0000000003E06000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/744-196-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/744-84-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/744-226-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/960-149-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1088-0-0x0000000000230000-0x0000000000231000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1088-27-0x0000000000400000-0x0000000000819000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/1088-16-0x0000000005910000-0x0000000005F26000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1476-63-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1476-150-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1476-157-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1476-74-0x00000000038C0000-0x0000000003ED6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1856-134-0x0000000003630000-0x0000000003C46000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1856-153-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/1856-110-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2324-18-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2324-118-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2564-156-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2564-140-0x00000000034D0000-0x0000000003AE6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2564-61-0x00000000034D0000-0x0000000003AE6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2564-38-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2564-136-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2800-159-0x0000000000400000-0x0000000000819000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2800-135-0x00000000059E0000-0x0000000005FF6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2800-178-0x0000000000400000-0x0000000000819000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2800-182-0x0000000000400000-0x0000000000819000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2800-37-0x00000000059E0000-0x0000000005FF6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2800-199-0x0000000000400000-0x0000000000819000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2800-229-0x0000000000400000-0x0000000000819000-memory.dmp

      Filesize

      4.1MB

      Download

    • memory/2876-49-0x000000005FFF0000-0x0000000060000000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2948-151-0x00000000031B0000-0x00000000037C6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2948-163-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2948-165-0x00000000031B0000-0x00000000037C6000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2948-137-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/2948-227-0x0000000000400000-0x0000000000A16000-memory.dmp

      Filesize

      6.1MB

      Download