xred | 60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3e

Analysis

max time kernel
111s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
submitted
02-10-2024 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
Size

3.8MB
MD5

b76ee79acb617308714ce10c9694aaf0
SHA1

96463bbfc64d062ae413944d54de71d032cfdb28
SHA256

60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3e
SHA512

0a1c786c5d89532378a74444c92cf30b3e9cdc2902d4a3db25a007f04c2a1ed5d2f8038fcf9ae44517035c94c09fbb039e86d5729e8f59e5fcbab3ad1ac77f04
SSDEEP

49152:RnsHyjtk2MYC5GDou5ThGzaxEueKvnGrskbj4Vp75Y:Rnsmtk2awTc8G3om

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2052	._cache_60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
2712	Synaptics.exe
2952	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
2712	Synaptics.exe
2712	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2500	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2500	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2052	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	30
PID 2384 wrote to memory of 2052	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	30
PID 2384 wrote to memory of 2052	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	30
PID 2384 wrote to memory of 2052	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	30
PID 2384 wrote to memory of 2712	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	31
PID 2384 wrote to memory of 2712	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	31
PID 2384 wrote to memory of 2712	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	31
PID 2384 wrote to memory of 2712	2384	60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe	31
PID 2712 wrote to memory of 2952	2712	Synaptics.exe	32
PID 2712 wrote to memory of 2952	2712	Synaptics.exe	32
PID 2712 wrote to memory of 2952	2712	Synaptics.exe	32
PID 2712 wrote to memory of 2952	2712	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
"C:\Users\Admin\AppData\Local\Temp\60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\._cache_60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2052
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2952

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.8MB

MD5
b76ee79acb617308714ce10c9694aaf0

SHA1
96463bbfc64d062ae413944d54de71d032cfdb28

SHA256
60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3e

SHA512
0a1c786c5d89532378a74444c92cf30b3e9cdc2902d4a3db25a007f04c2a1ed5d2f8038fcf9ae44517035c94c09fbb039e86d5729e8f59e5fcbab3ad1ac77f04

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_60e26db1295e76174_Url_3etqvddj31dkfvhpwqztan1krccnfjhm\1.2.1.0\0mdj3cgy.newcfg

Filesize
1KB

MD5
08db4071e3953bfed5cfe4775879f2f2

SHA1
838e599002ca3974c1f1b35daf5b58d18b5f419f

SHA256
6fe1f2c29e61ba25cbd59ffdd988a6f2a9c1a66de40be93bf32ae1d6be5b1919

SHA512
cba8ec11a755a97853b95b88d60b1488afd75012dd9d9971abbf816ae2d46b6f34b88394feb980f3067b5d2a8a50e597b6ec7f421823f1864144bad863c67486

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_60e26db1295e76174_Url_3etqvddj31dkfvhpwqztan1krccnfjhm\1.2.1.0\tg3qgio0.newcfg

Filesize
1KB

MD5
2c956fcc54c53d8406e46eb24755aa68

SHA1
27406ecb7bb1687c0584e2df958ec5bc809c0a31

SHA256
981b0d70904ecacd849a783b4a0d086186bd27c492d1866dd063773143dc37d6

SHA512
44fe228b4bd9a07661c8e18e5c7756641124ae68151230407e70fb64ca1190c5c3c388c826c1f5b71c34269b94fcf2b1aecd527b12338418e293d405dfa050b4

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_Synaptics.exe_Url_sb2tjvnwzjf0rfsnla5ifyr2upoucwrn\1.2.1.0\1ayj3hzs.newcfg

Filesize
1KB

MD5
3ea62c30c3928984b884572878793b79

SHA1
7affa7058101ba2a6f49bdfde7e822b08fc72bd6

SHA256
79e00e37d13bd0705ee72b44d8753e25673a9382443f6992ed2271d49771ff3f

SHA512
f28189829bd3c000bb0db66af98eafe03f99c7b3bf6ce70c4b84d1b5bdfafd3f90725e4fb17c91d3296237402bcbd6e9ab6a33e8637faf9342af20df948583c0

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_Synaptics.exe_Url_sb2tjvnwzjf0rfsnla5ifyr2upoucwrn\1.2.1.0\h1qskmvo.newcfg

Filesize
1KB

MD5
515a6495ab331fa1383ce7753c040988

SHA1
e55dc6f0b3666caafc8b6259ccb3381f3119aea7

SHA256
8841330a1bcbc4c413eb5ae8630f3be3eb92bc7dd38f4d5a21b0e086f5d037fd

SHA512
af138f9995f398da4ed05bbb92a1f043a19b60e2002860b6f34c701d788c36b3ccb35e8e6684fc7553c97f5f61529fd9651b6bea50411b97a89373b6e5dbcf7b

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_Synaptics.exe_Url_sb2tjvnwzjf0rfsnla5ifyr2upoucwrn\1.2.1.0\mpaqi1hc.newcfg

Filesize
943B

MD5
cfb32b6f8e8bb8381f0e3983c1dc0e38

SHA1
806770b83e32d682d6980b331666790b0a1732d4

SHA256
84a6fd1db7591dfdadcbf25bba043088be5077064d4e0f375769d38f2ad8d078

SHA512
a2722af3e4f6a92690a73e5e1a02445c84704d1db967ba1aa81a1b9ca77a25b9969b1d686fbb41c18330f4f568e2d7ab44d4af6890fd1385cbcf41ff1287c112

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_Synaptics.exe_Url_sb2tjvnwzjf0rfsnla5ifyr2upoucwrn\1.2.1.0\rsgzntwu.newcfg

Filesize
1KB

MD5
25f1c02a1633a51d564f4798f424748d

SHA1
356b9379a9ca7c7ca7b11bd8ec60c16127e4fd6e

SHA256
c94adb4d0178c01588106120c6d2fb320e6442490ec30c4e8da2eb69202da240

SHA512
95356a0b1d198456991bb80c1e9fb11f8e95ec794954a0c187af1036151be9a0d3911b9295c663bbc394541c53e60bc3862f41a702755b48ceef17ff597a5e2e

Download Submit
C:\Users\Admin\AppData\Local\StarJIeuSoft\._cache_Synaptics.exe_Url_sb2tjvnwzjf0rfsnla5ifyr2upoucwrn\1.2.1.0\user.config

Filesize
826B

MD5
1369b36b1e24dda53ab870bab91a9b7a

SHA1
94bbad89cabea6fd15a2152db076f03bc54c6c30

SHA256
105e6e88d2db4c7bcc084b871c03cf3fa8bbdc269a797b6c67cca65b2569fdee

SHA512
b4549c593051d0eaeb82b70ba21fbaf0b14b199148de8920d12efd2d395c5eac7a15fca0ff98f4e63a2da12cb4a52a7bebb4e182a0a2de6b72e2abeaebd86cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\evb9FCA.tmp

Filesize
1KB

MD5
548477e77506fedb57f141def1bcaaa1

SHA1
87653dd2952188b9aac16683e52bd9f8fca8374f

SHA256
3a6788e8d6124f16a3d0055a9ccbe4f1c9ff52521399a3353c62655a48a8f4ff

SHA512
ee4668ed7888b6d736a0b52f4af67a28466f479cc362284a395a11520f09063a1976e066bbc5be81a7687e2a461901f5e9a77e3d47961e517df9adff460d7513

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbA0A8.tmp

Filesize
1KB

MD5
b22174e3719df146c34a7f72b90e8a2c

SHA1
0d308a4b893d0cdfb9a69bcf4a34706d05099509

SHA256
8c1780596398390b142717b71cdf8876d316a714747fa97411d54a727360ea4a

SHA512
a82fb93fbdb6c4e48f667717af93e0bc71d33850e2721813ab39ab4795d0414efb89f28a01784611d693a085c2ceb3cb359182ce9aac053092162f2a2531d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbA0C9.tmp

Filesize
1KB

MD5
a00e689adbde24aeb5e7576664f99169

SHA1
84fd48e080e96f604e8c5f48bbea3536dc9b5ecb

SHA256
235dda27a44f482b2f045278bc40eb8abc07dc667b51b28991e97dc27c12a54d

SHA512
354743879e49ea223f423a846f86331bf58150f0b2f4408ccdd62b73dcec6bb5b2ac7a26c00cdf0dc5ed07d02b5dadb3f1c0430b5382e6b0943e44f44ceec129

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbA4A2.tmp

Filesize
1KB

MD5
085ab646e9983776b0f558885e4310ee

SHA1
b697c6620576e0d4d82f93c3baeeea39a10801f4

SHA256
c484f006e6ad0768d23bce6adf020c0ebf562bf4bb1a917de7ea5ad27a9fe6d5

SHA512
ef3ae2d29443aa419b71c64be1522f00bb87409483b60ff5dc39377e3237762c09b4feac6805e3249ffe895828cf79b0c316a17140e8eddaeb80b30dcf415d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lJIgfI8q.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\._cache_60e26db1295e761743202849b2fc4e658997e1d6e427336fcd2ebedb344f3c3eN.exe

Filesize
3.1MB

MD5
02512e38b0f784ebc127491794e6a238

SHA1
7a6e1e4c67cc88a36e6aec1cccd90d17d21be912

SHA256
5053526830ba1c5e84dda69646140fa85a293cd874c9c2f5ea13a31728ed29ab

SHA512
1515a51eef71814c0f7be05ee62b31734827fd28979eb9fd48f78b394bfc0df2e3d0a4ab5e472724111bc18a9cb0bf62ef7cb4f6346b85292e1e79ef980ebe75

Download Submit
memory/2052-111-0x0000000010000000-0x00000000100D0000-memory.dmp

Filesize
832KB

Download
memory/2052-120-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2052-90-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2052-293-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2052-292-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2052-117-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2052-290-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2052-112-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2052-18-0x0000000000400000-0x000000000047E000-memory.dmp

Filesize
504KB

Download
memory/2052-31-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2052-72-0x0000000010000000-0x00000000100D0000-memory.dmp

Filesize
832KB

Download
memory/2052-123-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/2052-77-0x0000000004BD0000-0x0000000004C16000-memory.dmp

Filesize
280KB

Download
memory/2384-0-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2384-28-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/2384-17-0x00000000041F0000-0x000000000426E000-memory.dmp

Filesize
504KB

Download
memory/2500-40-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2712-100-0x0000000004210000-0x000000000428E000-memory.dmp

Filesize
504KB

Download
memory/2712-310-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/2712-299-0x0000000000400000-0x00000000007DC000-memory.dmp

Filesize
3.9MB

Download
memory/2952-122-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download
memory/2952-118-0x0000000005710000-0x0000000005750000-memory.dmp

Filesize
256KB

Download
memory/2952-124-0x0000000005700000-0x0000000005746000-memory.dmp

Filesize
280KB

Download
memory/2952-64-0x0000000010000000-0x00000000100D0000-memory.dmp

Filesize
832KB

Download
memory/2952-94-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2952-291-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2952-113-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2952-114-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2952-206-0x0000000011000000-0x0000000011156000-memory.dmp

Filesize
1.3MB

Download
memory/2952-202-0x000000003B200000-0x000000003B210000-memory.dmp

Filesize
64KB

Download
memory/2952-121-0x00000000059F0000-0x00000000059FA000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads