Overview

overview

10

Static

static

10

mumu_setup...75.exe

windows7-x64

10

mumu_setup...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    145s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02-12-2024 00:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    mumu_setup/MuMuInstaller_1.1.0.4_nochannel_zh-Hans_1573633675.exe

  • Size

    8.1MB

  • MD5

    59fbad21d1876b0a47d918dafd4271b3

  • SHA1

    e7e889799306ee117b3d1e77b14df88508197ff9

  • SHA256

    b417c9ef633dcf57e16186ede03ef1636ac741e6b3f8fdcf73cec9755aed3426

  • SHA512

    581352e99aaa031a93dd64df62cf95f5f3d845a7945856ec435dc9b7e5746a4a81569db7ec9619f2dd5c2fb21b607e2db03471daf5d3909407f28b54c6d060c3

  • SSDEEP

    196608:xLCqHWw3BW8pAh4KPL+BObplNwgI5Jqz/8t:xV20BW8pWPMOdwj+8t

Score
10/10
xredbackdoordiscoveryevasionpersistencetrojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 4 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: LoadsDriver 4 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\mumu_setup\MuMuInstaller_1.1.0.4_nochannel_zh-Hans_1573633675.exe
    "C:\Users\Admin\AppData\Local\Temp\mumu_setup\MuMuInstaller_1.1.0.4_nochannel_zh-Hans_1573633675.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4236
    • C:\Users\Admin\AppData\Local\Temp\mumu_setup\._cache_MuMuInstaller_1.1.0.4_nochannel_zh-Hans_1573633675.exe
      "C:\Users\Admin\AppData\Local\Temp\mumu_setup\._cache_MuMuInstaller_1.1.0.4_nochannel_zh-Hans_1573633675.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Loads dropped DLL
      • Checks whether UAC is enabled
      • System Location Discovery: System Language Discovery
      PID:4008
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4376
      • C:\Users\Admin\AppData\Local\Temp\mumu_setup\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\mumu_setup\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        PID:4396
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2064

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    8.1MB

    MD5

    59fbad21d1876b0a47d918dafd4271b3

    SHA1

    e7e889799306ee117b3d1e77b14df88508197ff9

    SHA256

    b417c9ef633dcf57e16186ede03ef1636ac741e6b3f8fdcf73cec9755aed3426

    SHA512

    581352e99aaa031a93dd64df62cf95f5f3d845a7945856ec435dc9b7e5746a4a81569db7ec9619f2dd5c2fb21b607e2db03471daf5d3909407f28b54c6d060c3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\51185E00
    Filesize

    22KB

    MD5

    021247bd081ddf5d01b577080a3ec15d

    SHA1

    adb5b8ce06ea5fbb74f4fa029508cd30b6666e07

    SHA256

    efdbbbf8e5de0980cbd8b881e7e3b26f3583811e3be2aceceb02e900db599749

    SHA512

    c2de21b9e721ee456a6eddef4eebee5c120a9f730028e3021afe47d14bd1941b6b5195866520d6b488a42a3c18bf352137832d1a3c2b8f6abb50d7ffba65cc69

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CrashRpt1403.dll
    Filesize

    143KB

    MD5

    770d84e09190608189bd67d0d3d7d687

    SHA1

    c3d002e7dd2487b3229b0bf362f8e119ce1e9d07

    SHA256

    2056a9580ca9569e96634f33bdcce756bd3552c7e5e574e1833f9ac2aff1a249

    SHA512

    f560c587072a1b3f8a5dfb9c3fb2f0b42dce53be067c6944a022a62ce21fb15154fc9545febcca5178abf898e6825553265fb457bd953ad4765310cfe1c16c5d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CrashRptProbe1403.dll
    Filesize

    152KB

    MD5

    30a06b1ef5cee29f34e001083ffbbe02

    SHA1

    982a1639d2430a482f9948fa4e2cd3addfcb3f95

    SHA256

    73399bc22c93df125a5476dbd15b7d71e3126a1d8f88333a01871dceed9ba9d4

    SHA512

    edbd6d64b17945dfdcad2e057b577b7766781465eeb8143eabe589d9c95f53f1c9a7aa67437ff384767914ced7c352df289d2f6a727af8bdfeaa9b881de68cb8

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CrashSender1403.exe
    Filesize

    1021KB

    MD5

    fb69574820ba31ec67ee8ef1f13a07ca

    SHA1

    1a955d841bf3b73c360800cb96a918980aac6643

    SHA256

    e919757a721a2d2c057b0d43d795f68c0b5e3fbd3ae29e946ed374ebc80c223b

    SHA512

    7caec25c7b14b457084352a66da68e586d1e564da5caf00908546b97e7e9735989941483724e3b97702d870d00599e0e704f146643c3a055de678a2467ef616b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WinRing0.Inf
    Filesize

    2KB

    MD5

    f069f20871cb316bfb73c276393d1648

    SHA1

    44851e9f466f58dca883931b18687bfc4921551b

    SHA256

    07942017e8caaa1065867aecc561577199e53142545cb6fb41239ae4c607d46b

    SHA512

    72e60561daf384f7ba4003140d72f45ebec82d12c14bd00f4008f92be35a839666f3b24084ff842a0a023d3a595b70dd801f45b8695830bd800cf6862ba05fd1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WinRing0.Sys
    Filesize

    31KB

    MD5

    a73ee34a7a50be60e77cc277a96d7ba8

    SHA1

    b3a8e39cd99feb817ce799cce193a2fbb12cbec6

    SHA256

    4448beff8366e42e3393e8c7f8261aee0b0340356c31aa3b97de07452ae01888

    SHA512

    668806257d29f73315b26540f0453bd673901c25fb3f16cba942c2dcf2006be8777573efbd831fce2bc7f0111b44b31a06c812ed9b1f59d5be0eb0c3c5c9eff2

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WinRing0x64.Inf
    Filesize

    2KB

    MD5

    0f6d3047d1b670058d71c411707ef16e

    SHA1

    7e51d69b5f109ea6902232212fad28deb46f59ef

    SHA256

    3fded2f4457b0beb415b841b40f6ede5ed527dd537e53e2f70f2fb4a6e24ebfd

    SHA512

    6a749b4921f527c5af51ade76bfcef2446341b3e66de0d93deb95d26d31dfc357d392f6abdf877b756a7c0529112eba343a3c9926eba767b649d654e6d164280

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\WinRing0x64.Sys
    Filesize

    32KB

    MD5

    1c57d067b9fc5e9ef9aeb14223481243

    SHA1

    4ee59164d3259667d3cade58f4c93b4dddf5a92b

    SHA256

    d5bca2ca464a6cc91344bd85e812a7bac6e7c67038c4929a29e0bc60c7eabe4d

    SHA512

    a8de7ab7f67cbe2bf25fd772c24344031322dfab77d07fd835109530450683c158f37955982e875a3acbbfaea2e72c0ba5a52d85f3e1e58984ec63c96f6c0ccd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Xqy9kFZc.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\aria2c.exe
    Filesize

    4.9MB

    MD5

    21f6392c82e70a020960fa037bd2ce08

    SHA1

    274c6157dc86fd711cd1efbe5db5c0d9095eb268

    SHA256

    dd49b0849241a7d885b18780464fdbea2552595d4e0918acb59f18bf9bb9c588

    SHA512

    ccb48650e03678b0398a9f27ca00d91a5467c0f42adc67bbe98ae0804cff85509365086031d11dfecf888be770a0d31efa5dc76de77794391c6cf4a437dc6683

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\config.ini
    Filesize

    103B

    MD5

    f49443d4203d9aa06faa0af45a78f74d

    SHA1

    a1fca704c3fbbd83e2d5274b3a10a8a7998f617a

    SHA256

    4a7cad0cd567ece8a131d148c83861db8958d3a674af33fdf0b5721dd835654e

    SHA512

    aa308389e105a3ecf005940f0d452c376208c9f7ae783300eb6494c752112d7196dd97f7515698ace756f973576e4e1f42bb577604a84d28ca471f16bd182dbb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\crashrpt_lang.ini
    Filesize

    5KB

    MD5

    4ca209c131119e28c581447d10f5f9db

    SHA1

    9f49c9c89e0a7149a8f3a9451a58d6d5ebed05c4

    SHA256

    eb3dd1604138b82f9ba13a180d71e513599d201b4a6eaba814179d12bfe97abb

    SHA512

    cb0f404d8d9044fa92f15fcadbafcc3bde75c7ba33dd58e26b2fce7656847f757f7f2947f52d587205544ffcf0b29c05865350e98d4f6840a657b787d0e02701

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\mumu_setup\._cache_MuMuInstaller_1.1.0.4_nochannel_zh-Hans_1573633675.exe
    Filesize

    7.4MB

    MD5

    2be231bcad533bec4a527d6c3310e4a9

    SHA1

    03a0fbbea22ace75ec720d2a3b59ab18eb589732

    SHA256

    e087db78f034392efaa43ae62bf61650c8fbdd60965fac4bdc287a5a80c906c9

    SHA512

    ebd33e29df02123fa9b4ccc3dd538f30b9657c0852532b35dc8a61af4bbcaee4418adb47b78677bc4e8f4d4322536600cf3cf1bcdf7796f872e5323ec6c0a0ca

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\skin.zip
    Filesize

    482KB

    MD5

    7479864726e4e64cba8d80e99d430da1

    SHA1

    b19d5ae1667605ab2dc42180ef0394704ff83e17

    SHA256

    8dd9fd263183d7e6d200a943c1c54509b192661797286b27d5a82c592486896a

    SHA512

    3bb01e017a97e3d4a76c6d371146d734407901c2416227d28360c251f797d1d738380d38a359d0fbf4e4000e9f026992c822722b3f46b8204c32b5b1ba351f22

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winring0.cat
    Filesize

    10KB

    MD5

    5691a9b76c5b0bd1dd83687f5f0e87a1

    SHA1

    aa79bf0cc8dcc8c6abc6b85793655060f9cbf223

    SHA256

    784e031565c67f1d29640c62f0cc205d5b56c1f78be894252cce06474b64a618

    SHA512

    09cf42743b5d0304179838eadf195821f2f8183d6b8b175642f0b871386c3e2af0e5e59cfaf3f235c16583689b8ed06fc9703e29a6cf234398aaed04c7a9ff62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\winring0x64.cat
    Filesize

    11KB

    MD5

    e7cee7f541c057f490d486927d659122

    SHA1

    420888e25a44629c0b53450cc3a3ea9398b373c8

    SHA256

    317d01d9956f052d929fdbac258f1a2dc5163d3432fc488023a1f4d332ae3d45

    SHA512

    582cdb32a0e322e945a3ed6a144d21a3606d37e88fac73edc4129e4ee3dea66e5a9ebd8c803e07e59fa00cfc6d6f174a1cc8a947f167a100d4065a10c4615121

    Download Submit

  • memory/2064-241-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-237-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-242-0x00007FFA3A950000-0x00007FFA3A960000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-240-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-239-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-238-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2064-236-0x00007FFA3C9B0000-0x00007FFA3C9C0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4008-234-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-327-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-339-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-337-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-335-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-333-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-331-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-69-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-329-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-289-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-294-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-297-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-299-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-301-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4008-304-0x0000000000360000-0x0000000001584000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4236-0-0x0000000002AC0000-0x0000000002AC1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4236-128-0x0000000000400000-0x0000000000C1F000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/4376-328-0x0000000000400000-0x0000000000C1F000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/4376-290-0x0000000000400000-0x0000000000C1F000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/4376-129-0x0000000002770000-0x0000000002771000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4376-235-0x0000000000400000-0x0000000000C1F000-memory.dmp

    Filesize

    8.1MB

    Download

  • memory/4396-207-0x0000000000B40000-0x0000000001D64000-memory.dmp

    Filesize

    18.1MB

    Download

  • memory/4396-233-0x0000000000B40000-0x0000000001D64000-memory.dmp

    Filesize

    18.1MB

    Download