Overview

overview

10

Static

static

10

71ed567d69...1N.exe

windows7-x64

10

71ed567d69...1N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/11/2024, 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe

  • Size

    4.1MB

  • MD5

    87c85bf6a20d7dcc35b94983378f5280

  • SHA1

    2515d5eb4479d82338ac8b6da2d7f30a2c8c4f90

  • SHA256

    71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1

  • SHA512

    1e3b604f5273cd81eaaf827b605a3c919b154ef3986606b65c9c8a725d6be2b79b550c71d807979a56cc120d8ed3bdf231b9e7fdff7a09d9103b9031f3c5cde4

  • SSDEEP

    98304:Vnsmtk2aEXzhW148Pd+Tf1mpcOldJQ3/V11v3jypL:pLnFK4s0TfLOdo/HV3epL

Score
10/10
xredbackdoordiscoveryevasionpersistencethemidatrojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
    evasion
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 7 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 14 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 11 IoCs
  • Themida packer 22 IoCs

    Detects Themida, an advanced Windows software protection system.

    themida
  • Adds Run key to start application 2 TTPs 5 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 7 IoCs
    evasiontrojan
  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 7 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe
    "C:\Users\Admin\AppData\Local\Temp\71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Users\Admin\AppData\Local\Temp\._cache_71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Checks whether UAC is enabled
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      PID:2024
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:616
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Checks whether UAC is enabled
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4944
        • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
          c:\users\admin\appdata\local\temp\._cache_synaptics.exe  InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4284
          • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
            "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " InjUpdate
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:1540
            • \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe 
              "c:\users\admin\appdata\local\temp\._cache_synaptics.exe " /TI/ InjUpdate
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Modifies data under HKEY_USERS
              PID:844
        • C:\Windows\Resources\Themes\icsys.icn.exe
          C:\Windows\Resources\Themes\icsys.icn.exe
          4⤵
          • Identifies VirtualBox via ACPI registry values (likely anti-VM)
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Checks whether UAC is enabled
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:916
          • \??\c:\windows\resources\themes\explorer.exe
            c:\windows\resources\themes\explorer.exe
            5⤵
            • Modifies visiblity of hidden/system files in Explorer
            • Identifies VirtualBox via ACPI registry values (likely anti-VM)
            • Checks BIOS information in registry
            • Executes dropped EXE
            • Adds Run key to start application
            • Checks whether UAC is enabled
            • Drops file in System32 directory
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • Drops file in Windows directory
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: GetForegroundWindowSpam
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:4564
            • \??\c:\windows\resources\spoolsv.exe
              c:\windows\resources\spoolsv.exe SE
              6⤵
              • Identifies VirtualBox via ACPI registry values (likely anti-VM)
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Checks whether UAC is enabled
              • Suspicious use of NtSetInformationThreadHideFromDebugger
              • Drops file in Windows directory
              • System Location Discovery: System Language Discovery
              • Suspicious use of SetWindowsHookEx
              • Suspicious use of WriteProcessMemory
              PID:3056
              • \??\c:\windows\resources\svchost.exe
                c:\windows\resources\svchost.exe
                7⤵
                • Modifies visiblity of hidden/system files in Explorer
                • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                • Checks BIOS information in registry
                • Executes dropped EXE
                • Adds Run key to start application
                • Checks whether UAC is enabled
                • Drops file in System32 directory
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: GetForegroundWindowSpam
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:4324
                • \??\c:\windows\resources\spoolsv.exe
                  c:\windows\resources\spoolsv.exe PR
                  8⤵
                  • Identifies VirtualBox via ACPI registry values (likely anti-VM)
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Checks whether UAC is enabled
                  • Suspicious use of NtSetInformationThreadHideFromDebugger
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of SetWindowsHookEx
                  PID:2876
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1368

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    4.1MB

    MD5

    87c85bf6a20d7dcc35b94983378f5280

    SHA1

    2515d5eb4479d82338ac8b6da2d7f30a2c8c4f90

    SHA256

    71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1

    SHA512

    1e3b604f5273cd81eaaf827b605a3c919b154ef3986606b65c9c8a725d6be2b79b550c71d807979a56cc120d8ed3bdf231b9e7fdff7a09d9103b9031f3c5cde4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_71ed567d690dd83de676f2a897a362794642d64d7d3e06960f1d09d43f2a97e1N.exe
    Filesize

    3.3MB

    MD5

    923d00022b92bfbc27f875cf19f03e10

    SHA1

    5b015ccd1eaf741ef16dc1d7bc97d53dc8cfca98

    SHA256

    26902e46a1dda71d501c54d348dc242adf97032c630199307f8b432eed4afde6

    SHA512

    274011c0320b7f242a5e7aac066b7a8b10f4d08b657b4cc348630d7e84dc7e9c2fd260f6d1e818cdcb9eedb30ca374d8f0a6717b95e0388e12fdac96fd6dfb38

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_synaptics.exe 
    Filesize

    771KB

    MD5

    fe260da05d0512b65eec3e4cec4ea17c

    SHA1

    8915d023e9a5dfbba722b6d9678cbafe6a3b3630

    SHA256

    9dd559318f745949f4b68015033866a5ff02afea3fce22fca28e5bc33de40fc8

    SHA512

    bf875821c7b4bd21b458e248d657a23378493066a77113786c67ac94d8632f90fcb2da183ab842c5fab1ecedb80e2b143c0ffb24dc864264f3386eff3f929f5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\15A75E00
    Filesize

    22KB

    MD5

    7bf106f9e2d81429554131b61cfdc48f

    SHA1

    d619960f9928380e95345882124985a4a9f6963a

    SHA256

    910f2330d627f876b2d04de4ddafc6039c33b2ac2faac879735ab294da261526

    SHA512

    0433c1387bc34dda6d33ceae5d280ce800705337ba0fb9933a98f02f0dec64e62e6ed1e0308d1dafd3a64d61f28c0c3d0e007e1cd68d80dcfa03065696a42ef2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\P2bsbrDH.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Windows\Resources\Themes\icsys.icn.exe
    Filesize

    2.6MB

    MD5

    02da612c2a12a61524dd5b95f1ad1f0f

    SHA1

    672ef806475880f58483b111acc7cf8bfd77ce6c

    SHA256

    d3b0de7c01802869be2c1233a491a2b94945e2fc82a3c3719365a9746477a24d

    SHA512

    0a4c32617c2a94d7eba6435a72e0b718f2e37ac80b67414bec0d60f8a2df43fb902bc682aa585d03fa04cab145236fe42d541b7d60cee796619c9523fbb322d8

    Download Submit

  • C:\Windows\Resources\spoolsv.exe
    Filesize

    2.6MB

    MD5

    fef7f382642daa919a3a0209335d3702

    SHA1

    41d90d29b9cda9d417d8fbc0dbe7aa5584d22c7b

    SHA256

    a25cc547000d1dbd0ff9fc9b4aabdea190a0a987a37dcb95eb5d3f4f768f8502

    SHA512

    9addc4d73012ac931fbf74b58b901176deec8a3d0d78b009cb42d279529309b9bd20734fdf5c1dba3cdae6164f042ff180a3ffa6a33a3b1686cde98cd11eae23

    Download Submit

  • C:\Windows\Temp\aut9B17.tmp
    Filesize

    25KB

    MD5

    d5c0165d31fb3813f8646555a5758881

    SHA1

    f517870ae53ddc77512d36debb44468da3edbd8e

    SHA256

    6916a5d078c6daf3db977ae55853cc4eef93e24328c8e8ef955220d10c7052b9

    SHA512

    21fa61a736ce0dd802aae7c81efeb5ae2f2319f34aadee941ea87dfeda3431f36a278513fbab6e33a028e6b7ee024cd51333fd31ce645dd92598e078e3313219

    Download Submit

  • C:\Windows\Temp\otiibzy
    Filesize

    86KB

    MD5

    2cc29be38bd5a1e14386c7186a7f6959

    SHA1

    858df624a55d519b8f1e597850c867b97cbcbc7b

    SHA256

    1f8a85d2720b2cbeeadfb92ac471a3902c128f13cf04e0d59bbff54f786943a0

    SHA512

    0a39e8dbf9dad26e085de227679447586f3923fc3d2d3df219e9b837723cbc026af592d30ae25195338b627c1526b114f98527e37d51072a48083213915b0cbe

    Download Submit

  • \??\c:\windows\resources\svchost.exe
    Filesize

    2.6MB

    MD5

    a0903bd8e2f5ceb7ed026ff8cb991301

    SHA1

    1877e19490d2cd79dd2ae88cc2a0211710fdac93

    SHA256

    cac7d0a7de2590a99b987ab5a895fe3eb9c3154dc4e0e1d8c353747fe7a46ad5

    SHA512

    f56559596d5c905f058643d64882ea6a64b3f1a09884c1501f96abf7fa439713ec6ce6322da81d9317a6f43c92628eaf4e4b2fbaa47f8564969fcf40c952add7

    Download Submit

  • \??\c:\windows\resources\themes\explorer.exe
    Filesize

    2.6MB

    MD5

    4572a695cdb4a29a3a61bc36c40df75b

    SHA1

    1b1fee0b97cc9a651bb0a240b45fca1e05223389

    SHA256

    ef803b7e28295b9205f3e727bf41fca93a729d7abe82ee406c2b88a1342a4ba5

    SHA512

    76942f254c3cc67a3de7bd9830388d52b37bc80c2867447c4336c1f68474d540a3d674a6f0daafd704a1338676e21ba30d09575df79c894b9598b96b160df58a

    Download Submit

  • memory/616-376-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/616-133-0x00000000008E0000-0x00000000008E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/616-325-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/616-334-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/916-295-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/916-218-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/1036-0-0x0000000000B00000-0x0000000000B01000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1036-130-0x0000000000400000-0x0000000000819000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/1368-194-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1368-202-0x00007FFCAB180000-0x00007FFCAB190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1368-195-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1368-196-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1368-199-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1368-198-0x00007FFCAD6D0000-0x00007FFCAD6E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1368-207-0x00007FFCAB180000-0x00007FFCAB190000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2024-70-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2024-298-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2024-126-0x0000000077634000-0x0000000077636000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2876-292-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/2876-269-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3056-293-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/3056-245-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4324-256-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4324-331-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4324-348-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4564-326-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4564-347-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4564-227-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4564-377-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4944-297-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download

  • memory/4944-192-0x0000000000400000-0x0000000000A16000-memory.dmp

    Filesize

    6.1MB

    Download