xred | 10416b8b2519ca56e4d81576f492dae3b670fbb1e54ead4234b5415c5e0dcc35

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Spotify.exe
Size

8.6MB
MD5

1ea664910e4d4231ed21f59af15bea5f
SHA1

563660e175cf56eaeeb34bb723a7f1b0297aa4b2
SHA256

10416b8b2519ca56e4d81576f492dae3b670fbb1e54ead4234b5415c5e0dcc35
SHA512

636b9cb78ff616159fb74084e9d0af29a2660465faf4901954b72fb3c9f950567b8adc0e6aca78c510a03793b3b1d4fa31c7e2ea5ce517c1981016f6d4a5a298
SSDEEP

196608:iLGgQdj4O9LgRRHG94UEbrURbsvnEJlQ9aNx1pLrB:iCdX2RRmqUEbwRbsvnIG92x1B1

Score

10^/10

xred backdoor discovery macro persistence upx

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\r354FYpZ.xlsm

Executes dropped EXE 9 IoCs

Processes:

._cache_Spotify.exeSynaptics.exe._cache_Synaptics.exeBuilt.exeSteam.exeBuilt.exeBuilt.exeSteam.exeBuilt.exe

pid	process
2820	._cache_Spotify.exe
2680	Synaptics.exe
2196	._cache_Synaptics.exe
1528	Built.exe
2184	Steam.exe
2776	Built.exe
3020	Built.exe
844	Steam.exe
828	Built.exe

Loads dropped DLL 16 IoCs

Processes:

Spotify.exeSynaptics.exe._cache_Spotify.exeBuilt.exeBuilt.exe._cache_Synaptics.exeBuilt.exeBuilt.exe

pid	process
2128	Spotify.exe
2128	Spotify.exe
2128	Spotify.exe
2680	Synaptics.exe
2680	Synaptics.exe
2820	._cache_Spotify.exe
2820	._cache_Spotify.exe
2144
1528	Built.exe
2776	Built.exe
2196	._cache_Synaptics.exe
2196	._cache_Synaptics.exe
2468
3020	Built.exe
828	Built.exe
1252

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Spotify.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Spotify.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\_MEI15282\python311.dll	upx
behavioral1/memory/2776-77-0x000007FEF2420000-0x000007FEF2A08000-memory.dmp	upx
behavioral1/memory/828-172-0x000007FEF11F0000-0x000007FEF17D8000-memory.dmp	upx
behavioral1/memory/2776-175-0x000007FEF2420000-0x000007FEF2A08000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Spotify.exeSynaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Spotify.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1988 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1988 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1988	EXCEL.EXE

pid	process
1988	EXCEL.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

Spotify.exeSynaptics.exe._cache_Spotify.exeBuilt.exe._cache_Synaptics.exeBuilt.exe

description	pid	process	target process
PID 2128 wrote to memory of 2820	2128	Spotify.exe	._cache_Spotify.exe
PID 2128 wrote to memory of 2820	2128	Spotify.exe	._cache_Spotify.exe
PID 2128 wrote to memory of 2820	2128	Spotify.exe	._cache_Spotify.exe
PID 2128 wrote to memory of 2820	2128	Spotify.exe	._cache_Spotify.exe
PID 2128 wrote to memory of 2680	2128	Spotify.exe	Synaptics.exe
PID 2128 wrote to memory of 2680	2128	Spotify.exe	Synaptics.exe
PID 2128 wrote to memory of 2680	2128	Spotify.exe	Synaptics.exe
PID 2128 wrote to memory of 2680	2128	Spotify.exe	Synaptics.exe
PID 2680 wrote to memory of 2196	2680	Synaptics.exe	._cache_Synaptics.exe
PID 2680 wrote to memory of 2196	2680	Synaptics.exe	._cache_Synaptics.exe
PID 2680 wrote to memory of 2196	2680	Synaptics.exe	._cache_Synaptics.exe
PID 2680 wrote to memory of 2196	2680	Synaptics.exe	._cache_Synaptics.exe
PID 2820 wrote to memory of 1528	2820	._cache_Spotify.exe	Built.exe
PID 2820 wrote to memory of 1528	2820	._cache_Spotify.exe	Built.exe
PID 2820 wrote to memory of 1528	2820	._cache_Spotify.exe	Built.exe
PID 2820 wrote to memory of 2184	2820	._cache_Spotify.exe	Steam.exe
PID 2820 wrote to memory of 2184	2820	._cache_Spotify.exe	Steam.exe
PID 2820 wrote to memory of 2184	2820	._cache_Spotify.exe	Steam.exe
PID 1528 wrote to memory of 2776	1528	Built.exe	Built.exe
PID 1528 wrote to memory of 2776	1528	Built.exe	Built.exe
PID 1528 wrote to memory of 2776	1528	Built.exe	Built.exe
PID 2196 wrote to memory of 3020	2196	._cache_Synaptics.exe	Built.exe
PID 2196 wrote to memory of 3020	2196	._cache_Synaptics.exe	Built.exe
PID 2196 wrote to memory of 3020	2196	._cache_Synaptics.exe	Built.exe
PID 2196 wrote to memory of 844	2196	._cache_Synaptics.exe	Steam.exe
PID 2196 wrote to memory of 844	2196	._cache_Synaptics.exe	Steam.exe
PID 2196 wrote to memory of 844	2196	._cache_Synaptics.exe	Steam.exe
PID 3020 wrote to memory of 828	3020	Built.exe	Built.exe
PID 3020 wrote to memory of 828	3020	Built.exe	Built.exe
PID 3020 wrote to memory of 828	3020	Built.exe	Built.exe

C:\Users\Admin\AppData\Local\Temp\Spotify.exe
"C:\Users\Admin\AppData\Local\Temp\Spotify.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\Users\Admin\AppData\Local\Temp\._cache_Spotify.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Spotify.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Users\Admin\AppData\Local\Temp\Built.exe
    "C:\Users\Admin\AppData\Local\Temp\Built.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2776
- - C:\Users\Admin\AppData\Local\Temp\Steam.exe
    "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
    3⤵
    - Executes dropped EXE
    PID:2184
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\Built.exe
      "C:\Users\Admin\AppData\Local\Temp\Built.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:3020
    - - C:\Users\Admin\AppData\Local\Temp\Built.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Built.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:828
  - - C:\Users\Admin\AppData\Local\Temp\Steam.exe
      "C:\Users\Admin\AppData\Local\Temp\Steam.exe"
      4⤵
      Executes dropped EXE
      PID:844

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.6MB

MD5
1ea664910e4d4231ed21f59af15bea5f

SHA1
563660e175cf56eaeeb34bb723a7f1b0297aa4b2

SHA256
10416b8b2519ca56e4d81576f492dae3b670fbb1e54ead4234b5415c5e0dcc35

SHA512
636b9cb78ff616159fb74084e9d0af29a2660465faf4901954b72fb3c9f950567b8adc0e6aca78c510a03793b3b1d4fa31c7e2ea5ce517c1981016f6d4a5a298

Download Submit
C:\Users\Admin\AppData\Local\Temp\Built.exe

Filesize
7.0MB

MD5
94673f653706da9ebbd93580d287cc80

SHA1
9bfb2607d5da3d14b3b56c1aa2a7b65e1940dfa7

SHA256
8f41839c2a8a80984e95a7d8dd037f777aeebc72fc134ce4eb487b909f501603

SHA512
3a09df96d6434c53e925f9fc667ea896b49664c7e44e7b76a88460953b011450d3ebe3144296dac0f86412bbcdfbdc011178abf193c5f0b3524c1860b8a878ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15282\python311.dll

Filesize
1.6MB

MD5
bb46b85029b543b70276ad8e4c238799

SHA1
123bdcd9eebcac1ec0fd2764a37e5e5476bb0c1c

SHA256
72c24e1db1ba4df791720a93ca9502d77c3738eebf8b9092a5d82aa8d80121d0

SHA512
5e993617509c1cf434938d6a467eb0494e04580ad242535a04937f7c174d429da70a6e71792fc3de69e103ffc5d9de51d29001a4df528cfffefdaa2cef4eaf31

Download Submit
C:\Users\Admin\AppData\Local\Temp\r354FYpZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\r354FYpZ.xlsm

Filesize
23KB

MD5
eb90a517d74c6f90d09f773de4b30f28

SHA1
5846522c1d0535f6b937de050ab03cc864f144be

SHA256
9636c8932c8f1cbc53f29d054c7ce9be290c0ac5a0f5cc940c1314577a7f5c8c

SHA512
2f58bc7766774d1986d444fb7fdafb3fcee8347108e2f881c191905f0997ecf2f656cbf02989db6404db784a1e6041f49694baf35964fbab0b42879c8c33135a

Download Submit
C:\Users\Admin\AppData\Local\Temp\r354FYpZ.xlsm

Filesize
26KB

MD5
7e4e432defc4379da2d1aa382081cabe

SHA1
eef1182f9752f2629d4d4af023e95b0b7da1c232

SHA256
eb082386061217d2e9435b66b90464b058a511832047b0e48b4a1fc8a6ab507b

SHA512
32b0d8999f93877fb12ebcf260f7f494f85081c22aed39320dada1c10ef2b2e9cbdabe050ddc64b96c5d5e412e77f3656b3a952dd0e847cfb2fbdaeff1cc14b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\r354FYpZ.xlsm

Filesize
24KB

MD5
d3c4bdf19cd3e482c860bdf89a302644

SHA1
28d91ede89b4bf5fb02aab1f3230d22e8ad993c3

SHA256
68fd7d529795bdf76a9fcfc74d4f3194b891b17b0d6336f6dbd8105510f91ef4

SHA512
2ced859768317737a0e3bd377b88fd3d4dd5ae19e183004dd83b24a67453a95a57f572dbd3d55896d609c1f7296a9c0284bc57811a65ac75768c33110cde7973

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Spotify.exe

Filesize
7.9MB

MD5
d875b17674953b2d6fc177f79b78d69a

SHA1
9479d37846ed4e878fcae093f3ff49f251851170

SHA256
d4053edc79ee84fe374bb91a8a1333f3c9a820d99fad6ca8cb1cf20d32992417

SHA512
49bff4e09f92ecca0aeefe58475e14a4b2a316efb74e66bda3902b3a642dc286f76fdc7a7bd06914833887f2559ba38e5f9390fc6c35542219b7cd021f92c378

Download Submit
\Users\Admin\AppData\Local\Temp\Steam.exe

Filesize
1.9MB

MD5
291b959ce9e5db92aa7d05058250973b

SHA1
f05b3a703f927c223c855ce77c54ebf710aaaafa

SHA256
3adf610438ab160f3fdceb70deb6c0806855cc99a8e5c5c525151b5638f0b066

SHA512
8880846d6b9b67201daca9ecee98f4c9c05d12c1f90a7e409dc6057898aaf8a99391cb9a2024e2384ac77ece54d85f84d549bde82770924f733a24c64969d752

Download Submit
memory/828-172-0x000007FEF11F0000-0x000007FEF17D8000-memory.dmp

Filesize
5.9MB

Download
memory/1988-140-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1988-67-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2128-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2128-26-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2196-38-0x00000000011F0000-0x00000000019DC000-memory.dmp

Filesize
7.9MB

Download
memory/2680-173-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2680-216-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2680-250-0x0000000000400000-0x0000000000CA9000-memory.dmp

Filesize
8.7MB

Download
memory/2776-77-0x000007FEF2420000-0x000007FEF2A08000-memory.dmp

Filesize
5.9MB

Download
memory/2776-175-0x000007FEF2420000-0x000007FEF2A08000-memory.dmp

Filesize
5.9MB

Download
memory/2820-17-0x00000000009A0000-0x000000000118C000-memory.dmp

Filesize
7.9MB

Download