Overview

overview

10

Static

static

10

windows in...ew.exe

windows7-x64

10

windows in...ew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20241023-en
  • resource tags

    arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
  • submitted
    23/12/2024, 05:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    windows instantview.exe

  • Size

    46.7MB

  • MD5

    8fe9734738d9851113a7ac5f8f484d29

  • SHA1

    5934059ccb49608d816b447510f3ded1b9deb513

  • SHA256

    2d3f94e3f5cebbda9289782f84575cf2aed8caed8b79a8145d32a7ec30828b6a

  • SHA512

    c9177c5c9e318da2a2e34e4535b8213b11ba6bb1f509f3fa179690b9712ad15f832a045a4ae483d47b46c135bef19f8b4bbd926f4075bb02f6ca7304b251d7db

  • SSDEEP

    393216:C2LA+n+w4BZFThUFEFwyiHnIgPn6Q+GW4wyi2v97H9Wmw4/w4qw4E9v8H6Gcr+zI:pp8UFXHnDwreHElaG2+zR1no

Score
10/10
xredbackdoordiscoverymacropersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Suspicious Office macro 5 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 9 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 20 IoCs
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 14 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\windows instantview.exe
    "C:\Users\Admin\AppData\Local\Temp\windows instantview.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2628
    • C:\Users\Admin\AppData\Local\Temp\._cache_windows instantview.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_windows instantview.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1912
      • C:\Users\Admin\AppData\Local\SMI InstantView\Windows InstantView.exe
        "C:\Users\Admin\AppData\Local\SMI InstantView\Windows InstantView.exe" "SETAUTORUN_RESTART" "2628"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2840
        • C:\Users\Admin\AppData\Local\Temp\smiusbdrv\DriverInstall_64.exe
          "C:\Users\Admin\AppData\Local\Temp\smiusbdrv\DriverInstall_64.exe" C:\Users\Admin\AppData\Local\Temp\smiusbdrv\WinUSBdriver.inf
          4⤵
          • Executes dropped EXE
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:1580
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:2328
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{2c51ee12-658f-025f-8aa2-586fa940c25d}\WinUSBdriver.inf" "9" "603729d2f" "00000000000005C4" "WinSta0\Default" "0000000000000540" "208" "C:\Users\Admin\AppData\Local\Temp\smiusbdrv"
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:380
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{2c3f09e6-82e9-4e68-110e-cc39486e0339} Global\{12e872c3-0fa1-6c1b-7254-cb58c244da26} C:\Windows\System32\DriverStore\Temp\{421adc81-7ea8-5a1c-637c-02767a2eff2b}\WinUSBdriver.inf C:\Windows\System32\DriverStore\Temp\{421adc81-7ea8-5a1c-637c-02767a2eff2b}\WinUSBdriver.cat
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1244
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:844
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2664
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B8" "00000000000003C4"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:468

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
    Filesize

    776B

    MD5

    c6767fbec334cba733d0563fb1216fbb

    SHA1

    f64d93a07d50cb4a4037e8f662f4290c08bfd9b9

    SHA256

    19fba76b8ea5b38236edb6d35e1b1fa20be38be172d68a551c11157af6846365

    SHA512

    0c3ed939b53781c7b7588f17f323b423d826f826e7c49089bb15cf7c96a7aa71df08d33166c1b374289d605783754ed3cea42bd7ff8abeff1f0c9a0aca9939e6

    Download Submit

  • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
    Filesize

    4KB

    MD5

    a12bcebcb852b109c05d5aba6330f0e7

    SHA1

    9a0b111d7393f0a5b4638190551b0f12db4ca652

    SHA256

    7f98728f0da448ab779aacfd73a8f7df87387c4a7b8123ae7872911c977742ed

    SHA512

    bb46e561741d19c1ba3e18f3102751c88424eaf6e972c0df515642bd7116d4165bdebfb99bae7ebf2ca5e93c571c6db77d3b0d26c3fc552da9f62c99df00c03f

    Download Submit

  • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
    Filesize

    1KB

    MD5

    1965123ed8bfca9d24ca3c17527f7237

    SHA1

    676aa4a33f7f8a1d95729114119a4a31e63fda9c

    SHA256

    a7193a160e24671ce55d9e28c38f81f9ec8c7fef8421d7094b6d99cbdfaf376b

    SHA512

    3b3998d4307832071365ec4f3c1a4d5ba3f69d387b348834dc6f0fc8600a33f85edbb76c5d62d7c3526bb7b775975b040f6bc8d2bca199b4171028d46cd03f75

    Download Submit

  • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
    Filesize

    1KB

    MD5

    70c469eaad0aff641d5039d533d4c692

    SHA1

    d375f92840e9411c8c9e94d9368dd90567eaf8b3

    SHA256

    8a3f3cf041459514ff1dd4f52dd452fc53c5e0be14407786ce756d7f71beeded

    SHA512

    70091666ece1e36cb8c277196e2072245dd205eac58b6f4a7be99a9a938e794800adc371f8149278f7b33937aa528478936de8616eeac91fed896d1ee5449ee4

    Download Submit

  • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
    Filesize

    2KB

    MD5

    8db1ce5959f272586a91f22eaba82355

    SHA1

    b58bc4f648faf8ce912186ac580b551ed13a5d00

    SHA256

    09e60e59561b3a009a11099ee539213469bdde1f40d39f0723f35afb10dfb1f4

    SHA512

    dee10678622d2b4911ebd4e0d7ca2e8d93b1b2ac1e82d0105fb7d0eb46fb9c656920c5418462d5ff9d11f5e20b5d1cf937f26ec8a3c74ef2596e8f578926b5d0

    Download Submit

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    46.7MB

    MD5

    8fe9734738d9851113a7ac5f8f484d29

    SHA1

    5934059ccb49608d816b447510f3ded1b9deb513

    SHA256

    2d3f94e3f5cebbda9289782f84575cf2aed8caed8b79a8145d32a7ec30828b6a

    SHA512

    c9177c5c9e318da2a2e34e4535b8213b11ba6bb1f509f3fa179690b9712ad15f832a045a4ae483d47b46c135bef19f8b4bbd926f4075bb02f6ca7304b251d7db

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\CabB7EC.tmp
    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\TarB7FE.tmp
    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dUA8xEjO.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dUA8xEjO.xlsm
    Filesize

    21KB

    MD5

    cb6e9ee6acd93da81ddc6ef3518d7b9a

    SHA1

    3ccd782100a0af475bb07a157fe248e300d27386

    SHA256

    c398112cd0aff59725abaf68d36d1685fe52c748347a03556e5ca2d1ca65ad42

    SHA512

    9f7cd58bce1c86866357cdbf4c596e4035cc34c39d2727f378228fb7c88c6d67968882ad3e58a77c893c8612c0d51a8b17243b32dd8f8c05adbbf0ba81814f37

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dUA8xEjO.xlsm
    Filesize

    25KB

    MD5

    be34c1ead3e2e1c712031cd2bf71cd27

    SHA1

    9761e8fd5f68e2d8d0ee390300308b8024d697bf

    SHA256

    0c4101292998e067a695f6886a958c258801762611e72fc775783f3b26af8c54

    SHA512

    539d5a15f24eda8e8b4fa9b419d05a835b6290be41191d5c5fb29dc19f2a9891e5b62de70bb83833ee7a100e9f84af23ce257fa1967662cff203e4c83f9d5fae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dUA8xEjO.xlsm
    Filesize

    23KB

    MD5

    4298fd808a7298dc2e57c92cce7f9385

    SHA1

    b7b6416a6d17ae9b9be2f6f2086707a5e953acac

    SHA256

    8a752a68e69197c9ebd3974c8893656b905a87a67f32d56a02f3a2a83134e5f6

    SHA512

    964975360b27d7711f363c5750ca70ca1955a0b4ecdceb7076aafc310d8dac0395b4246f00251dc2fc945f981312385a2f78e226ec0eaac1eaf62c5772fb317a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dUA8xEjO.xlsm
    Filesize

    21KB

    MD5

    a89937f4c014d8581243c7ce434c6612

    SHA1

    19ad4d9e093a91b30739397be36d3f572c843453

    SHA256

    d80732d1806eef54afa3ab870321fe306f97ea3125a049afea400a70bc8c37af

    SHA512

    7ecc73f336e6d7d9c7d301d1cb20dc88bad8b2518df0b111e762126a543d89220a76344aabf58b14ef016ab256082b3ceb15a63d774507efb42244e976edfe14

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\dUA8xEjO.xlsm
    Filesize

    26KB

    MD5

    ad14976ba0c7438c9bfaaa763ff8c224

    SHA1

    a2012e0b241eaf039ccab649fd0a9de7957a05c3

    SHA256

    73254e5ab90e097b3143fbccdde668280ecd0d4f53faa67cf5f0606939a05a13

    SHA512

    3cfb4a9809e0b3f215ecafe67a44361deea5a03e30c464b69e6445b75d9726843221bbc34689baa06fa89472247decc504fd050ad5baca830dc46f5dd2f5e348

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smiusbdrv\DriverInstall_64.exe
    Filesize

    95KB

    MD5

    6a3b256670033a2bb94cc9f450b58e23

    SHA1

    ce460726fe2ff03aff2d50c88bb5d58ca4824547

    SHA256

    d6535879435b77ca3f87e8ce4619211a59c16233e4327589e4acba3fbea1be09

    SHA512

    0341ebc69318169d2c598f449994b1ae1ac24f9b83bcce85fad0aec4e3abdf282f09cbbb909562d864cf8e82af4e8c27713a7ab42ec6a005c459f9954c6e982d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smiusbdrv\WinUSBdriver.cat
    Filesize

    9KB

    MD5

    b20462a17b3cd652000cff05ddc89644

    SHA1

    70412cba82b69a34ad7ac3e668cea22a65981231

    SHA256

    69a9678cbfa903410c7142e5e6e7befa83735f61300b6eca772fb320853afdc8

    SHA512

    4ccb3c2da91c2646b603b714abf9a764b9a8b0f8d55627d7bba71ff67a07fc41405cc5cefcd6647e3ec705cb7e1d6396f833e588bd100d9c6ad029ab348169e4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\smiusbdrv\WinUSBdriver.inf
    Filesize

    6KB

    MD5

    60607bc2da6f4e039603069b0556e8c7

    SHA1

    50dec2d7f90b7d6947c5d020451ff32ef5d57004

    SHA256

    9ba0df0f4bf212f5e6272185dbaa59b46184b4f87e93266a5bd5d4839f2dfffe

    SHA512

    e1a40b8b0b1811190890010049c709c08daa2598f36912351bff6741a33508bd6753acb3da96407c9872aefcb03741d2aa3a0b8935b323dbc28c6754ad3db0fa

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{2C51E~1\WdfCoInstaller01009.dll
    Filesize

    1.6MB

    MD5

    dfcb433d7b920ac976f1a9c002e3c6dd

    SHA1

    ee2ca2588b0666ad7e0b76cd7fe74c9b8562c573

    SHA256

    b7481369b558b7bba2330840ceb6bb9756c4c37e77940e44d8d1214ba5b770e2

    SHA512

    d7ce35fc9eb0f0e9c702f1c1dc7e692babdd9d5fb5335da194781d22fc18f2b29f642edcb0d59d7800b02565c0872cd130a969ff1e4832a4472863507f677cde

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{2c51ee12-658f-025f-8aa2-586fa940c25d}\WinUsbCoInstaller2.dll
    Filesize

    980KB

    MD5

    808e0d338ec8bee4e8f7e3c09f46e0dc

    SHA1

    9b8024f368a46dd8822e83868c2e46dae7012701

    SHA256

    9351b675ebd60b249cbda5010713ddbf45c202387270ac4806663279dc4f0f5e

    SHA512

    a57b7e9e74e043d3489186ee6e1525db7da51e162e6725cc947386bbf084fbcfc3430ec57f7f3c3954c1d909396dc65757400359ef9fb9cddbafdc69d7dd15c5

    Download Submit

  • C:\Users\Admin\Desktop\~$OpenBackup.xlsx
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • C:\Windows\Temp\CabB711.tmp
    Filesize

    29KB

    MD5

    d59a6b36c5a94916241a3ead50222b6f

    SHA1

    e274e9486d318c383bc4b9812844ba56f0cff3c6

    SHA256

    a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53

    SHA512

    17012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489

    Download Submit

  • C:\Windows\Temp\TarB714.tmp
    Filesize

    81KB

    MD5

    b13f51572f55a2d31ed9f266d581e9ea

    SHA1

    7eef3111b878e159e520f34410ad87adecf0ca92

    SHA256

    725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15

    SHA512

    f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_windows instantview.exe
    Filesize

    46.0MB

    MD5

    d5265dc7f2a5f34e484f6128a60b0fce

    SHA1

    a9dc69ec11ae28474902d0e021a42e83618ce01d

    SHA256

    ef0847b65d6b2e0f64621c2cfa6d186263588a57ee910071ff20ef0a9c1c2d2e

    SHA512

    b6ec0d1f478a6cce03b21f305c7bf03f9b7216a685f599ea3c97bfb2ddde9d4c9f14b8550cd632ed4f138ca39c205cd54075c56adb9039ae09a7f2ae3dc42468

    Download Submit

  • memory/844-341-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/844-428-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1580-303-0x000000013FB20000-0x000000013FB3A000-memory.dmp

    Filesize

    104KB

    Download

  • memory/2628-36-0x0000000000400000-0x00000000032BD000-memory.dmp

    Filesize

    46.7MB

    Download

  • memory/2628-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2916-295-0x0000000000400000-0x00000000032BD000-memory.dmp

    Filesize

    46.7MB

    Download

  • memory/2916-429-0x0000000000400000-0x00000000032BD000-memory.dmp

    Filesize

    46.7MB

    Download

  • memory/2916-446-0x0000000000400000-0x00000000032BD000-memory.dmp

    Filesize

    46.7MB

    Download

  • memory/2916-481-0x0000000000400000-0x00000000032BD000-memory.dmp

    Filesize

    46.7MB

    Download