Overview

overview

10

Static

static

1

valyzt.msi

windows7-x64

10

valyzt.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30/12/2024, 10:26

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    valyzt.msi

  • Size

    1.7MB

  • MD5

    53614b87538306b4f7437db8be2a0e47

  • SHA1

    a6a777b24bb64067738386caa66787b8ed225726

  • SHA256

    e86d059bd44bc6e4252972320cb811497ea87f3b0ef10eed5edfcd7acf44a3d8

  • SHA512

    cfed71c6b9eb55b3ebfb53cbdb1611e8921a6dbe7b7efc5456cebb9bfb3d6a64f23a97c63415d61c38c4e3b540a79fd50cb2a080220bf3ea32edc98f85e6ecc1

  • SSDEEP

    49152:PElnsHyjtk2MYC5GD8hloJfCAh9RMUBrNUFqtBZl:Gnsmtk2a1hlPERBsiT

Score
10/10
xredbackdoordiscoverypersistenceprivilege_escalationupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 15 IoCs

    AutoIT scripts compiled to PE executables.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 5 IoCs
  • UPX packed file 18 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\valyzt.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:4272
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:640
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2888
    • C:\Windows\Installer\MSIB6FD.tmp
      "C:\Windows\Installer\MSIB6FD.tmp"
      2⤵
      • Adds Run key to start application
      • Checks computer location settings
      • Drops file in System32 directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:3064
        • C:\Windows\SysWOW64\._cache_Synaptics.exe
          "C:\Windows\system32\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Drops file in System32 directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:2232
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn HBMQLS.exe /tr C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe /sc minute /mo 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:1488
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn HBMQLS.exe /tr C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe /sc minute /mo 1
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:3868
          • C:\Windows\SysWOW64\WSCript.exe
            WSCript C:\Users\Admin\AppData\Local\Temp\HBMQLS.vbs
            5⤵
            • System Location Discovery: System Language Discovery
            PID:4420
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3068
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4848
  • C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
    C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:3628
  • C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
    C:\Users\Admin\AppData\Roaming\Windata\EWZJGF.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2888

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Installer Packages

        1
        T1546.016

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Event Triggered Execution

        1
        T1546

        Installer Packages

        1
        T1546.016

        Scheduled Task/Job

        1
        T1053

        Scheduled Task

        1
        T1053.005

        Defense Evasion

        Modify Registry

        1
        T1112

        System Binary Proxy Execution

        1
        T1218

        Msiexec

        1
        T1218.007

        Credential Access

        Discovery

        Peripheral Device Discovery

        2
        T1120

        Query Registry

        5
        T1012

        System Information Discovery

        6
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Config.Msi\e57b5d6.rbs
          Filesize

          623B

          MD5

          76839dcde87f7213ca06ca590df2907a

          SHA1

          61a5239feb50aa07988b13963c077001d764a2cd

          SHA256

          b0c97db66441eb34b30c9b00c55d7d10d03381d12007eecba7cf07c76fd3814a

          SHA512

          d796018817f02cd95e14fbe3e14f39416b57e621d71dd73d517deba2a141550b59bc2314439b5535b715ef523bcdd9d7af0ccc6e8eb5cea71df2fcb1846cab3f

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\AGtj4oCB.xlsm
          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\B8C75E00
          Filesize

          24KB

          MD5

          1b8ceabeb10594a23b0e52bb0b8017b9

          SHA1

          930af4b30961cf50bd80e5d64ae9397073e33a47

          SHA256

          bfb237e0aa7a09817f50e24477f338f1c6330e1f5f49234213c85cd3800895de

          SHA512

          f749ca4d3c4e3755176e6a26a28bb1e43a2ea7ba6940aba2976a8250bf98a59f3f5b0cb19fe9bd64a7cfcc6afe24fb5813a34b551f8c9624a0ed6750cef9b4af

          Download Submit

        • C:\Users\Admin\AppData\Local\Temp\HBMQLS.vbs
          Filesize

          840B

          MD5

          89137407cd4107effa2ff9f29a2a99ad

          SHA1

          99814ebc80118160841a2cf0f29eb578b57e4ac6

          SHA256

          cbee270ed61982f063979c013888bb288d5db2720d2d69f86ee13263a26ffe36

          SHA512

          d7f64023ef44e2f91195bd8950f211110f530ec751c39b4122925993e8da7c11e0c8bcd6b4286f67efb6df20cc1cde08ededbc241a8ddbde934b58a75592684b

          Download Submit

        • C:\Windows\Installer\MSIB6FD.tmp
          Filesize

          1.6MB

          MD5

          71386f37f17778126296ca734975db6d

          SHA1

          353818dcd74d06565fc0e8ac4416e594d29ecd0b

          SHA256

          c1317da0fd0dc3d73b38634ea586016f6f651f52acc576fbae8b82721c83e9ae

          SHA512

          e5e0d87f91611bccfea16222c9afb7ac7b949f1762244ced01f9d8a78e2c992cfe8c1faaf1391f4cf107604a0e9f7a64fa4adda1c339d8dc85b27e7be610b83c

          Download Submit

        • C:\Windows\SysWOW64\._cache_Synaptics.exe
          Filesize

          930KB

          MD5

          36f4c5372c6391f782c2db490081746f

          SHA1

          a0b1ec84b0a2db8f801981e247578217b71b38da

          SHA256

          1fe023f69f42fcd4be4baa180bbff00b7ffe51c553211dd0df45fb7ff71148b8

          SHA512

          111c1915d81141398b6bb7a0aa0e98896fb05d5548ace8fd1e0e23343eae60ea1e3d6617d3f5f883b96c8e05f5f868a280683341810896c00fa6ef1f68338992

          Download Submit

        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
          Filesize

          24.1MB

          MD5

          a06b03f9bf3d22ea2f06bcfc841fb6d0

          SHA1

          b83d5a21697438b7287cf5fecd2cb1655e52d36c

          SHA256

          5e3fd7d6c69f7019571b3e1a0f18274dcf5a0df3f2e8cee90a7c39fc3c6183f9

          SHA512

          8452f1d1b5a1007bce2ea151441909a6fcaf26d155c5c20806a856d5b04f6dff93e30ba1bd7dbc6f568f15f1961eb41ac94c44b6691a4cb94d1466f80ed74895

          Download Submit

        • \??\Volume{fb297ba4-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dd7dc004-2a4a-4adf-b6c7-32d66f11cac7}_OnDiskSnapshotProp
          Filesize

          6KB

          MD5

          6efee53892be0a56c677a10c7e976c50

          SHA1

          2b4634560211515572ac3ecd703fcc51101d99ac

          SHA256

          5a462a79b8322a2bd2c5aef7c6d5de230e4e3ba70a82296e947e4bcfcc6375ef

          SHA512

          18bec997881e9cd17c9a5b19b8dfb1d8ff3e47ae70cb71e13bb95df30f48ca92f6cf12c9dce71dafb223337aeda61c54c7d8972bf97bcd6df76056e741aaf7bd

          Download Submit

        • memory/1020-83-0x0000000000400000-0x00000000005AB000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2232-235-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-216-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-276-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-274-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-272-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-270-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-268-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-238-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-153-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-230-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-215-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-223-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-264-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2232-262-0x0000000000ED0000-0x00000000010D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/2888-267-0x00000000005D0000-0x00000000007D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3064-261-0x0000000000400000-0x00000000005AB000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3064-214-0x0000000000400000-0x00000000005AB000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3628-228-0x00000000005D0000-0x00000000007D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/3628-225-0x00000000005D0000-0x00000000007D0000-memory.dmp

          Filesize

          2.0MB

          Download

        • memory/4848-158-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4848-155-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4848-157-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4848-159-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4848-165-0x00007FFDDD530000-0x00007FFDDD540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4848-161-0x00007FFDDD530000-0x00007FFDDD540000-memory.dmp

          Filesize

          64KB

          Download

        • memory/4848-156-0x00007FFDDF650000-0x00007FFDDF660000-memory.dmp

          Filesize

          64KB

          Download