Overview

overview

10

Static

static

10

Debug.zip

windows7-x64

1

Debug.zip

windows10-2004-x64

10

Analysis

  • max time kernel
    72s
  • max time network
    72s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27/11/2024, 08:21

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Debug.zip

  • Size

    57.0MB

  • MD5

    15bdb40346ff9a47a75370457117a2e9

  • SHA1

    ebe296a8fae5cf76d4f0555b0b18ff9740aa983b

  • SHA256

    3f0aa24c90dbe0ef9a695236b99dd02b51f8c44a83d3ab490a09577e1a9a74dc

  • SHA512

    766cac1ddb392f67cc0d9d4ba8fb4719b8895d59775e32b9c215b83cd7f3f9a2673257fe50a42995622bca348d10d47f3aea1940e682321df8adcad428012f72

  • SSDEEP

    1572864:KcAHw9DccPnFJT9hVPkuPIpI8gqEEsP9ZjsVjS4CRiGnia2716TW:Kc1IqZhhdQpOlEsPbIEiGiU6

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Modifies WinLogon for persistence 2 TTPs 1 IoCs
    persistence
  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\7-Zip\7zFM.exe
    "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Debug.zip"
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2460
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
      PID:3604
    • C:\Users\Admin\Desktop\Debug\QRC1.exe
      "C:\Users\Admin\Desktop\Debug\QRC1.exe"
      1⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:5104
      • C:\Users\Admin\Desktop\Debug\._cache_QRC1.exe
        "C:\Users\Admin\Desktop\Debug\._cache_QRC1.exe"
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2824
        • C:\Users\Admin\AppData\Roaming\Client.exe
          "C:\Users\Admin\AppData\Roaming\Client.exe"
          3⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1620
        • C:\Users\Admin\AppData\Roaming\QRC.exe
          "C:\Users\Admin\AppData\Roaming\QRC.exe"
          3⤵
          • Executes dropped EXE
          PID:4616
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        2⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4920
        • C:\Users\Admin\Desktop\Debug\._cache_Synaptics.exe
          "C:\Users\Admin\Desktop\Debug\._cache_Synaptics.exe" InjUpdate
          3⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:4712
          • C:\Users\Admin\AppData\Roaming\Client.exe
            "C:\Users\Admin\AppData\Roaming\Client.exe"
            4⤵
            • Modifies WinLogon for persistence
            • Executes dropped EXE
            • Adds Run key to start application
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4492
            • C:\Windows\SYSTEM32\CMD.exe
              "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "WIndows Defender" /tr "C:\Windows\Registry" & exit
              5⤵
              • Suspicious use of WriteProcessMemory
              PID:1104
              • C:\Windows\system32\schtasks.exe
                SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "WIndows Defender" /tr "C:\Windows\Registry"
                6⤵
                • Scheduled Task/Job: Scheduled Task
                PID:3556
          • C:\Users\Admin\AppData\Roaming\QRC.exe
            "C:\Users\Admin\AppData\Roaming\QRC.exe"
            4⤵
            • Executes dropped EXE
            PID:3396
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2512
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3204
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1692
    • C:\Windows\system32\OpenWith.exe
      C:\Windows\system32\OpenWith.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:3440
    • C:\Windows\system32\wbem\WmiApSrv.exe
      C:\Windows\system32\wbem\WmiApSrv.exe
      1⤵
        PID:3436
      • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
        "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
        1⤵
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious use of SetWindowsHookEx
        PID:2664

      Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\1ju4ujLU.xlsm
              Filesize

              17KB

              MD5

              e566fc53051035e1e6fd0ed1823de0f9

              SHA1

              00bc96c48b98676ecd67e81a6f1d7754e4156044

              SHA256

              8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

              SHA512

              a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

              Download Submit

            • C:\Users\Admin\AppData\Local\Temp\40A85E00
              Filesize

              23KB

              MD5

              44703d9b40e6dc03fbc9c18cf510a4b0

              SHA1

              442b3c6a4deec9612ade283ba48cb6e1ae9ee14c

              SHA256

              886d6a8dd31954b5f11f0138a903e108d9e92f6c7b9419711c8c0d7207bb321d

              SHA512

              bca7b85fcfb250bd3b52a569ac20c00715c12835bb6b20fe8a12798c671fed53f3fe5c40cb123c49bb80e998e68b413ee238996151f7f5449b0231ea90bcdd7c

              Download Submit

            • C:\Users\Admin\AppData\Roaming\Client.exe
              Filesize

              310KB

              MD5

              fd412b660c26d804e660005125e346da

              SHA1

              3edeaad658da5a16132d1133993190bacc2f98be

              SHA256

              12096a9395d928f432f47231e2f55bf8bfd63874fa08af22996823573474bbcc

              SHA512

              a8ffd4f9d624a6629199433f1a6fb63ab4e57805a3f7ffd9d761c307aebea45e325ae002644936ca24b9122db7c533c4d3ac05c6a86f3f4676ffe2f4a4e6000d

              Download Submit

            • C:\Users\Admin\AppData\Roaming\QRC.exe
              Filesize

              398KB

              MD5

              aa4918bc0364408e874954683fb6f604

              SHA1

              4651620e2a746afc4cadb557c1d1417810574514

              SHA256

              8c9f375fdf3f850900b0b47800db4b565f569cd38b842a5483abbc447b125fe8

              SHA512

              e692d633f99af9511326dc933ebf19d4bad7965c678b9c220fe08778bfc0a926ba3704f52fd1aa2ee8f9a9536b0dcbc8121aacb2148d8128528659c0a6378bb9

              Download Submit

            • C:\Users\Admin\AppData\Roaming\QRC.exe.config
              Filesize

              189B

              MD5

              9dbad5517b46f41dbb0d8780b20ab87e

              SHA1

              ef6aef0b1ea5d01b6e088a8bf2f429773c04ba5e

              SHA256

              47e5a0f101af4151d7f13d2d6bfa9b847d5b5e4a98d1f4674b7c015772746cdf

              SHA512

              43825f5c26c54e1fc5bffcce30caad1449a28c0c9a9432e9ce17d255f8bf6057c1a1002d9471e5b654ab1de08fb6eabf96302cdb3e0fb4b63ba0ff186e903be8

              Download Submit

            • C:\Users\Admin\AppData\Roaming\QRC.pdb
              Filesize

              61KB

              MD5

              870c721ed1bc879611f874d7ee780831

              SHA1

              61e14c842fbc33291b9c0b309232a78e5069c155

              SHA256

              5681d4d7476ae73768d2424dd3db06ec87a5c80bfa1b569eb1b209c504873722

              SHA512

              4e536305982bec0062276dd5602e7fae4f2b35a26cbb90673c184a939d444efdcd9b630dd0b6871a2db8675572912b21fe22a6bf0a453e17920ab61ca562eb14

              Download Submit

            • C:\Users\Admin\Desktop\Debug\._cache_QRC1.exe
              Filesize

              780KB

              MD5

              a205304c2df0a22f39371f7493490d82

              SHA1

              2b028886d31eebd7088eafe93c5d3c8c8ec65042

              SHA256

              fe296086bf6eda7cf7f40256f06a3560260633a50ecf3b08b57751a809dab2de

              SHA512

              949f6ce59447862e3aa4320d32ab296d4b95ff0c547d125efae70fcc9965df5d692a9a779a82e52f4cfc9911256c708bcf6934d7328bbebc4b6bdabccfffea77

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000040
              Filesize

              67KB

              MD5

              ce58019b091dbdb1895be63d765b1177

              SHA1

              37a38458a92835c43b270069c0629c6975b2ba69

              SHA256

              8defb86fd585d1e578370bac22698f0de49d509d7398a0e83fbae7a9d11e0fcf

              SHA512

              36be843dd5630cf0c76219459b2ff946fa91ab90be31e3ac62452642a79a062b9d7aaae14a0ad8fd92b1a6d468394f1aa8bfe45f262f33e34048b46e046a1b27

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\Default\Cache\Cache_Data\f_000094
              Filesize

              20KB

              MD5

              df00d41fbb198afcf991bc550c5be489

              SHA1

              fb720be7767d4f9eccf5cd7b9c6d808418beb613

              SHA256

              4d7a6468af73f3156f1d39d9c67d97a582f2ed7c6b890fc6c34a887c90bcc544

              SHA512

              cf065b7587df37028c3c4eb027609c8465955e1f3bd4ce54998e348043202fc573475a13bcc7e4e3511967aa1561f8c3c3fe56b5accb88bbc026a25c5eea7c92

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\Default\Extension State\CURRENT
              Filesize

              16B

              MD5

              46295cac801e5d4857d09837238a6394

              SHA1

              44e0fa1b517dbf802b18faf0785eeea6ac51594b

              SHA256

              0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

              SHA512

              8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\Default\Extension State\MANIFEST-000001
              Filesize

              41B

              MD5

              5af87dfd673ba2115e2fcf5cfdb727ab

              SHA1

              d5b5bbf396dc291274584ef71f444f420b6056f1

              SHA256

              f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

              SHA512

              de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\Default\GPUCache\data_3
              Filesize

              8KB

              MD5

              41876349cb12d6db992f1309f22df3f0

              SHA1

              5cf26b3420fc0302cd0a71e8d029739b8765be27

              SHA256

              e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

              SHA512

              e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\Default\Shared Dictionary\cache\index
              Filesize

              24B

              MD5

              54cb446f628b2ea4a5bce5769910512e

              SHA1

              c27ca848427fe87f5cf4d0e0e3cd57151b0d820d

              SHA256

              fbcfe23a2ecb82b7100c50811691dde0a33aa3da8d176be9882a9db485dc0f2d

              SHA512

              8f6ed2e91aed9bd415789b1dbe591e7eab29f3f1b48fdfa5e864d7bf4ae554acc5d82b4097a770dabc228523253623e4296c5023cf48252e1b94382c43123cb0

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\GraphiteDawnCache\data_0
              Filesize

              8KB

              MD5

              cf89d16bb9107c631daabf0c0ee58efb

              SHA1

              3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

              SHA256

              d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

              SHA512

              8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\GraphiteDawnCache\data_1
              Filesize

              264KB

              MD5

              bcbe815e20c3dc7d2af3cb2d0d6985ae

              SHA1

              c35798ed922877845d900444e635e76a92617879

              SHA256

              e40101d83ad3712121d5c032ef408534bfe8574a240b430e0f97ce16650bc151

              SHA512

              6e61000520cb8d5008aa2807ee83eccf2dd946aabc9a6b65de70d3c4d0f12804d610eee681ce24039c0fe549e6853ffb245d4711731901f2ceab470a29a72905

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC.exe.WebView2\EBWebView\GraphiteDawnCache\data_2
              Filesize

              8KB

              MD5

              0962291d6d367570bee5454721c17e11

              SHA1

              59d10a893ef321a706a9255176761366115bedcb

              SHA256

              ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

              SHA512

              f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

              Download Submit

            • C:\Users\Admin\Desktop\Debug\QRC1.exe
              Filesize

              1.5MB

              MD5

              2a8f48fdae7c4f798a27963f5cc0908a

              SHA1

              6fc4de19ce7c846b0422404460ad62746e033474

              SHA256

              0846b29c62383a17d485ca9102d306632184969b798cc4d9b0990758998631ef

              SHA512

              df9e3fd244600df41ff24e6eb256a9004115c758bc2e8e87af58886233db0fb03a21e840b9409b284874127f2fcf9a687fb2b68fc8760dac83e64fd984d57408

              Download Submit

            • memory/1620-2553-0x0000000000B70000-0x0000000000BC4000-memory.dmp

              Filesize

              336KB

              Download

            • memory/2664-2680-0x00007FFA87C70000-0x00007FFA87C80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2664-2675-0x00007FFA8A310000-0x00007FFA8A320000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2664-2678-0x00007FFA8A310000-0x00007FFA8A320000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2664-2679-0x00007FFA87C70000-0x00007FFA87C80000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2664-2674-0x00007FFA8A310000-0x00007FFA8A320000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2664-2677-0x00007FFA8A310000-0x00007FFA8A320000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2664-2676-0x00007FFA8A310000-0x00007FFA8A320000-memory.dmp

              Filesize

              64KB

              Download

            • memory/2824-2519-0x0000000000A70000-0x0000000000B3A000-memory.dmp

              Filesize

              808KB

              Download

            • memory/4492-2673-0x0000000002DA0000-0x0000000002DBE000-memory.dmp

              Filesize

              120KB

              Download

            • memory/4492-2672-0x0000000001410000-0x000000000141C000-memory.dmp

              Filesize

              48KB

              Download

            • memory/4492-2671-0x000000001C720000-0x000000001C796000-memory.dmp

              Filesize

              472KB

              Download

            • memory/4616-2557-0x0000022486AA0000-0x0000022486B08000-memory.dmp

              Filesize

              416KB

              Download

            • memory/4920-2639-0x0000000000400000-0x0000000000585000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4920-2684-0x0000000000400000-0x0000000000585000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/4920-2731-0x0000000000400000-0x0000000000585000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/5104-2530-0x0000000000400000-0x0000000000585000-memory.dmp

              Filesize

              1.5MB

              Download

            • memory/5104-2400-0x00000000006B0000-0x00000000006B1000-memory.dmp

              Filesize

              4KB

              Download