Overview

overview

10

Static

static

10

53d3b6cc06...bd.exe

windows7-x64

10

53d3b6cc06...bd.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-11-2024 22:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe

  • Size

    5.4MB

  • MD5

    4db70309f142abf1c95862ce47770e84

  • SHA1

    8fa99d3efa3a61541e6bebccc8ad654b4c2c0f0b

  • SHA256

    53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd

  • SHA512

    f7a8df39a4e41eeb375081783826e083e0e6992189eb7a4d40bd89adcb7d0de96b0e42925b1b52df8cfb55880e375d234786049812c235634170d13374416390

  • SSDEEP

    98304:onsmtk2aHlEG8zU9zHsuWTTsAQ4t0/AH3V3SYlpVoyS+fW9eo+tXVe/PMMsFK:2L56TiTsAQ+0gBdlrrfW0o+dVeHMMsFK

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 35 IoCs
  • Drops file in Program Files directory 21 IoCs
  • Drops file in Windows directory 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • NSIS installer 3 IoCs
    installer
  • Checks SCSI registry key(s) 3 TTPs 42 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 41 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe
    "C:\Users\Admin\AppData\Local\Temp\53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1596
    • C:\Users\Admin\AppData\Local\Temp\._cache_53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe"
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:3888
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:2012
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in Program Files directory
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3412
        • C:\Program Files (x86)\GS-911\GS911USBDrv\DPInstx64.exe
          "C:\Program Files (x86)\GS-911\GS911USBDrv\DPInstx64.exe" /S
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Checks SCSI registry key(s)
          PID:628
        • C:\Program Files (x86)\GS-911\GS-911.exe
          "C:\Program Files (x86)\GS-911\GS-911.exe"
          4⤵
          • Executes dropped EXE
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of SetWindowsHookEx
          PID:2300
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4892
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
    1⤵
    • Drops file in Windows directory
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3516
    • C:\Windows\system32\DrvInst.exe
      DrvInst.exe "4" "8" "C:\Users\Admin\AppData\Local\Temp\{5a4d5fa7-2b6a-b64d-9459-81957212bada}\gs911usb.inf" "9" "492de6ad3" "0000000000000154" "WinSta0\Default" "00000000000000BC" "208" "c:\program files (x86)\gs-911\gs911usbdrv"
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Modifies data under HKEY_USERS
      PID:1092

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\GS-911\GS-911.exe
    Filesize

    221KB

    MD5

    932c49e7a84c37a9191212489e037126

    SHA1

    865940ad4792d0715fe87a42dce20589a768db5b

    SHA256

    c80c16c3278973566efafb2ebe8102d9adfaf6cbebed28d4a1d3abc72043c7fa

    SHA512

    45c2c1b25eba58421de61b1fda53379cd730baeaf365bac2dd89f49853933e21512f9c09e0377c42bf50371ea64989fae2060f3401ec9369452b10baf77bc5f9

    Download Submit

  • C:\Program Files (x86)\GS-911\GS-911.exe
    Filesize

    3.6MB

    MD5

    aba145d1de91ab1e0ba679410e353ff2

    SHA1

    1f539de1f809327ea24c57234daffb1f0b4605ee

    SHA256

    e52d79d132e87de8a49a7ea21e1263fc70a36f885ea5ddbd0965853791fab76a

    SHA512

    4c00dc2d6795af7acfcbecf32222c04711db68aa4a1ea10c8092f3621c97f24128987fd78f554dc515f82b764e9cf4b0aec3ac6750b630d8b395d606b26e1302

    Download Submit

  • C:\Program Files (x86)\GS-911\GS911USBDrv\DPInstx64.exe
    Filesize

    913KB

    MD5

    e90140ff5f5ff7521ea52f94bec29f8c

    SHA1

    a3aaf4d6705984d2f0b97d277766ebc82a26011f

    SHA256

    0e25afc6f2c17e08afc91f7717b3669cb4de6f77dd62b78674b09e0d59e4aa3c

    SHA512

    f644e4c22be81aeddf380ec8b550c3774a6c8678b9ad4cb210235ae440bd9f1e16df84832babac21672b69a57ebd779bbfb562dd6158f91cc48367ef3e383a3e

    Download Submit

  • C:\Program Files (x86)\GS-911\License.txt
    Filesize

    13KB

    MD5

    2ce15983845fc5b5c53ae69f21d2baa6

    SHA1

    6866742752b1f8ecf274c82b1930ed716301284e

    SHA256

    f88031b99044ec310c196d773560a056fe4edcbda07cddd0d6e32722e783d162

    SHA512

    a07b5b21fe7508ba463994d7690f080751dd54100e1f22ef49c532e0de1a30a456043347f403369a7bf713d5f9a266bc9ed9f9ea17f715e7648936e13611feb5

    Download Submit

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    5.4MB

    MD5

    4db70309f142abf1c95862ce47770e84

    SHA1

    8fa99d3efa3a61541e6bebccc8ad654b4c2c0f0b

    SHA256

    53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd

    SHA512

    f7a8df39a4e41eeb375081783826e083e0e6992189eb7a4d40bd89adcb7d0de96b0e42925b1b52df8cfb55880e375d234786049812c235634170d13374416390

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_53d3b6cc06ee113cbd59a565031adfed27d71b5bae796b8cd3eb576f7ec240bd.exe
    Filesize

    4.7MB

    MD5

    4170a6583b6a182f9c2f4295574fc171

    SHA1

    e61f16339ca634759113142f0fddb4012afaf41b

    SHA256

    033e46c4e8a5c135e610db0d7617f19aa3926f974b7157be3a27e4082e5bf33b

    SHA512

    8bd7d2bfeef83221606075d16d5b1cf82919409c1e4c8edf5417a63373109a591ebbceb0ee827f9666c9dc341dd13226f525c4013008b621c0e5857164a7bc0f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\A0A75E00
    Filesize

    20KB

    MD5

    2bbd5f6a58b704e3e0ca28e07fbb1715

    SHA1

    457ef6084c5e27abbb0c65e46eedfdca5e520491

    SHA256

    6dc523021b2f15619327d12903489d7a7e358cbbf1c665ba9dacd2e338afe9e4

    SHA512

    e5ee38933588cbbf023f2a0d4b5452620a46ea1a5584ccc72cc42e7341d4a31784439b57fb2aa9a9f90fbdc454b97ee42557ac9f39d501f35b94541e222bb88a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Uyt548E6.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsn9B56.tmp\System.dll
    Filesize

    11KB

    MD5

    c17103ae9072a06da581dec998343fc1

    SHA1

    b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

    SHA256

    dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

    SHA512

    d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsn9B56.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    c10e04dd4ad4277d5adc951bb331c777

    SHA1

    b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

    SHA256

    e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

    SHA512

    853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GS-911\data.dat
    Filesize

    59KB

    MD5

    08843db87aa2c66a11ac2b9c8df5d56b

    SHA1

    8a62cf7547eb01fa673d9e3bb7d099fa977c7fa1

    SHA256

    f0ac28d6b30826a2fc5b818ba0841feb0888a12e5c6016f02d2b904f104a1f63

    SHA512

    43e7181e0ece1b8d2454a6ac782c43c514009ccab842c85dd736e7294124c405ffab98d72ca66ba9719c086f037b33e1767ea6cb7fde25de28daa829ab2e9bda

    Download Submit

  • C:\Users\Admin\AppData\Roaming\GS-911\data.sig
    Filesize

    74B

    MD5

    2acc664fa9af6908f9565738ff68d856

    SHA1

    b4a4047727f172b01da40d76bc19330b36787a82

    SHA256

    989f2b445ea52a202f38144a45c2726951a831962b635347f915d5e145244ff0

    SHA512

    aa3b768579b7e054fb55eca36d177043fe2704ba66e6ebfa8837511e06371a9694b1308d02c6801c81084ac43b03970fcce6a515bdaac957f42d488619971521

    Download Submit

  • C:\Windows\System32\CatRoot2\dberr.txt
    Filesize

    37KB

    MD5

    5cfe52f8a433eff33c5bef8c35ab5c8a

    SHA1

    a159278fcaf66f8e8ccf846010cbde509bbcb592

    SHA256

    330e333035cf4a07b97a5a4d86e0547fce56df7bf0ba195153ab3766e430be84

    SHA512

    c8a71acd0c8b252eb5e8b3915e5d63143d89ab2d820879945787aa1ee167cc91fdf66d6d7cb56c7d74b1aaf56bf2ae4c1f553c333eb34659a951359eed141338

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\gs911usb.sys
    Filesize

    67KB

    MD5

    0f210048c6bfbfbc0f50816bce40b575

    SHA1

    2fd94cfbfd8dd4a2edd004f1c6cc50b926529258

    SHA256

    73c015b6ee647a875bd124254542ff8759264d51f331ff95d14675c1599fad94

    SHA512

    9d37b1cdf2a39fdd6a9215839d1a7b4e538b31ae7f8f0c2e0de39434f337ea8f440112e8d8198d93f53602a7d9260d9eb41ecacf91aa38feba1c360b17a945a8

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\gs911usb64.dll
    Filesize

    313KB

    MD5

    e2df9664d8e158efffc4f3cd0fde15e8

    SHA1

    54352e4470af8756b1c0a222cbf7e48264ac1920

    SHA256

    40b71c4eab9b8b6801bab4575a64fea73961471aa8bdfc11083a3890f9bc7c30

    SHA512

    d4f939caedd5c81732f9317c90acba9d7562205c293ebb22f9569f87e4486189a52bb1bd455896db611ec665701a104a63ac1a8d3f856854fc008f2923678d02

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\gs911usbui.dll
    Filesize

    140KB

    MD5

    aa15b12108b05f07669a2bc6e7c6365c

    SHA1

    9cb7482822e50ed233613678efa7a8ca9bd7b377

    SHA256

    ef32ba13d527d5f52c9196b6c48fe7af8592837f3424ebe47450a2c62bd7a6e7

    SHA512

    69cfaecdd7f007f60ca26cd53c0f191582845f6340c85bdc5961786fde22ef09c1d55335246961d4522d30b00119de1f2e6548126bbc1f16efe863cc9076a06a

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\amd64\hc-lang.dll
    Filesize

    263KB

    MD5

    63c18cc6ff6130215d14c8212b1bd450

    SHA1

    2d9c88113da0090b96549f49e2341e18c85d80c5

    SHA256

    a68ed4225cde423e8d2f2774ff26986b1b2e8b2c5b05412f95f5319cb5bf78e2

    SHA512

    b8ee9e5b9d3fd14717c60f671da16c6bef4bfa7e018e483d45cac9cbd28de9d958fa2fad90b417b825b3fd438d76a67fcf9a16bcc281bdd64c2ab858b9233ff8

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\hc-bus.cat
    Filesize

    11KB

    MD5

    20a4a148648f75704c7fdbeb03aa0eab

    SHA1

    83d4f551a90ea691f9add59bc8f19968051c8f85

    SHA256

    67515f99ce3bff25d560d3bdc8b4cdf16d06e96a8eb31f36c2cb49a54355246f

    SHA512

    e8ffa41747c04de1cc3d8406c29298fd4e80b40e8de818dafac2a3676ee0877f7c6e5a33e4d958f377f62c45f80c57eda368dcb55c4173d5ee24ab6cf98a0413

    Download Submit

  • \??\c:\PROGRA~2\gs-911\GS911U~1\i386\gs911usb.dll
    Filesize

    197KB

    MD5

    9adbed60e17690bd72e3ab134cc97bbd

    SHA1

    d9a7e8b8f162ecc459b2c2f6c3f68baed5e7814a

    SHA256

    b052d6dcf61b864e948743cd02c29f0bf80f94e6c705bc4dbe858b55eeabbbb2

    SHA512

    80cbee076552dcb4d49eaa355d96e9a81d475c85b3a5b1fe561e3e0eda9ee0400c9fc2c9eadba8d8a4edb0156a5a4213fc34043e72a4930e107108a8989b83ea

    Download Submit

  • \??\c:\program files (x86)\gs-911\gs911usbdrv\gs911usb.inf
    Filesize

    2KB

    MD5

    76a15fb2488648bd174d900dd6a9778c

    SHA1

    af3ba36231290959b70f0ccfb2c4cd2708efb384

    SHA256

    8e05016985541fa9fc702b7bc586fc6e183167a6ef37693d80885c2e2c6550e1

    SHA512

    010c9cdf7524f0467c96ba59a03da4f6e70e35a6361b0d28d268638d9487e6a1d3cbaab46d3e2e732c676ec2e9d0901e57bb436a11593f4a854ed746b34ab063

    Download Submit

  • memory/1596-129-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/1596-0-0x0000000000B50000-0x0000000000B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2012-256-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2012-428-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2012-466-0x0000000000400000-0x000000000096B000-memory.dmp

    Filesize

    5.4MB

    Download

  • memory/2300-477-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2300-447-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2300-444-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2300-442-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/2300-430-0x0000000000400000-0x00000000007C8000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/4892-252-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-255-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-192-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-253-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-190-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-196-0x00007FFD75310000-0x00007FFD75320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-254-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-194-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-197-0x00007FFD75310000-0x00007FFD75320000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-191-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4892-193-0x00007FFD77C70000-0x00007FFD77C80000-memory.dmp

    Filesize

    64KB

    Download