xred | 2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62

Analysis

max time kernel
112s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 06:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
Size

5.5MB
MD5

e58431edd035d2f5a786ec9993b8555c
SHA1

544393fa9d10a3193ddf5915db56ad30ed97b52d
SHA256

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62
SHA512

fa0664e986843854009fede33d9627914abb9fa6d78ca655b00f3004548da41cd4a9e3d09d54e1d9d916206d7be7c1db6f4d63c80d8744cc7d3e8d34b8730e2e
SSDEEP

98304:Ansmtk2aOJMasUKfDKGn/rhbyxZ2702rpA8h0N6Uabhtib7HOWXhXAz0GpEtS5dO:eL5Ca6PjgK1ATYkrRGX5dh8

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exeSynaptics.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2212	._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
4108	Synaptics.exe
5060	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 1 IoCs

Processes:

._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe

description	ioc	Process
File created	C:\Program Files (x86)\Mixesoft\FastSatfinder\2x\Uninstall.ini	._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exeSynaptics.exe._cache_Synaptics.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

Processes:

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exeSynaptics.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
872	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

EXCEL.EXE

pid	Process
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE
872	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exeSynaptics.exe

description	pid	Process	procid_target
PID 3372 wrote to memory of 2212	3372	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe	86
PID 3372 wrote to memory of 2212	3372	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe	86
PID 3372 wrote to memory of 2212	3372	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe	86
PID 3372 wrote to memory of 4108	3372	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe	87
PID 3372 wrote to memory of 4108	3372	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe	87
PID 3372 wrote to memory of 4108	3372	2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe	87
PID 4108 wrote to memory of 5060	4108	Synaptics.exe	89
PID 4108 wrote to memory of 5060	4108	Synaptics.exe	89
PID 4108 wrote to memory of 5060	4108	Synaptics.exe	89

C:\Users\Admin\AppData\Local\Temp\2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
"C:\Users\Admin\AppData\Local\Temp\2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3372
- C:\Users\Admin\AppData\Local\Temp\._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  PID:2212
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4108
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5060

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
5.5MB

MD5
e58431edd035d2f5a786ec9993b8555c

SHA1
544393fa9d10a3193ddf5915db56ad30ed97b52d

SHA256
2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62

SHA512
fa0664e986843854009fede33d9627914abb9fa6d78ca655b00f3004548da41cd4a9e3d09d54e1d9d916206d7be7c1db6f4d63c80d8744cc7d3e8d34b8730e2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\15.tmp

Filesize
2KB

MD5
7ba60a716ad440f34ae6a54f9b455e35

SHA1
228b983184e47f3a8ff2c3c584cdcc9ca50591a6

SHA256
8e8611b30d161a2144d510b352fd985d88681d70e3bf87a361769cd9c78df9f4

SHA512
93c63448d5c9c2ffd50e3c9ff8edfac9c5f90e34569e64343a3f5d45e57dcdfc4586643d0bfdf9310688ec39a433fc94dc77f7cd3792f2be538e2e625a21c207

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\2.tmp

Filesize
34KB

MD5
2e3f83afe22f699428a2d2ca1bb2b98b

SHA1
cfa105bb8302813adaa9b295594d85420ed970cb

SHA256
3e72408bf6ef7e58f29d1bcc7e319504afa67fa6c3e90591d2d8194b5f82cc6a

SHA512
0614755d2699bfde7fa62525b89a7b56048b55b28084278b4745b22c6c794417f5a776f81b4d1553d223fa14767153b9edbf1a71d7680c329da485752bc63189

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\4.tmp

Filesize
9KB

MD5
20c9f69bb44279a820e969c260437627

SHA1
c0f393858fe2b6d265bfef998cb3e4f45e5d794e

SHA256
62b312dc745cff4aa1ac8e267ee19c55540bed90d3a66901a8b621b11aec0858

SHA512
4887486c1f8949f3a0bacf27e4ce40d58a7c2d5e294a6a53326be71246df293c9bf5c902a28a199fe28ec699b87f068b77a7e6b3a2055c572a55c95965a337dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\5.tmp

Filesize
51KB

MD5
ab2021e67e0e08657288d880abfbaa72

SHA1
ffcf7956d5aaad47f4801b32b5fc893dc78a6dbc

SHA256
331d997e586cba40d4da0587887fc4caa4cc44e53421737dafa67e67445e6753

SHA512
e2975814169efe247b2f8954d60f331eea9340419f96255e4d0ce3c19ff9ddd3b98ec87f51d73ce3dae045142c2c40e600ad7d5dca3eeb156e038eba1a21bac9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\7.tmp

Filesize
6KB

MD5
420aee57b5e083d256d28e45ef887adb

SHA1
39f58e11b68f13932217b98672c4f33adc353be8

SHA256
1efb1a8831f68b443a3e3a06599e914162dc1a9b1b8f9ebc8020b40b72bbfb80

SHA512
76ae5dbb4aa3baf1df3e5684855ece03cd7693698b993a40da579c78c4cf9ba3dc4baaf699933d4bf56eca12ea2847b02f997d5d8ab8e5f267d5f4d6634a52cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\$inst\8.tmp

Filesize
6KB

MD5
cdfb00ba27ddc4f0649bb274bce55774

SHA1
ede9f6eaeb205e5cd184c0a99a551e77fd362da6

SHA256
00a49eebe20548de2aa3de3594b323d689e6467cbb63a4791604f4f82fe7360f

SHA512
3de2904239fa5223f9dd8ba98d01441e34d692e8706ddacca5d79e712948dccc2785a6326c3b4752357bb7d1852ecf60da4f981e0945c162f06801645a486570

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2449a3241263cfe54805680acbcd46933369ec2af7124a610aa2808967605c62.exe

Filesize
4.7MB

MD5
4fc62e075c53003feb22656b1ce11714

SHA1
c97a92a7bcf15571be8a0e6ef900f33627dd895e

SHA256
9663474b95fdb46ab5b809469443bb5068760b10e70d75cedddff26ec2ca88de

SHA512
ed81e35c2487cff9de23c9ae6628cb1f52948ad94e566ece8a7c067a8967dcb978d69baa0bc8e5b4a7098576cc5e847475c04202333bdb24ad1b73123d33b72b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rx8eM45c.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
memory/872-191-0x00007FF8C2310000-0x00007FF8C2320000-memory.dmp

Filesize
64KB

Download
memory/872-190-0x00007FF8C2310000-0x00007FF8C2320000-memory.dmp

Filesize
64KB

Download
memory/872-192-0x00007FF8C2310000-0x00007FF8C2320000-memory.dmp

Filesize
64KB

Download
memory/872-189-0x00007FF8C2310000-0x00007FF8C2320000-memory.dmp

Filesize
64KB

Download
memory/872-188-0x00007FF8C2310000-0x00007FF8C2320000-memory.dmp

Filesize
64KB

Download
memory/872-193-0x00007FF8BFE00000-0x00007FF8BFE10000-memory.dmp

Filesize
64KB

Download
memory/872-194-0x00007FF8BFE00000-0x00007FF8BFE10000-memory.dmp

Filesize
64KB

Download
memory/2212-210-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2212-220-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2212-214-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2212-212-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/2212-204-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download
memory/3372-0-0x0000000000B60000-0x0000000000B61000-memory.dmp

Filesize
4KB

Download
memory/3372-119-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/4108-205-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/4108-206-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4108-120-0x0000000000C30000-0x0000000000C31000-memory.dmp

Filesize
4KB

Download
memory/4108-221-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/4108-245-0x0000000000400000-0x0000000000980000-memory.dmp

Filesize
5.5MB

Download
memory/5060-187-0x0000000000400000-0x0000000000425000-memory.dmp

Filesize
148KB

Download