Overview

overview

10

Static

static

1

xyxmml.msi

windows7-x64

10

xyxmml.msi

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-12-2024 10:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    xyxmml.msi

  • Size

    1.7MB

  • MD5

    51dd5767de678bb6359cbb175319f0ec

  • SHA1

    76ae487dda6cf3651a9b2b30614c0fefd1f3149c

  • SHA256

    5a49f64634ac29f37b3e53f5a1e37b90e8f3a385683f24083c68aee092408314

  • SHA512

    ffb798290e2f6840eb8f0587dc675e8654589bfd070b1c54e49c7984272aa94da3a493cbd28b1dddef1f6a44b09ad9fd8a14ec0d77b90f948dc85089f91cc8a0

  • SSDEEP

    49152:+EJnsHyjtk2MYC5GDChloJfWJ255hpB14Rd:1nsmtk2arhlTJ23h

Score
10/10
xredbackdoordiscoverypersistenceprivilege_escalationupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 16 IoCs

    AutoIT scripts compiled to PE executables.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in System32 directory 5 IoCs
  • UPX packed file 19 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 8 IoCs
  • Executes dropped EXE 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
    persistenceprivilege_escalation
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 55 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\xyxmml.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:2304
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3876
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4364
    • C:\Windows\Installer\MSICF86.tmp
      "C:\Windows\Installer\MSICF86.tmp"
      2⤵
      • Adds Run key to start application
      • Checks computer location settings
      • Drops file in System32 directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1748
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Drops file in System32 directory
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4164
        • C:\Windows\SysWOW64\._cache_Synaptics.exe
          "C:\Windows\system32\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Drops file in System32 directory
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:3596
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn MRIYKG.exe /tr C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe /sc minute /mo 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:5064
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn MRIYKG.exe /tr C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe /sc minute /mo 1
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:5024
          • C:\Windows\SysWOW64\WSCript.exe
            WSCript C:\Users\Admin\AppData\Local\Temp\MRIYKG.vbs
            5⤵
            • System Location Discovery: System Language Discovery
            PID:3168
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:4840
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4316
  • C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:2612
  • C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    C:\Users\Admin\AppData\Roaming\Windata\CHVALO.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Installer Packages

1
T1546.016

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

System Binary Proxy Execution

1
T1218

Msiexec

1
T1218.007

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Config.Msi\e57ce8e.rbs
    Filesize

    623B

    MD5

    5c456ba15ea928aa777acd11bd3b7e10

    SHA1

    028220c7e9f5b0b4d05f0887caec6582af63c0b9

    SHA256

    4994014aaa86fb580dcc46396ac16902dedd3aad91059e0efd64833e4643c862

    SHA512

    89bcb67e3e42d4974d0b8ec70d37e897b6b3fecadc02f6fe7d8bc4e7c90c641348c18435a219be18acc913a0c65998c8130bac8747837e4e7cff3882497dccae

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\1EE75E00
    Filesize

    22KB

    MD5

    8b7740b12b85c5fbdcc6e3dfe14ea665

    SHA1

    746ff68c47d6f43215d024917e8de5e021bc657e

    SHA256

    509bf1bd56ed591ffca858907dc369abebe0446c5bcd8b0b7d699877e603edbe

    SHA512

    11bb8a954b5e73efab2c289ac5aa8c93c0d4ce7aaa1b7ade3e5c650dcecfdf49ace3f0b27c78727a2b395dd54ea9d1fecb9d364e3fc0e698299ae41dada41d62

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\8nrk3MnM.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MRIYKG.vbs
    Filesize

    840B

    MD5

    89137407cd4107effa2ff9f29a2a99ad

    SHA1

    99814ebc80118160841a2cf0f29eb578b57e4ac6

    SHA256

    cbee270ed61982f063979c013888bb288d5db2720d2d69f86ee13263a26ffe36

    SHA512

    d7f64023ef44e2f91195bd8950f211110f530ec751c39b4122925993e8da7c11e0c8bcd6b4286f67efb6df20cc1cde08ededbc241a8ddbde934b58a75592684b

    Download Submit

  • C:\Windows\Installer\MSICF86.tmp
    Filesize

    1.6MB

    MD5

    1d2237faf8e6198625010cb580280901

    SHA1

    592449bddf763bb63c22f638cb42f71484f87f06

    SHA256

    78643b903379276085c5ef0092afc5c10dee821c5754e01bc8ef835907b16ac4

    SHA512

    8abe1ff967d92c663080caf54f315e534ea296c91474d66cd327dccc38a3aa8685101649bb120e28f1438011596dde4f2f83e8150c90d51529efce9906a5aa0b

    Download Submit

  • C:\Windows\SysWOW64\._cache_Synaptics.exe
    Filesize

    935KB

    MD5

    a1d37a2a0a4cd5038e129946ee935868

    SHA1

    87042fbecf1558a2e974c6ad045584f23e1ac7c9

    SHA256

    9988b0297ad8be4bd3c559437176eaca54cdc36593728967395c4dee21fc898c

    SHA512

    eb6cfcc7b1c526c06737dc6187af4f65bdd178ffc951cf8bb13571b44cc2c3c0cd051c6e9b4930433f8e6830420a04e0b538d353dd86a1fefb0663032c37c03c

    Download Submit

  • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
    Filesize

    24.1MB

    MD5

    e9c54f1be6565b2fd4369f05e1e9203e

    SHA1

    9b216e8ac83a0ff746bcac7a818c2025e996638b

    SHA256

    f0dd3bbe8e41aa81064418e8c59d9b125c38a43d95f5a1c9369fbcdd8bf68608

    SHA512

    f1e32583a1b5b96d61c2544dbbb9aa56b469ea72e9bfc7d6c7906ddfbc64ad81f77d888c2023e4eeee2c9922808f73fb9a6292ea75205c1dba8ef77e2085e420

    Download Submit

  • \??\Volume{62c5c1e3-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{aae5e8c9-e621-4caa-ab1b-27f1908a1799}_OnDiskSnapshotProp
    Filesize

    6KB

    MD5

    87361c84655642355838d53a27af410f

    SHA1

    5fd102769f11e07acb72bc9c6463dd43a8dec53b

    SHA256

    ed414d8e3a82af8128ee952b7625a2f58b3bafb6bab8a4a2411543fc55147759

    SHA512

    15d31d304f4b0b125b50b29d73d6693f776996329287c557e7625f8dd7b6ede20cfb8713c2120857269a5f79f4bc6b429ab9be36a875bc39705feb57f681f39d

    Download Submit

  • memory/1748-81-0x0000000000400000-0x00000000005AC000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1924-268-0x0000000000590000-0x0000000000794000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2612-226-0x0000000000590000-0x0000000000794000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2612-228-0x0000000000590000-0x0000000000794000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-276-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-216-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-266-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-270-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-272-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-274-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-217-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-264-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-260-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-222-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-224-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-239-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-152-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-230-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/3596-235-0x0000000000240000-0x0000000000444000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/4164-215-0x0000000000400000-0x00000000005AC000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4164-259-0x0000000000400000-0x00000000005AC000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4164-221-0x0000000000400000-0x00000000005AC000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/4316-166-0x00007FFF731C0000-0x00007FFF731D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4316-165-0x00007FFF731C0000-0x00007FFF731D0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4316-164-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4316-163-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4316-160-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4316-161-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4316-162-0x00007FFF75250000-0x00007FFF75260000-memory.dmp

    Filesize

    64KB

    Download