xred | dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06

Analysis

max time kernel
117s
max time network
105s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-11-2024 23:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
Size

1.3MB
MD5

0a4fa68b65129d54274032ef78bcee90
SHA1

ae9f495dda5b693c5941510a5ce5dbec9aa7c605
SHA256

dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06
SHA512

716e78782f31d1bb99c5eae1af575a4f28c9bf34ab6b447c5e5291ef1cd04f309c504658b3fbdd7d3ed7fc90cb5c8446c75e312351978831fd95cf3e04130387
SSDEEP

24576:5nsJ39LyjbJkQFMhmC+6GD9v20DvYefzxB0YAEFgXC75ld1qSVpcqE:5nsHyjtk2MYC5GDB24fJd1qapcqE

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 6 IoCs

pid	Process
2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
2716	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
2888	Synaptics.exe
2624	._cache_Synaptics.exe
3068	._cache_Synaptics.tmp
1288	ChecksumCalculator.exe

Loads dropped DLL 14 IoCs

pid	Process
3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
2716	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
2716	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
2888	Synaptics.exe
2888	Synaptics.exe
2624	._cache_Synaptics.exe
3068	._cache_Synaptics.tmp
3068	._cache_Synaptics.tmp
3068	._cache_Synaptics.tmp
3068	._cache_Synaptics.tmp
3068	._cache_Synaptics.tmp

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Checksum Calculator\unins000.dat	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\Checksum Calculator\is-HTVOL.tmp	._cache_Synaptics.tmp
File created	C:\Program Files (x86)\Checksum Calculator\is-QF32O.tmp	._cache_Synaptics.tmp
File opened for modification	C:\Program Files (x86)\Checksum Calculator\unins000.dat	._cache_Synaptics.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ChecksumCalculator.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1852	EXCEL.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3068	._cache_Synaptics.tmp
2716	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1852	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 3044 wrote to memory of 2388	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	30
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 2388 wrote to memory of 2716	2388	._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	31
PID 3044 wrote to memory of 2888	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	32
PID 3044 wrote to memory of 2888	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	32
PID 3044 wrote to memory of 2888	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	32
PID 3044 wrote to memory of 2888	3044	dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe	32
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2888 wrote to memory of 2624	2888	Synaptics.exe	33
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 2624 wrote to memory of 3068	2624	._cache_Synaptics.exe	35
PID 3068 wrote to memory of 1288	3068	._cache_Synaptics.tmp	38
PID 3068 wrote to memory of 1288	3068	._cache_Synaptics.tmp	38
PID 3068 wrote to memory of 1288	3068	._cache_Synaptics.tmp	38
PID 3068 wrote to memory of 1288	3068	._cache_Synaptics.tmp	38

C:\Users\Admin\AppData\Local\Temp\dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
"C:\Users\Admin\AppData\Local\Temp\dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Users\Admin\AppData\Local\Temp\is-3VSCK.tmp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-3VSCK.tmp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp" /SL5="$7011C,337902,54272,C:\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:2716
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\Users\Admin\AppData\Local\Temp\is-B0O6S.tmp\._cache_Synaptics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-B0O6S.tmp\._cache_Synaptics.tmp" /SL5="$40188,337902,54272,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:3068
    - - C:\Program Files (x86)\Checksum Calculator\ChecksumCalculator.exe
        
        "C:\Program Files (x86)\Checksum Calculator\ChecksumCalculator.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1288

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
0a4fa68b65129d54274032ef78bcee90

SHA1
ae9f495dda5b693c5941510a5ce5dbec9aa7c605

SHA256
dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06

SHA512
716e78782f31d1bb99c5eae1af575a4f28c9bf34ab6b447c5e5291ef1cd04f309c504658b3fbdd7d3ed7fc90cb5c8446c75e312351978831fd95cf3e04130387

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZaeDMjF5.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
\Program Files (x86)\Checksum Calculator\ChecksumCalculator.exe

Filesize
894KB

MD5
57dea2fb7ccdeb6acf05d55c5ac051d3

SHA1
72b643e0463e79ee9795a4ba450bc6dadb6a6e17

SHA256
57fb00a72c2791f3b9711d032710f851b4b7b33349939d958b1e03e5a727d821

SHA512
8260a8abe4b5dfba230bd7c14ff4181c9e26f1dd1d39636ab424ea652b2089b732b0ab099478354bfe40457f9cdc3974c24ea50492c667c903baf162e0c34cb2

Download Submit
\Program Files (x86)\Checksum Calculator\unins000.exe

Filesize
705KB

MD5
f67c139adf91e12fd1af5fc775b31e42

SHA1
d6dd484ea381972c275f9a119743af563cc526c3

SHA256
c86e42c056af7aa54245260e83b9ea6a3a28c87a95edce681f001769bf10ccde

SHA512
a2cb1253d9e034b0f78d2068c843df3cb47da7a7f9f6371f93846c842b338e22c8e1454cbc3246f5ad874ef166b06ca25d4c6839af1b918d3a5815fb36a869a1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.exe

Filesize
568KB

MD5
bdee7c2788baebdf4c5a217d5c388732

SHA1
753b24b1557e53cfe3ccf4b4c8adb72c30ac1aca

SHA256
6b3b44ee73983bf60a66c82d0f274002708a99abd9cdb23a9d237c03b5e711d1

SHA512
342af8a8273a629d51255d98a3cbd39cb5aa8bd590d77f44c491b084b1ebd7d2cf011e0184f8eefa6b6bdcfcf25e6c99effca42e687ccf3c028b875aa0fd7c52

Download Submit
\Users\Admin\AppData\Local\Temp\is-3VSCK.tmp\._cache_dd09ce363101ef13dc72fe7ae9d5731eed2777f248eec37d87bd1efbd3c91a06N.tmp

Filesize
695KB

MD5
620f32e56b46e90e8aee43febc59f6e3

SHA1
d5edd63dd1390a1420b85f746e12a66625ae9354

SHA256
bcc9d63213012bf25a37f48015e5f755d359f3b08d05d35319b03b4a72710730

SHA512
8a9d2a2eb3891265cec379978399ad6c9b4bf3e12e0f381946b4390621b943b97fa04fbb87ad628652bd765b706eb2ff56001f24de24e9bcc487a59ca2f07d9c

Download Submit
\Users\Admin\AppData\Local\Temp\is-MIT9D.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1288-113-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1288-152-0x0000000000400000-0x00000000004F2000-memory.dmp

Filesize
968KB

Download
memory/1852-66-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2388-119-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-17-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2388-20-0x0000000000401000-0x000000000040B000-memory.dmp

Filesize
40KB

Download
memory/2624-51-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2624-73-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2624-109-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/2716-99-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2716-111-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2716-76-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2716-117-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2716-71-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2888-77-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2888-151-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/2888-72-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3044-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3044-40-0x0000000000400000-0x0000000000550000-memory.dmp

Filesize
1.3MB

Download
memory/3068-74-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3068-108-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3068-102-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3068-79-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads