Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    31/12/2024, 02:08

General

  • Target

    0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd.msi

  • Size

    1.7MB

  • MD5

    251eff52580900a708bc33aa5ac20707

  • SHA1

    ff2848350a329b3fd9d460e40d898962899e5b4d

  • SHA256

    0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd

  • SHA512

    f0d4501af1d323347aab94eb35c94980fdbade725e7f3e061835cd322ae6333877fb6e0d0ecf73cdebeab40c4fdf1e9acf0c6b5ce85afd51d0a37ddcaf4c7d94

  • SSDEEP

    49152:xERnsHyjtk2MYC5GDIhloJfAAR/sTEsiwg6gpWacS:knsmtk2aFhlZUETE9wg5

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll
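The URL list above mixes hosts the operator controls (xred.mooo.com, xred.site50.net) with shared services (Google Docs, Dropbox, FreeDNS) that cannot be blocked by hostname without heavy collateral damage. The Python below is an added example and not part of the report: it derives host-level and resource-level indicators from the extracted config and matches them against proxy log lines. The log line format (timestamp, source IP, method, URL, status) and the set of "noise" query parameters are this example's own assumptions; the sample log lines are constructed.

```python
"""Turn the extracted Xred config into network IOCs and match proxy log lines.

Added example, not part of the sandbox report. C2_HOSTS and PAYLOAD_URLS are
copied from the report's config; SAMPLE_LOG is constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlparse

C2_HOSTS = {"xred.mooo.com"}
PAYLOAD_URLS = [
    "http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download",
    "https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1",
    "http://xred.site50.net/syn/SUpdate.ini",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download",
    "https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1",
    "http://xred.site50.net/syn/Synaptics.rar",
    "https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download",
    "https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1",
    "http://xred.site50.net/syn/SSLLibrary.dll",
]

# Shared services: a bare hostname match would flag every Google Docs, Dropbox
# or FreeDNS request in the estate, so these are matched on the resource path.
SHARED_HOSTS = {"docs.google.com", "www.dropbox.com", "freedns.afraid.org"}
# Query parameters that change download behaviour, not which file is fetched
# (assumption of this example: dl=0 and dl=1 point at the same Dropbox file).
NOISE_PARAMS = {"export", "dl"}


def normalize(url):
    """Return (host, resource): lower-cased host, path plus sorted query minus noise."""
    u = urlparse(url)
    host = (u.hostname or "").lower()
    query = sorted(kv for kv in parse_qsl(u.query, keep_blank_values=True)
                   if kv[0] not in NOISE_PARAMS)
    return host, u.path.rstrip("/") + ("?" + urlencode(query) if query else "")


def build_iocs(payload_urls=PAYLOAD_URLS, c2_hosts=C2_HOSTS):
    """Split the config into host IOCs (attacker infra) and URL IOCs (shared hosts)."""
    host_iocs, url_iocs = set(c2_hosts), set()
    for url in payload_urls:
        host, resource = normalize(url)
        if host in SHARED_HOSTS:
            url_iocs.add((host, resource))
        else:
            host_iocs.add(host)
    return host_iocs, url_iocs


SAMPLE_LOG = [  # constructed: timestamp src method url status
    "2024-12-31T02:10:11Z 10.0.0.5 GET http://xred.site50.net/syn/SUpdate.ini 200",
    "2024-12-31T02:10:12Z 10.0.0.5 GET https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download 302",
    "2024-12-31T02:11:00Z 10.0.0.7 GET https://docs.google.com/uc?id=1AbCdEfGh&export=download 200",
    "2024-12-31T02:11:30Z 10.0.0.9 GET https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=0 200",
    "2024-12-31T02:12:00Z 10.0.0.5 GET http://xred.mooo.com/ 200",
]


def match_log(lines, host_iocs, url_iocs):
    """Return (src, kind, indicator) for every log line that hits an IOC."""
    hits = []
    for line in lines:
        _ts, src, _method, url, _status = line.split()
        host, resource = normalize(url)
        if host in host_iocs:
            hits.append((src, "host", host))
        elif (host, resource) in url_iocs:
            hits.append((src, "url", host + resource))
    return hits


def scan_sample():
    return match_log(SAMPLE_LOG, *build_iocs())


if __name__ == "__main__":
    for hit in scan_sample():
        print(*hit)
```

The docs.google.com `id` value and the Dropbox `/s/<token>/<file>` path are what identify the operator's resource; `export=download` and `dl=1` only toggle download behaviour, so dropping them keeps a `dl=0` variant matching while the unrelated Google Docs download from 10.0.0.7 stays clean. For the xred.mooo.com C2 host, DNS query logs are usually a better source than a proxy log, since the backdoor's C2 traffic need not be HTTP.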

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Drops startup file 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • AutoIT Executable 11 IoCs

    AutoIT scripts compiled to PE executables.

  • Drops file in System32 directory 5 IoCs
  • UPX packed file 15 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Windows directory 10 IoCs
  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Event Triggered Execution: Installer Packages 2 TTPs 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of the host.

  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies data under HKEY_USERS 43 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution. In this run the task points at HWCCVS.exe under AppData\Roaming and fires every minute (/sc minute /mo 1), which is why taskeng.exe launches it repeatedly in the process tree.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 61 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots. Here it is reached from the MSI installation itself (vssvc.exe and the DrvInst.exe VolumeSnapshot call at the root of the tree), which is expected for a Windows Installer run and is not an indicator on its own.

Processes

  • C:\Windows\system32\msiexec.exe
    msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\0713f3f1c34297d9689ff5b5202c2f37e385109ce493005eb1128ec180d03afd.msi
    1⤵
    • Enumerates connected drives
    • Event Triggered Execution: Installer Packages
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1732
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1720
    • C:\Windows\Installer\MSIC055.tmp
      "C:\Windows\Installer\MSIC055.tmp"
      2⤵
      • Adds Run key to start application
      • Drops file in System32 directory
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2676
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Drops file in System32 directory
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1316
        • C:\Windows\SysWOW64\._cache_Synaptics.exe
          "C:\Windows\system32\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Drops startup file
          • Adds Run key to start application
          • Drops file in System32 directory
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of WriteProcessMemory
          PID:1564
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c schtasks /create /tn VAIVZU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe /sc minute /mo 1
            5⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2076
            • C:\Windows\SysWOW64\schtasks.exe
              schtasks /create /tn VAIVZU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe /sc minute /mo 1
              6⤵
              • System Location Discovery: System Language Discovery
              • Scheduled Task/Job: Scheduled Task
              PID:1940
          • C:\Windows\SysWOW64\WSCript.exe
            WSCript C:\Users\Admin\AppData\Local\Temp\VAIVZU.vbs
            5⤵
            • System Location Discovery: System Language Discovery
            PID:1592
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:2256
  • C:\Windows\system32\DrvInst.exe
    DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000590" "00000000000003C0"
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:2892
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:1124
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {D6424E16-1A5C-4926-BD57-BD43135CC52C} S-1-5-21-3533259084-2542256011-65585152-1000:XPAJOTIY\Admin:Interactive:[1]
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2600
    • C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe
      C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2032
    • C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe
      C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:1472
    • C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe
      C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2472
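The process tree above is the raw material a detection engineer turns into rules: a ProgramData-resident Synaptics.exe launched with InjUpdate, a ._cache_-prefixed copy executing from SysWOW64, a minute-interval scheduled task whose action lives in AppData\Roaming, WScript running a .vbs from Temp, and taskeng.exe firing the persisted binary. The Python below is an added example, not part of the report or of any sandbox product: it encodes those five behaviours as predicates over process-creation records and runs them over events constructed from the tree plus one benign schtasks call for contrast. The record fields image, cmd and parent are this example's own convention (modelled on Sysmon event ID 1), as is the list of user-writable path fragments.

```python
"""Detection predicates derived from the Xred process tree in the report.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's tree (PIDs, images, command lines) plus one benign control record.
"""
import ntpath
import re

EVENTS = [
    {"pid": 1316, "image": r"C:\ProgramData\Synaptics\Synaptics.exe",
     "cmd": r'"C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate',
     "parent": r"C:\Windows\Installer\MSIC055.tmp"},
    {"pid": 1564, "image": r"C:\Windows\SysWOW64\._cache_Synaptics.exe",
     "cmd": r'"C:\Windows\system32\._cache_Synaptics.exe" InjUpdate',
     "parent": r"C:\ProgramData\Synaptics\Synaptics.exe"},
    {"pid": 1940, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmd": r"schtasks /create /tn VAIVZU.exe /tr C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe /sc minute /mo 1",
     "parent": r"C:\Windows\SysWOW64\cmd.exe"},
    {"pid": 1592, "image": r"C:\Windows\SysWOW64\WSCript.exe",
     "cmd": r"WSCript C:\Users\Admin\AppData\Local\Temp\VAIVZU.vbs",
     "parent": r"C:\Windows\SysWOW64\._cache_Synaptics.exe"},
    {"pid": 2032, "image": r"C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe",
     "cmd": r"C:\Users\Admin\AppData\Roaming\Windata\HWCCVS.exe",
     "parent": r"C:\Windows\system32\taskeng.exe"},
    # Benign control record (constructed): daily task from Program Files.
    {"pid": 4242, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks /create /tn Backup /tr "C:\Program Files\Backup\run.exe" /sc daily /st 02:00',
     "parent": r"C:\Windows\System32\cmd.exe"},
]

# Path fragments a standard user can write to (assumption of this example).
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\users\\public\\")


def _base(path):
    return ntpath.basename(path).lower()


def synaptics_injupdate(ev):
    """Synaptics.exe running from ProgramData with the InjUpdate argument."""
    return (ev["image"].lower().endswith("\\programdata\\synaptics\\synaptics.exe")
            and "injupdate" in ev["cmd"].lower())


def cache_prefixed_image(ev):
    """Any executable whose file name carries the ._cache_ prefix."""
    return _base(ev["image"]).startswith("._cache_")


def minute_task_from_user_path(ev):
    """schtasks /create with a minute trigger whose action sits in a user-writable path."""
    cmd = ev["cmd"].lower()
    if _base(ev["image"]) != "schtasks.exe" or "/create" not in cmd:
        return False
    action = re.search(r'/tr\s+"?(.+?)"?(?=\s+/|$)', cmd)
    if not action or not re.search(r"/sc\s+minute", cmd):
        return False
    return any(p in action.group(1) for p in USER_WRITABLE)


def wscript_temp_vbs(ev):
    """wscript/cscript executing a .vbs out of the user's Temp directory."""
    return (_base(ev["image"]) in ("wscript.exe", "cscript.exe")
            and re.search(r'\\appdata\\local\\temp\\[^\s"]+\.vbs', ev["cmd"].lower()) is not None)


def taskeng_spawn_roaming(ev):
    """Task host launching a binary from a user-writable path.

    taskeng.exe is the Windows 7 task host seen in the report; on Windows 10 and
    later scheduled tasks start under svchost.exe (Schedule service), so the
    parent check must be adapted there.
    """
    return (_base(ev["parent"]) == "taskeng.exe"
            and any(p in ev["image"].lower() for p in USER_WRITABLE))


RULES = [
    ("synaptics_injupdate", synaptics_injupdate),
    ("cache_prefixed_image", cache_prefixed_image),
    ("minute_task_from_user_path", minute_task_from_user_path),
    ("wscript_temp_vbs", wscript_temp_vbs),
    ("taskeng_spawn_roaming", taskeng_spawn_roaming),
]


def scan(events):
    """Return (pid, rule name) for every event that trips a rule."""
    return [(ev["pid"], name) for ev in events for name, rule in RULES if rule(ev)]


if __name__ == "__main__":
    for pid, name in scan(EVENTS):
        print(pid, name)
```

Of the five, the scheduled-task rule is the most portable: a minute-interval trigger whose action lives under AppData is unusual for legitimate software and survives the malware renaming its files (VAIVZU, HWCCVS and Windata are random-looking in this run). The name-based rules (._cache_ prefix, ProgramData\Synaptics) are specific to this family and cheap to add as a second layer.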

        Downloads

        • C:\Config.Msi\f76be44.rbs

          Filesize

          681B

          MD5

          d39a489fdae93377f723e360bf8f62bf

          SHA1

          9598f91ac52412ce049cc98dbd7315677f874c7d

          SHA256

          1279355fdd6cd330d55cd1d554208e4fe7d63ef7994770b2cd500cea1bbc552e

          SHA512

          0213346bdcc7d337b70e2775a77738747f2c5fc2fae7f739239379db504c0191b403ee348adeff7319e974a34fa915bf14f1b3e94e7da1e092bb646962f8674d

        • C:\Users\Admin\AppData\Local\Temp\SxolE2pl.xlsm

          Filesize

          25KB

          MD5

          ba0bfa247b157b4fedbb823d6e3cf531

          SHA1

          326bc83f81fb3d3cf88ac278f319780732288348

          SHA256

          2bb92b5292d0f3ade7e8f17c93a58200b3bf3d969ac5a9b7e01c2064e67c26d0

          SHA512

          34b144f846525e168bbd28a58be605e6d2934bc5f7fdcc4de00b2d80a7e3972d41dc920f6cfad389c5f85567b5b33ad2bf89d245b98f416d02f2aec286536770

        • C:\Users\Admin\AppData\Local\Temp\SxolE2pl.xlsm

          Filesize

          17KB

          MD5

          e566fc53051035e1e6fd0ed1823de0f9

          SHA1

          00bc96c48b98676ecd67e81a6f1d7754e4156044

          SHA256

          8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

          SHA512

          a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

        • C:\Users\Admin\AppData\Local\Temp\VAIVZU.vbs

          Filesize

          840B

          MD5

          89137407cd4107effa2ff9f29a2a99ad

          SHA1

          99814ebc80118160841a2cf0f29eb578b57e4ac6

          SHA256

          cbee270ed61982f063979c013888bb288d5db2720d2d69f86ee13263a26ffe36

          SHA512

          d7f64023ef44e2f91195bd8950f211110f530ec751c39b4122925993e8da7c11e0c8bcd6b4286f67efb6df20cc1cde08ededbc241a8ddbde934b58a75592684b

        • C:\Windows\Installer\MSIC055.tmp

          Filesize

          1.6MB

          MD5

          6ae1479d38c7cb94c69b68d6f8678129

          SHA1

          0be3abad5d5f32440715b33052ce7df3059c5281

          SHA256

          87e0b788c004b6a9c0796fc7d60c61f10070025440e34725d1519e6b76a99f1f

          SHA512

          e55d621b2c49333cf980764c5d03c50d7cb9af3742b4f7b6801240461c275988ac4e9815c9ccd8606364de5d8efd94c08f9da6f6cb182955dda3ff49a21d31e3

        • C:\Windows\SysWOW64\._cache_Synaptics.exe

          Filesize

          922KB

          MD5

          e759447d66ae14246646cf49367e7c49

          SHA1

          0cd114480c8cced2b3f4c94fe8379e2a80c0159e

          SHA256

          bfe82a1cab90661d6074e52f9600e1940259be463c0b4510ae065093bc9892a9

          SHA512

          f3ee228c6bdbbcfcc9f827000c259dc8dce9832b7f8bf02d2cef1d3260de235900fa05d62b53049f50fea3fda163f36d6d92d22965be665420ec2ffc511254ea

        • memory/1124-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

          Filesize

          64KB

        • memory/1316-113-0x0000000005B10000-0x0000000005D0E000-memory.dmp

          Filesize

          2.0MB

        • memory/1316-115-0x0000000000400000-0x00000000005A9000-memory.dmp

          Filesize

          1.7MB

        • memory/1316-52-0x0000000005B10000-0x0000000005D0E000-memory.dmp

          Filesize

          2.0MB

        • memory/1316-167-0x0000000000400000-0x00000000005A9000-memory.dmp

          Filesize

          1.7MB

        • memory/1316-118-0x0000000000400000-0x00000000005A9000-memory.dmp

          Filesize

          1.7MB

        • memory/1472-166-0x0000000000B20000-0x0000000000D1E000-memory.dmp

          Filesize

          2.0MB

        • memory/1472-164-0x0000000000B20000-0x0000000000D1E000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-168-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-54-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-114-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-116-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-183-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-121-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-123-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-117-0x0000000000E40000-0x0000000000E50000-memory.dmp

          Filesize

          64KB

        • memory/1564-174-0x0000000000EB0000-0x00000000010AE000-memory.dmp

          Filesize

          2.0MB

        • memory/1564-76-0x0000000000E40000-0x0000000000E50000-memory.dmp

          Filesize

          64KB

        • memory/2032-112-0x0000000000AE0000-0x0000000000CDE000-memory.dmp

          Filesize

          2.0MB

        • memory/2032-110-0x0000000000AE0000-0x0000000000CDE000-memory.dmp

          Filesize

          2.0MB

        • memory/2472-180-0x0000000000E50000-0x000000000104E000-memory.dmp

          Filesize

          2.0MB

        • memory/2472-181-0x0000000000E50000-0x000000000104E000-memory.dmp

          Filesize

          2.0MB

        • memory/2676-33-0x0000000000400000-0x00000000005A9000-memory.dmp

          Filesize

          1.7MB