Overview

overview

10

Static

static

10

windows in...ew.exe

windows7-x64

10

windows in...ew.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23/12/2024, 05:09

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    windows instantview.exe

  • Size

    46.7MB

  • MD5

    8fe9734738d9851113a7ac5f8f484d29

  • SHA1

    5934059ccb49608d816b447510f3ded1b9deb513

  • SHA256

    2d3f94e3f5cebbda9289782f84575cf2aed8caed8b79a8145d32a7ec30828b6a

  • SHA512

    c9177c5c9e318da2a2e34e4535b8213b11ba6bb1f509f3fa179690b9712ad15f832a045a4ae483d47b46c135bef19f8b4bbd926f4075bb02f6ca7304b251d7db

  • SSDEEP

    393216:C2LA+n+w4BZFThUFEFwyiHnIgPn6Q+GW4wyi2v97H9Wmw4/w4qw4E9v8H6Gcr+zI:pp8UFXHnDwreHElaG2+zR1no

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 7 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 8 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 10 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 28 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\windows instantview.exe
    "C:\Users\Admin\AppData\Local\Temp\windows instantview.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\._cache_windows instantview.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_windows instantview.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2168
      • C:\Users\Admin\AppData\Local\SMI InstantView\Windows InstantView.exe
        "C:\Users\Admin\AppData\Local\SMI InstantView\Windows InstantView.exe" "SETAUTORUN_RESTART" "2304"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Checks SCSI registry key(s)
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SendNotifyMessage
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2712
        • C:\Users\Admin\AppData\Local\Temp\InitQSProcess.exe
          "C:\Users\Admin\AppData\Local\Temp\InitQSProcess.exe"
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:632
        • C:\Users\Admin\AppData\Local\SMI InstantView\Windows InstantView.exe
          "C:\Users\Admin\AppData\Local\SMI InstantView\Windows InstantView.exe" "UPDATEONLINE_RESTART" "2712" "C:\Users\Admin\AppData\Local\SMI InstantView\Old_Windows InstantView.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Checks SCSI registry key(s)
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4896
          • C:\Users\Admin\AppData\Local\Temp\InitQSProcess.exe
            "C:\Users\Admin\AppData\Local\Temp\InitQSProcess.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            PID:2304
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4448
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:1528
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:884
  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
      PID:2168

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      6KB

      MD5

      b1e47cd0b988e70d0a982bd36a25220b

      SHA1

      fc5e28e16d42f95c88b6d3a61bcc750f66c1fdc8

      SHA256

      ce290c53c9e59f38f4cf9e8973e4d17461381a32eba8823cdc072f41e21bed45

      SHA512

      560a018182fe96639e4cdf522006a9e20838312af41dd214d488b12ae9632ea6298ff0443e2989af311280a2f1e2a980dd598ac314a0c3fc5a676fd16028d3db

      Download Submit

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      7KB

      MD5

      9c78f9cd5781c11ec637d73ed5d6a08b

      SHA1

      18f8544b0e02b8dd6a1baaf2b6d6ba90885d6d10

      SHA256

      9a45c2c32b56f7f65d10994771b1bcf1fcb0adc1863fb4306dc5352219ceff32

      SHA512

      46690add5b9205d33b63c8387b7c8e793f5031e0a6f9343f32868e3f5c209bba1df4e6bd0dcb0d86ac56e712070b400cc665083ad1c602f9273520cce384172f

      Download Submit

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      7KB

      MD5

      dc7af1c349b674f6e3249a4d9c927a09

      SHA1

      6b759a95092dff867a9f12117e67c283cac824d3

      SHA256

      1657ff0b686a030b9fd20dd4801d53cadac111ed876fa9aa47b861378c04b258

      SHA512

      313f9eb2c50c1b3ec940c2a1abe477940036fc5a88cc9150ef32225419ee24c5684ff20b8615bd247b17ef666e260c1d1879a33221283a7953cf0814295d0eab

      Download Submit

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      1KB

      MD5

      071a698d7040a7021bf43b6f0fe612fa

      SHA1

      09b3970498597d821646f6b3b0e753e6bd846a18

      SHA256

      1cbf2a81c0e4c65a0294408c2ad0db06b3fb237cbf1788cb11d73f955c4afd6e

      SHA512

      f5bc9200866a5354616e4c9652628324f975409becef398fbf07710fca878fac4d7fd362ef87735580ae11d542cf975a775e5dcaf1f34bb462642194ac2c0eb2

      Download Submit

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      2KB

      MD5

      86d03d9c8afa330d9f41fd4d09b45d0e

      SHA1

      0aac9233c51c9341ab5327e34d626eac6441c2dc

      SHA256

      221eaf62efdb6160932f8bea80d1503bfba6bf7472f06c0cf1a10ced60383e7d

      SHA512

      4b645d90eaaae94988aedcac40cf09d2bbd15f9fb3f82c1cf315e16137c2642ffedb0bc85f95d2f208441cb5d2b63bf1dd6c474168f2a1ec319662ddcb094d66

      Download Submit

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      3KB

      MD5

      7d4d430c5d11d9da0192d6d17b1b2f90

      SHA1

      5175080daf5f7a535833c65853880abdec75fb80

      SHA256

      ade756be85e85751c4414b1a1b77f7868172ba7e944d2a74cb7fd9bd449d30dc

      SHA512

      41404510f6eca8144b9d42a2e27d3934345291adfcd17ff7461b30e8ead236e789024c7d7c3a2c598d40da174481acec67c55ccafac22888738f8b69e530300d

      Download Submit

    • C:\ProgramData\SMIDisplayLog\InstantViewlog.txt
      Filesize

      4KB

      MD5

      04dec98a92ddc1143c6d348e8aa0ead7

      SHA1

      5d670011bf28123fb8be1f6243cf820d5b770947

      SHA256

      f5351ade8081516d2ee9eb352948f407032fe6b1039d0000feba22d10168b6fa

      SHA512

      4eb567faf0a0fdcfa71c85f8c08faea782512ec78cc9d6511dc190fd0262fbbb8799151799fe671ece4e67542a5bbec38df6d8c136c848dcb5cb96db604514fe

      Download Submit

    • C:\ProgramData\Synaptics\Synaptics.exe
      Filesize

      46.7MB

      MD5

      8fe9734738d9851113a7ac5f8f484d29

      SHA1

      5934059ccb49608d816b447510f3ded1b9deb513

      SHA256

      2d3f94e3f5cebbda9289782f84575cf2aed8caed8b79a8145d32a7ec30828b6a

      SHA512

      c9177c5c9e318da2a2e34e4535b8213b11ba6bb1f509f3fa179690b9712ad15f832a045a4ae483d47b46c135bef19f8b4bbd926f4075bb02f6ca7304b251d7db

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\._cache_windows instantview.exe
      Filesize

      46.0MB

      MD5

      d5265dc7f2a5f34e484f6128a60b0fce

      SHA1

      a9dc69ec11ae28474902d0e021a42e83618ce01d

      SHA256

      ef0847b65d6b2e0f64621c2cfa6d186263588a57ee910071ff20ef0a9c1c2d2e

      SHA512

      b6ec0d1f478a6cce03b21f305c7bf03f9b7216a685f599ea3c97bfb2ddde9d4c9f14b8550cd632ed4f138ca39c205cd54075c56adb9039ae09a7f2ae3dc42468

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InitQSProcess.exe
      Filesize

      1.3MB

      MD5

      5e0c4eb55570931d25b176a23eb3539e

      SHA1

      3812aeb06f5d0afb3032e0373391f7f87baa720f

      SHA256

      d5148ceb3b9253cc440f0f20048612d345a40aaab007f5524a3124a8f4b7aa53

      SHA512

      7947a93196252c30330d89cccfc92531d4d1c06842923935b18ea8c280be457db121f8288268d222ae086689a332e44f64648821452595c7e5f6a77e3f4523ce

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\InitQSProcess.exe
      Filesize

      1.3MB

      MD5

      1e4935edae1be85e825795e4691da67b

      SHA1

      1078ebc2e059b30914123c7ba9c8270a9e6d0e17

      SHA256

      6ad80453cec5dc2a251da981a9c1e6149dd787b8ffe61c9e4f069e111809d804

      SHA512

      dcbdfdf75808d21f914e20f816d65c4754ebd49c4e2a9f13db5c37d95f1459102c698c06562fa1810feae01344f9d0eff5a5661f08f1f52c89476b5aaf6626fa

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JDfps2PG.xlsm
      Filesize

      17KB

      MD5

      e566fc53051035e1e6fd0ed1823de0f9

      SHA1

      00bc96c48b98676ecd67e81a6f1d7754e4156044

      SHA256

      8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

      SHA512

      a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Smi-Update-Windows InstantView\Windows InstantView.exe
      Filesize

      45.7MB

      MD5

      0236a6a386ad33308e9f5bc685117f43

      SHA1

      2e5377772304b98b2d5a7de398974d8a36f6593d

      SHA256

      a98b55e05e4dec0586c648a28ed69aa9480657f7cf5353fa60fd80b557dcad8a

      SHA512

      622b05e694bbcdca3eb9b8a5f7fee4443322e560cce7301c0406348cefdf03db7cda6133e06a2a43c3ee43ca424b65b5f1ff33ee48476d451feb10291ccf6e51

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\Smi-Update-Windows InstantView\Windows InstantView.zip
      Filesize

      16KB

      MD5

      29e8fd53b9a20aba8518b90f74201023

      SHA1

      0000a9836da8e1ea896e4486c0a65fdbdd4344a8

      SHA256

      26a0f4bd51003001890a72f33a364f26ffa7700f25b04e9a41506b1c5e7f4624

      SHA512

      8a9b23c8a356cd8ebec12f3787fef85194e1238b34d1adcf2d9dda547269a093d58dce3e22d2e7ffdae6f9648f52800bc7c452d010a3b482b4362c6eccc9b30b

      Download Submit

    • memory/632-238-0x0000000000490000-0x000000000065E000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/632-240-0x0000000000490000-0x000000000065E000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/884-249-0x00007FF969FB0000-0x00007FF969FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/884-251-0x00007FF969FB0000-0x00007FF969FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/884-254-0x00007FF967C60000-0x00007FF967C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/884-253-0x00007FF969FB0000-0x00007FF969FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/884-255-0x00007FF967C60000-0x00007FF967C70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/884-252-0x00007FF969FB0000-0x00007FF969FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/884-250-0x00007FF969FB0000-0x00007FF969FC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2304-0-0x0000000005130000-0x0000000005131000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2304-144-0x0000000000400000-0x00000000032BD000-memory.dmp

      Filesize

      46.7MB

      Download

    • memory/2304-12359-0x0000000000A40000-0x0000000000C0E000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2304-12361-0x0000000000A40000-0x0000000000C0E000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/2712-12317-0x0000000000990000-0x0000000005029000-memory.dmp

      Filesize

      70.6MB

      Download

    • memory/4448-7570-0x0000000000400000-0x00000000032BD000-memory.dmp

      Filesize

      46.7MB

      Download

    • memory/4448-283-0x0000000000400000-0x00000000032BD000-memory.dmp

      Filesize

      46.7MB

      Download