xred | 2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e

Analysis

max time kernel
112s
max time network
102s
platform
windows7_x64
resource
win7-20241010-en
submitted
15/10/2024, 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
Size

1.5MB
MD5

9f7a3c3256e066947edd71c6abf7b700
SHA1

a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4
SHA256

2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e
SHA512

4c799f788a811b8b16b8cebb5de740d5853e58f05b0b7115cd5ae5547797de805df8d335ea3c18442a4a5509a20048c91f43ff15a78d7747a30f848f95d80c40
SSDEEP

24576:UnsJ39LyjbJkQFMhmC+6GD94vd6CY55xx1rhaWXET2Tr+uf3EKmnx:UnsHyjtk2MYC5GD7xO72TF3EKmnx

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0006000000019515-83.dat

Executes dropped EXE 3 IoCs

pid	Process
2532	._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
2952	Synaptics.exe
2224	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
2952	Synaptics.exe
2952	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2712	EXCEL.EXE

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2532	._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
2224	._cache_Synaptics.exe
2712	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 2532	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	29
PID 2104 wrote to memory of 2532	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	29
PID 2104 wrote to memory of 2532	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	29
PID 2104 wrote to memory of 2532	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	29
PID 2104 wrote to memory of 2952	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	30
PID 2104 wrote to memory of 2952	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	30
PID 2104 wrote to memory of 2952	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	30
PID 2104 wrote to memory of 2952	2104	2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe	30
PID 2952 wrote to memory of 2224	2952	Synaptics.exe	31
PID 2952 wrote to memory of 2224	2952	Synaptics.exe	31
PID 2952 wrote to memory of 2224	2952	Synaptics.exe	31
PID 2952 wrote to memory of 2224	2952	Synaptics.exe	31

C:\Users\Admin\AppData\Local\Temp\2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
"C:\Users\Admin\AppData\Local\Temp\2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2532
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2224

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.5MB

MD5
9f7a3c3256e066947edd71c6abf7b700

SHA1
a297cfefa3b4d541d2a6e3ed8f8424e3bb2642f4

SHA256
2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0e

SHA512
4c799f788a811b8b16b8cebb5de740d5853e58f05b0b7115cd5ae5547797de805df8d335ea3c18442a4a5509a20048c91f43ff15a78d7747a30f848f95d80c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

Filesize
25KB

MD5
b3c9162c2f96b23a18d3affd701fcdff

SHA1
462bdb0cba00867b30b42443c2a28b206178e611

SHA256
48319e699d7c258812263f0a967f843fcaa73c706e6493a816b4c180bd6e8b1b

SHA512
52284f679ca1e2f9e36ffc9e75f335841cde704e229c8989d1cf5659883b27f2c93d282b59472b0a77dbad016985bb432f453ff03bfe0d631d4aaba448a650d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

Filesize
28KB

MD5
03d35873d1eea73777654453031c23c5

SHA1
6801964b2db5de9d8f392c77d4e6aa2956f3ea10

SHA256
3e5e9eb84d4f97eddc777bb221566feaa1ee9cc8136a8d9c3d0939b6c3d6ca50

SHA512
46b71fe48875d328bd380f6558f47e9da1b689f469e548675c27bc36ab86c2a194525b7ccb29827ff35aca32a63cc35bdf9562547f2954e688c438d6cbc81e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

Filesize
28KB

MD5
f1725c0d786133248310a47c6d0a79c7

SHA1
b6c8dfcafa8efc80c5b5bad59ccce99e2293c14a

SHA256
43e9d4ea01a9efd8a1f33c969c0d9dc5a8cd6ec46b59346f0542fb8c73c740be

SHA512
de99a436e775732acb21eb907f2be8733e530037b210ed01a857901baa2609d758f24edf6a8459976b1d4bd09eea9a24a6741b88bccb7144b67c79518ee922b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

Filesize
30KB

MD5
7dd5d9edc5f9e5eee315d272e8941208

SHA1
1c247b3d4cc11cd989b5ffe658ce01ea68e9bafe

SHA256
34f10f419ddb7b4891cba60e3dcaee8c645cfd3b7a4452ab3f9d32eb45f053ac

SHA512
4e296c1fb1e3609435b0c40ced7dfd928ab8f2cdcc18f09849c1602a20f62f234a6f1401b615f6f442f2ce4be1c070a02951fe7503d7ff400f0ea9343360bdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

Filesize
27KB

MD5
50b7bfbd247f19a47a166d97ae12b16a

SHA1
76cc7ebc80f7b8634990bb56c0f491057ce6618c

SHA256
b0216b70ab5ae233df843d3da7f8e88639c4d571a6ffca558d843ac8885eab18

SHA512
ab2bc2ae57e0f6e208f78bcd7ded3f150b7d10451f0f4e3dc3a1e28a4867fa9e913d2251aa014f25b5e6b7fb8bd48c6b6fc58591d419ebfef23f6fc90adbbc3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\5HGZGzfr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Desktop\~$GrantSync.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2ddea998a8849db9d7b61f7b9bf65f154bd350f4c779a2710b3bd75f3976cf0eN.exe

Filesize
819KB

MD5
34b9d1b339abb10378640ed848577b08

SHA1
42614668fe79692789338895df82721fbbeac376

SHA256
3f08a7361b2d7964392f23a7d40fdda17aa525ad3d0f1bf68a4906a0fcb451c7

SHA512
9e5a6a2be9c31984a08c83bbe0ba71bc70a2321a7c1e69432cdb695c46a62d7180dcf4aa92622d74cb1a7684259ffb5c77f2b5212a0187a03531c86fadfa0446

Download Submit
memory/2104-25-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2104-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2712-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2952-124-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2952-125-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2952-147-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download
memory/2952-155-0x0000000000400000-0x000000000058F000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads