Overview

overview

10

Static

static

10

53d3b6cc06...bd.exe

windows7-x64

10

53d3b6cc06...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    27-11-2024 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe

  • Size

    5.4MB

  • MD5

    4db70309f142abf1c95862ce47770e84

  • SHA1

    8fa99d3efa3a61541e6bebccc8ad654b4c2c0f0b

  • SHA256

    53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd

  • SHA512

    f7a8df39a4e41eeb375081783826e083e0e6992189eb7a4d40bd89adcb7d0de96b0e42925b1b52df8cfb55880e375d234786049812c235634170d13374416390

  • SSDEEP

    98304:onsmtk2aHlEG8zU9zHsuWTTsAQ4t0/AH3V3SYlpVoyS+fW9eo+tXVe/PMMsFK:2L56TiTsAQ+0gBdlrrfW0o+dVeHMMsFK

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 14 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 31 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 5 IoCs
    installer
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 26 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe
    "C:\Users\Admin\AppData\Local\Temp\53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2888
    • C:\Users\Admin\AppData\Local\Temp\._cache_53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Program Files (x86)\GS-911\GS911USBDrv\DPInstx64.exe
        "C:\Program Files (x86)\GS-911\GS911USBDrv\DPInstx64.exe" /S
        3⤵
        • Executes dropped EXE
        • Drops file in System32 directory
        • Drops file in Program Files directory
        • Drops file in Windows directory
        • Suspicious use of AdjustPrivilegeToken
        PID:1180
      • C:\Program Files (x86)\GS-911\GS-911.exe
        "C:\Program Files (x86)\GS-911\GS-911.exe"
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        PID:2884
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2868
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        PID:2476
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1952
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{7f4575a1-31c0-7697-0119-867b0324f00e}\gs911usb.inf" "9" "6e9943ea3" "000000000000058C" "WinSta0\Default" "000000000000059C" "208" "c:\program files (x86)\gs-911\gs911usbdrv"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1960

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\GS-911\License.txt
    Filesize

    13KB

    MD5

    2ce15983845fc5b5c53ae69f21d2baa6

    SHA1

    6866742752b1f8ecf274c82b1930ed716301284e

    SHA256

    f88031b99044ec310c196d773560a056fe4edcbda07cddd0d6e32722e783d162

    SHA512

    a07b5b21fe7508ba463994d7690f080751dd54100e1f22ef49c532e0de1a30a456043347f403369a7bf713d5f9a266bc9ed9f9ea17f715e7648936e13611feb5

    Download Submit

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    5.4MB

    MD5

    4db70309f142abf1c95862ce47770e84

    SHA1

    8fa99d3efa3a61541e6bebccc8ad654b4c2c0f0b

    SHA256

    53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd

    SHA512

    f7a8df39a4e41eeb375081783826e083e0e6992189eb7a4d40bd89adcb7d0de96b0e42925b1b52df8cfb55880e375d234786049812c235634170d13374416390

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lkXYEyix.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lkXYEyix.xlsm
    Filesize

    23KB

    MD5

    80f3b14add71db50bcd5a124843f7c6e

    SHA1

    7df894dfd8236839a52446401ce947706d37b4d3

    SHA256

    a49a3833e658b6eeae796407d58b0fda0f43253d508dfe1744e131da0dcc3f4e

    SHA512

    4b808fd56d91e16dfac85d3d54d79464b8d1eb52af82822d8551eb78c5c6a81b2f05f6a93d432d295a81998135bfb47de1710d18cec123d057d370dea0279cf8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lkXYEyix.xlsm
    Filesize

    29KB

    MD5

    1d72d973f0687d436a49db76dac4d687

    SHA1

    a90ef9e2a45658d27c4f16e2313cf337704322ee

    SHA256

    9ab22c8fb271d1d704934063140b56beeb64cbd581433c139cc7986193193976

    SHA512

    725b71993e83feb93a2a49233ddd084d950ca78493ba46a42a97998828a29ddeb9b76fc7f4777630342d9e4dd67739e7b493e739fd5a4aa5f6a9210b2e116d69

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GS-911\data.dat
    Filesize

    59KB

    MD5

    08843db87aa2c66a11ac2b9c8df5d56b

    SHA1

    8a62cf7547eb01fa673d9e3bb7d099fa977c7fa1

    SHA256

    f0ac28d6b30826a2fc5b818ba0841feb0888a12e5c6016f02d2b904f104a1f63

    SHA512

    43e7181e0ece1b8d2454a6ac782c43c514009ccab842c85dd736e7294124c405ffab98d72ca66ba9719c086f037b33e1767ea6cb7fde25de28daa829ab2e9bda

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GS-911\data.sig
    Filesize

    74B

    MD5

    2acc664fa9af6908f9565738ff68d856

    SHA1

    b4a4047727f172b01da40d76bc19330b36787a82

    SHA256

    989f2b445ea52a202f38144a45c2726951a831962b635347f915d5e145244ff0

    SHA512

    aa3b768579b7e054fb55eca36d177043fe2704ba66e6ebfa8837511e06371a9694b1308d02c6801c81084ac43b03970fcce6a515bdaac957f42d488619971521

    Download Submit

  • C:\Windows\System32\DriverStore\FileRepository\gs911usb.inf_amd64_neutral_8a9198a78ac8cd9f\gs911usb.PNF
    Filesize

    9KB

    MD5

    1febd2b2c7d161499efa4a4795e15eb5

    SHA1

    0c92f85f54f0a6eaf580780a4f7efa5fdf9d6b19

    SHA256

    f7a9ad9517e6c992fae1ef0d2f2db5fa2f4e5627f4ab329c9ebf02f053d656de

    SHA512

    5b95c4e856dbc75346603b26db074cca756c76dbce0a49e08b7bde0013d91dc7f8f9071911149ef17a49061788df031cbb76b8210835991a5043d6adb2554ad3

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\gs911usb.sys
    Filesize

    67KB

    MD5

    0f210048c6bfbfbc0f50816bce40b575

    SHA1

    2fd94cfbfd8dd4a2edd004f1c6cc50b926529258

    SHA256

    73c015b6ee647a875bd124254542ff8759264d51f331ff95d14675c1599fad94

    SHA512

    9d37b1cdf2a39fdd6a9215839d1a7b4e538b31ae7f8f0c2e0de39434f337ea8f440112e8d8198d93f53602a7d9260d9eb41ecacf91aa38feba1c360b17a945a8

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\gs911usb64.dll
    Filesize

    313KB

    MD5

    e2df9664d8e158efffc4f3cd0fde15e8

    SHA1

    54352e4470af8756b1c0a222cbf7e48264ac1920

    SHA256

    40b71c4eab9b8b6801bab4575a64fea73961471aa8bdfc11083a3890f9bc7c30

    SHA512

    d4f939caedd5c81732f9317c90acba9d7562205c293ebb22f9569f87e4486189a52bb1bd455896db611ec665701a104a63ac1a8d3f856854fc008f2923678d02

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\gs911usbui.dll
    Filesize

    140KB

    MD5

    aa15b12108b05f07669a2bc6e7c6365c

    SHA1

    9cb7482822e50ed233613678efa7a8ca9bd7b377

    SHA256

    ef32ba13d527d5f52c9196b6c48fe7af8592837f3424ebe47450a2c62bd7a6e7

    SHA512

    69cfaecdd7f007f60ca26cd53c0f191582845f6340c85bdc5961786fde22ef09c1d55335246961d4522d30b00119de1f2e6548126bbc1f16efe863cc9076a06a

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\hc-lang.dll
    Filesize

    263KB

    MD5

    63c18cc6ff6130215d14c8212b1bd450

    SHA1

    2d9c88113da0090b96549f49e2341e18c85d80c5

    SHA256

    a68ed4225cde423e8d2f2774ff26986b1b2e8b2c5b05412f95f5319cb5bf78e2

    SHA512

    b8ee9e5b9d3fd14717c60f671da16c6bef4bfa7e018e483d45cac9cbd28de9d958fa2fad90b417b825b3fd438d76a67fcf9a16bcc281bdd64c2ab858b9233ff8

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\i386\gs911usb.dll
    Filesize

    197KB

    MD5

    9adbed60e17690bd72e3ab134cc97bbd

    SHA1

    d9a7e8b8f162ecc459b2c2f6c3f68baed5e7814a

    SHA256

    b052d6dcf61b864e948743cd02c29f0bf80f94e6c705bc4dbe858b55eeabbbb2

    SHA512

    80cbee076552dcb4d49eaa355d96e9a81d475c85b3a5b1fe561e3e0eda9ee0400c9fc2c9eadba8d8a4edb0156a5a4213fc34043e72a4930e107108a8989b83ea

    Download Submit

  • \??\c:\program files (x86)\gs-911\gs911usbdrv\gs911usb.inf
    Filesize

    2KB

    MD5

    76a15fb2488648bd174d900dd6a9778c

    SHA1

    af3ba36231290959b70f0ccfb2c4cd2708efb384

    SHA256

    8e05016985541fa9fc702b7bc586fc6e183167a6ef37693d80885c2e2c6550e1

    SHA512

    010c9cdf7524f0467c96ba59a03da4f6e70e35a6361b0d28d268638d9487e6a1d3cbaab46d3e2e732c676ec2e9d0901e57bb436a11593f4a854ed746b34ab063

    Download Submit

  • \??\c:\program files (x86)\gs-911\gs911usbdrv\hc-bus.cat
    Filesize

    11KB

    MD5

    20a4a148648f75704c7fdbeb03aa0eab

    SHA1

    83d4f551a90ea691f9add59bc8f19968051c8f85

    SHA256

    67515f99ce3bff25d560d3bdc8b4cdf16d06e96a8eb31f36c2cb49a54355246f

    SHA512

    e8ffa41747c04de1cc3d8406c29298fd4e80b40e8de818dafac2a3676ee0877f7c6e5a33e4d958f377f62c45f80c57eda368dcb55c4173d5ee24ab6cf98a0413

    Download Submit

  • \Program Files (x86)\GS-911\GS-911.exe
    Filesize

    3.6MB

    MD5

    aba145d1de91ab1e0ba679410e353ff2

    SHA1

    1f539de1f809327ea24c57234daffb1f0b4605ee

    SHA256

    e52d79d132e87de8a49a7ea21e1263fc70a36f885ea5ddbd0965853791fab76a

    SHA512

    4c00dc2d6795af7acfcbecf32222c04711db68aa4a1ea10c8092f3621c97f24128987fd78f554dc515f82b764e9cf4b0aec3ac6750b630d8b395d606b26e1302

    Download Submit

  • \Program Files (x86)\GS-911\GS911USBDrv\DPInstx64.exe
    Filesize

    913KB

    MD5

    e90140ff5f5ff7521ea52f94bec29f8c

    SHA1

    a3aaf4d6705984d2f0b97d277766ebc82a26011f

    SHA256

    0e25afc6f2c17e08afc91f7717b3669cb4de6f77dd62b78674b09e0d59e4aa3c

    SHA512

    f644e4c22be81aeddf380ec8b550c3774a6c8678b9ad4cb210235ae440bd9f1e16df84832babac21672b69a57ebd779bbfb562dd6158f91cc48367ef3e383a3e

    Download Submit

  • \Program Files (x86)\GS-911\Uninstall.exe
    Filesize

    50KB

    MD5

    f83fafc26751c7ed368799b99bbe6f99

    SHA1

    93adee8e0e7cc7c1f53db34e66044e992e9d026a

    SHA256

    30ed9a9311c486a50bc80d6c2960ddad790b4560becd2ba1fdccbc14819346ba

    SHA512

    6bd40e235be110335779045d11685be442d3b9931b9e11c6a45fc34641d784bd2282349fd785a29b49fb1c4e52b92d14692a75c026316cd504ccc69cefc64e96

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe
    Filesize

    4.7MB

    MD5

    4170a6583b6a182f9c2f4295574fc171

    SHA1

    e61f16339ca634759113142f0fddb4012afaf41b

    SHA256

    033e46c4e8a5c135e610db0d7617f19aa3926f974b7157be3a27e4082e5bf33b

    SHA512

    8bd7d2bfeef83221606075d16d5b1cf82919409c1e4c8edf5417a63373109a591ebbceb0ee827f9666c9dc341dd13226f525c4013008b621c0e5857164a7bc0f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst6C6A.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nst6C6A.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

    Download Submit

  • memory/1952-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1952-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-244-0x0000000002C70000-0x0000000002C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-253-0x0000000002C70000-0x0000000002C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2672-275-0x0000000003940000-0x0000000003D08000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2672-268-0x0000000003940000-0x0000000003D08000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2868-39-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2868-272-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2868-123-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2868-315-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2884-269-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2884-277-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2884-279-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2884-281-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2884-322-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2888-27-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2888-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download