Overview

overview

10

Static

static

10

RUN ME FIRST.exe

windows10-ltsc_2021-x64

10

Analysis

  • max time kernel
    17s
  • max time network
    19s
  • platform
    windows10-ltsc_2021_x64
  • resource
    win10ltsc2021-20250314-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20250314-enlocale:en-usos:windows10-ltsc_2021-x64system
  • submitted
    11/04/2025, 09:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RUN ME FIRST.exe

  • Size

    25.0MB

  • MD5

    702fe0f78a8710721d8b2e19b9eacffd

  • SHA1

    526188c754dbbabf43b1b33a37578496a5b5e859

  • SHA256

    c5a2b12a61b5e60516640b7a465013bce5507dbfb84269775ca899ebb1fde6ac

  • SHA512

    c14623467ce8c4ab857f3239d29780c58daea9f866f124f6adb5013738411841d250c94141908e96d466fe866372706696eac9d8493ec6ba72af771d7ad20927

  • SSDEEP

    786432:mrp+Ty2SfUfnbu+zMFy/7zYgWXRLTArzttOaaFL:ap+Ty2SfWnPzMFO7zYgWBLbFL

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe
    "C:\Users\Admin\AppData\Local\Temp\RUN ME FIRST.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1712
    • C:\Users\Admin\AppData\Local\Temp\._cache_RUN ME FIRST.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_RUN ME FIRST.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4868
      • C:\Windows\Temp\{758D7847-8D15-4465-818C-8916E84074CA}\.cr\._cache_RUN ME FIRST.exe
        "C:\Windows\Temp\{758D7847-8D15-4465-818C-8916E84074CA}\.cr\._cache_RUN ME FIRST.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_RUN ME FIRST.exe" -burn.filehandle.attached=540 -burn.filehandle.self=552
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of WriteProcessMemory
        PID:6020
        • C:\Windows\Temp\{59687471-53FE-448C-ABEA-D04913A430D0}\.be\VC_redist.x64.exe
          "C:\Windows\Temp\{59687471-53FE-448C-ABEA-D04913A430D0}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{A9E46163-4AB7-4B8C-BABE-9CC089BEDE6A} {04091C14-FBF4-4AD6-808A-25B4747D70BE} 6020
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:5304
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4716
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\ProgramData\Synaptics\Synaptics.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\ProgramData\Synaptics\Synaptics.exe
      C:\ProgramData\Synaptics\Synaptics.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4864
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2264
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:896

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    753KB

    MD5

    b753207b14c635f29b2abf64f603570a

    SHA1

    8a40e828224f22361b09494a556a20db82fc97b9

    SHA256

    7f16106f3354a65fc749737905b77df7bbefa28bf8bbc966dc1f8c53fa4660f2

    SHA512

    0dd32803b95d53badd33c0c84df1002451090ff5f74736680e3a53a0bfc0e723eee7d795626bc10a1fb431de7e6e276c5a66349ef385a8b92b48425b0bdd036f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_RUN ME FIRST.exe
    Filesize

    24.2MB

    MD5

    101b0b9f74cdc6cdbd2570bfe92e302c

    SHA1

    2e6bae42c2842b4f558bd68099479b929bb7d910

    SHA256

    4dfe83c91124cd542f4222fe2c396cabeac617bb6f59bdcbdf89fd6f0df0a32f

    SHA512

    ccf4fd7da2c3440f1bc7fcac67c8a12599eab8d5c015affdc2e439fa30f5c7868ef5f52ede058361faae37ccc4af2c17c0adf30b8e1f852bb7106d0ec7162506

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\BD675E00
    Filesize

    25KB

    MD5

    1d2cbd7dee66432d48c4b6969cb6bd63

    SHA1

    8776e06400e0e7616d8d26a9499d024df6716e92

    SHA256

    7c7abb5eae70c2e6b4c37340b6462fe197608b8a73d6f0b76f5392c3e24200f3

    SHA512

    d984dd8c2a28585dd41420a5543cb879a3bda8147c5b4d9fee10e5e3b993cf7ffd1e3f40c1ed6448a0fca3e91294497b17fc3a2e57d7f73c2667ca487ecbdbf4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\n5Fuai9O.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Windows\Temp\{59687471-53FE-448C-ABEA-D04913A430D0}\.ba\logo.png
    Filesize

    1KB

    MD5

    d6bd210f227442b3362493d046cea233

    SHA1

    ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

    SHA256

    335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

    SHA512

    464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

    Download Submit

  • C:\Windows\Temp\{59687471-53FE-448C-ABEA-D04913A430D0}\.ba\wixstdba.dll
    Filesize

    191KB

    MD5

    eab9caf4277829abdf6223ec1efa0edd

    SHA1

    74862ecf349a9bedd32699f2a7a4e00b4727543d

    SHA256

    a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

    SHA512

    45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

    Download Submit

  • C:\Windows\Temp\{758D7847-8D15-4465-818C-8916E84074CA}\.cr\._cache_RUN ME FIRST.exe
    Filesize

    635KB

    MD5

    53e9222bc438cbd8b7320f800bef2e78

    SHA1

    c4f295d8855b4b16c7450a4a9150eb95046f6390

    SHA256

    0e49026767420229afd23b1352cf9f97f24e0768c3d527000d449ffdb4ca6888

    SHA512

    7533f9791e1807072a4dbb6ca03c696b12dfa5337678fab53aceea0e4b7e5ffefb90c9b450ac80878e1e9a4bce549f619da4cd2d06eb2554c9add5b4ec838b4a

    Download Submit

  • memory/1712-132-0x0000000000400000-0x0000000001D01000-memory.dmp

    Filesize

    25.0MB

    Download

  • memory/1712-0-0x0000000003AA0000-0x0000000003AA1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2264-179-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-175-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-178-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-182-0x00007FFD96AC0000-0x00007FFD96AD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-184-0x00007FFD96AC0000-0x00007FFD96AD0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-176-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2264-177-0x00007FFD98C50000-0x00007FFD98C60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4716-239-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download

  • memory/4864-183-0x0000000000400000-0x00000000004C2000-memory.dmp

    Filesize

    776KB

    Download