xred | f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125

Analysis

max time kernel
110s
max time network
114s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20/11/2024, 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
Size

833KB
MD5

d436555c9380439467ce75d4680c4c67
SHA1

080769a516e631aba3506982f9cf85c4a321eb52
SHA256

f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125
SHA512

f576fcb2c46c27144cf5d10d3577b28578f30f238315bef2cfa18d0dd2ca6c7972cc82e9f6833053a20e250c9f469b8af3d1e5545f5528265a8938d4cf3147a0
SSDEEP

12288:hMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9s4wavz:hnsJ39LyjbJkQFMhmC+6GD9nwaL

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2308	._cache_f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
2792	Synaptics.exe
2840	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
2792	Synaptics.exe
2792	Synaptics.exe
2792	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2640	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2640	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3000 wrote to memory of 2308	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	30
PID 3000 wrote to memory of 2308	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	30
PID 3000 wrote to memory of 2308	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	30
PID 3000 wrote to memory of 2308	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	30
PID 3000 wrote to memory of 2792	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	31
PID 3000 wrote to memory of 2792	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	31
PID 3000 wrote to memory of 2792	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	31
PID 3000 wrote to memory of 2792	3000	f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe	31
PID 2792 wrote to memory of 2840	2792	Synaptics.exe	32
PID 2792 wrote to memory of 2840	2792	Synaptics.exe	32
PID 2792 wrote to memory of 2840	2792	Synaptics.exe	32
PID 2792 wrote to memory of 2840	2792	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
"C:\Users\Admin\AppData\Local\Temp\f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3000
- C:\Users\Admin\AppData\Local\Temp\._cache_f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe"
  2⤵
  - Executes dropped EXE
  PID:2308
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2840

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
833KB

MD5
d436555c9380439467ce75d4680c4c67

SHA1
080769a516e631aba3506982f9cf85c4a321eb52

SHA256
f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125

SHA512
f576fcb2c46c27144cf5d10d3577b28578f30f238315bef2cfa18d0dd2ca6c7972cc82e9f6833053a20e250c9f469b8af3d1e5545f5528265a8938d4cf3147a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZ2dgxAH.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZ2dgxAH.xlsm

Filesize
25KB

MD5
2b8d56bf742ff3d8b81cf69340146dec

SHA1
b8a20c9c7bf274fa583245b7b96c8f749f710038

SHA256
be4ad4e6aeb2cc114caba17afae9f20d8462d607ae28816ef795510836fe4029

SHA512
f8e3b699adf4242efb6b5cec3cfd04ae3bf1adb51c9cba6cf5670ec40bbd03f438d1e12b891f2c4f4a58f556be5400d9f2e3c58c9d065625cb4ad6bebc80eb22

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZ2dgxAH.xlsm

Filesize
23KB

MD5
39458f013745592fe1e6d70430a030f6

SHA1
d5e416a6b9d55819274ced4afb156547bc32cbe2

SHA256
9bb59d269d68fc91bf8fa8f0d82e2398b09cc148a216ebd63a1ba7e24a24616f

SHA512
ebac8e853dfebd38a01c0b33de3925d347dd0a14630ab9b6fd5e3ea56c8dc857f99a3f041f1fcaf47424a9ce294ffbbe8bc5a989785b3c8bfaa0b42262c5fdf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZ2dgxAH.xlsm

Filesize
21KB

MD5
9a55f77c5f49a0ac5e9aaed481e82307

SHA1
fda87c77bdd4112c9557354e43aed2dda84fe535

SHA256
58a96c09232a5e873e1f86e9e07ddc831745700f7104fcd5e31d437527de30c6

SHA512
cb4b7b09c4df9701dff0577e34c2cb110fa0070c42851efe996b005c048c266d774c4b35b4210d3734bf2cff6644f53852b443a69eae308e6ade3fa36b7522cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZ2dgxAH.xlsm

Filesize
21KB

MD5
c7283ee84f88641d3159ffbfc55a30f2

SHA1
f56be981526fe1fe7c6e6719c8e72dc0ccf922a9

SHA256
91a6de36f61eeb2420f34ee80dd972f9450c5eedae7834b582a8604793144090

SHA512
2025db1200b2731782e678bae3acf030c9d60c6419994d3c1458f7e6ee6e8f7f0c10b479a73622165be6cf5178eb6e5c21bb5b454c5769ec701e2bbdcbc64211

Download Submit
C:\Users\Admin\AppData\Local\Temp\mZ2dgxAH.xlsm

Filesize
26KB

MD5
9ac3035b509b6a7fdc414bab44324235

SHA1
7da6ff354437cff4e51e6945ab4da52c750a3a94

SHA256
22190af24597ca6a128d580c9079faea4d3272b92f09402c0767205bde9fea52

SHA512
78682586ab6787890084be16e117df40552c23c519fa22899c0a3e59f2efa5b95a65d5d413616508ba473a9869855c3ffb92b674ff4b4b021b2b162eb7eb46fa

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_f41df3607435485a64b549c85d597f9b528986c6924bb4923e64e159cb354125.exe

Filesize
80KB

MD5
a087f01b97ea6321858980fe24abe57a

SHA1
ef35aeac260b667eafb3d77ed36cedbd230b5ae9

SHA256
4455d735c4ed7439a6633a3707ff2944c5c72f653f19fef2230e11b3391276d2

SHA512
9ea4727aa1a04a862ec45852f76bde6c28d45cd848f21a3583fec47d1294e584595dcb780572aed7ef09b97d2cee5b40e22a579e7aedf01e403f49138bf6d58e

Download Submit
memory/2640-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-129-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-41-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2792-130-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2792-131-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2792-163-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3000-28-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3000-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads