xred | 20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
23-11-2024 20:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
Size

8.0MB
MD5

4e331e676ff3c714a071c03a2900499c
SHA1

4da12120148f4f1c4f007391e1c23511dbace9e0
SHA256

20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267
SHA512

26a87acab7e15fd39f87def250b25f88bc27d9e18a1d71e36589614eb60ea9e74dc0f34b9ec4f9c6dc54e39611685d5ff1bf8955337281d62ecbbec8b3c6fc60
SSDEEP

196608:sLP8OU6EBTlYaphOIgJW1q1ANtR0h8K++K8XQGJP1j4caI6HMaJTtGb79:socEBpYcqER0h8dGJP94+9

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe._cache_Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Control Panel\International\Geo\Nation	._cache_Synaptics.exe

Executes dropped EXE 3 IoCs

Processes:

._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exeSynaptics.exe._cache_Synaptics.exe

pid process

2452 ._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
3024 Synaptics.exe
2756 ._cache_Synaptics.exe

pid	process
2452	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
3024	Synaptics.exe
2756	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

Processes:

20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exeWerFault.exeSynaptics.exeWerFault.exe

pid	process
1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
2972	WerFault.exe
3024	Synaptics.exe
2972	WerFault.exe
3024	Synaptics.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe
1912	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2972	2452	WerFault.exe	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
1912	2756	WerFault.exe	._cache_Synaptics.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exe._cache_Synaptics.exeEXCEL.EXE20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

744 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

744 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
744	EXCEL.EXE

pid	process
744	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exeSynaptics.exe._cache_Synaptics.exe

description	pid	process	target process
PID 1272 wrote to memory of 2452	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
PID 1272 wrote to memory of 2452	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
PID 1272 wrote to memory of 2452	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
PID 1272 wrote to memory of 2452	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
PID 1272 wrote to memory of 3024	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	Synaptics.exe
PID 1272 wrote to memory of 3024	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	Synaptics.exe
PID 1272 wrote to memory of 3024	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	Synaptics.exe
PID 1272 wrote to memory of 3024	1272	20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	Synaptics.exe
PID 2452 wrote to memory of 2972	2452	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	WerFault.exe
PID 2452 wrote to memory of 2972	2452	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	WerFault.exe
PID 2452 wrote to memory of 2972	2452	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	WerFault.exe
PID 2452 wrote to memory of 2972	2452	._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe	WerFault.exe
PID 3024 wrote to memory of 2756	3024	Synaptics.exe	._cache_Synaptics.exe
PID 3024 wrote to memory of 2756	3024	Synaptics.exe	._cache_Synaptics.exe
PID 3024 wrote to memory of 2756	3024	Synaptics.exe	._cache_Synaptics.exe
PID 3024 wrote to memory of 2756	3024	Synaptics.exe	._cache_Synaptics.exe
PID 2756 wrote to memory of 1912	2756	._cache_Synaptics.exe	WerFault.exe
PID 2756 wrote to memory of 1912	2756	._cache_Synaptics.exe	WerFault.exe
PID 2756 wrote to memory of 1912	2756	._cache_Synaptics.exe	WerFault.exe
PID 2756 wrote to memory of 1912	2756	._cache_Synaptics.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
"C:\Users\Admin\AppData\Local\Temp\20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2452 -s 592
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2972
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2756
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2756 -s 528
      4⤵
      Loads dropped DLL
      Program crash
      PID:1912

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
8.0MB

MD5
4e331e676ff3c714a071c03a2900499c

SHA1
4da12120148f4f1c4f007391e1c23511dbace9e0

SHA256
20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267

SHA512
26a87acab7e15fd39f87def250b25f88bc27d9e18a1d71e36589614eb60ea9e74dc0f34b9ec4f9c6dc54e39611685d5ff1bf8955337281d62ecbbec8b3c6fc60

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Filesize
21KB

MD5
34246806a59bdef0943c57b004f2b62b

SHA1
3681392ec1f76abcc3f9ca34a34cd6e45664244a

SHA256
5da5f28677df464bfcc21779efe74277f74ec662c1dfa361eced13277daa2f21

SHA512
b46f1bd91d54aabc04907c5755b4276542d1b61bab7d20975d9cb9967d4d5dba6f595952320f54f1c5aa0606e9ae032b26f78dda6dadff5a3567acd93cfca5f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Filesize
25KB

MD5
51426d29073857e5090cabb8db23bf40

SHA1
ff7a5b07b87e6d47545c35068cca8b013bdd5cfc

SHA256
17261a78dd5080dfa22a4a317c48cddf8a3fd9065b46795f020c5df1e631728c

SHA512
6a8867cab5b84defb638d7681eca5689610e815bf33499e3b3e4e0890da69aea6a80899b9700d2a8bf96035055ed718403e254ff93fa2ae768cf4af89956208b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Filesize
23KB

MD5
c235df65c392d6c80ca14c1578539f27

SHA1
bc9581555980b2126d9d094d817b4525fa4521dd

SHA256
24c441a246fdc4d9aa4bacba5375b3452701b4174ad76343d4d3eaca58e8dc04

SHA512
8fd4a5f8fc7f8311d1ec231a879cd10cb38036bcab1932e271e77a6cb683cf388998a901e919c44f074c9822b4f33d754f272737ef9530aaec3d43bde0102a37

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Filesize
21KB

MD5
6cb14cfa96d7ffccf05ef00f4ac55cf0

SHA1
95949f8a4b1a305d57212b7b7887fcc8e2e66749

SHA256
39f98959a53577f62ea7baa7f19aee2099621d642c3d8cedce37a684a5ac4f5b

SHA512
d567d67621dbf36b1339223ea874c16a344c447ef2f9adc61af8cb5e040dd630d25e361d90c132669da80549a89c9b0b0de27aeef74072055bbbd018373c578b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BPpu8RT2.xlsm

Filesize
26KB

MD5
e5bd753ae89fa85733bae33282df6a9d

SHA1
a008fff7e6f2d2675a86b9525e3f39d593cbeb0a

SHA256
f23ac7d7c9a79baedcb24da70138b22da4059a75db963012d239c9f79524a70c

SHA512
e774256e5d3c315ef68e55de5fa39c90af82e923e5afe4aa2fa8a0ec143f0ed0fafe80d69397e835e498e8335a262672f57f5517643ebb4373d6eec43a215470

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_20384d1f911f3d88c1029249593ea38877064006e4ca725bff2a1541b4e8a267.exe

Filesize
7.3MB

MD5
25faf73dfd6e6e317e0feac53d45280b

SHA1
bf5e2fcc860b4dea163280c8baf6629ccaa87ae3

SHA256
3921739750770747349e1bbd05e4a06865e8ee1553ca7063b047e11bc18b848a

SHA512
642ba912aeb997c38dcaebb254b0a8363fd83f48bebe32f282e2ef6257a2674013a50dc22f6f276483d0744d38801684f2263d7898b4522fb70987287849aebe

Download Submit
memory/744-48-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/744-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1272-26-0x0000000000400000-0x0000000000C03000-memory.dmp

Filesize
8.0MB

Download
memory/1272-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/3024-47-0x0000000000400000-0x0000000000C03000-memory.dmp

Filesize
8.0MB

Download
memory/3024-136-0x0000000000400000-0x0000000000C03000-memory.dmp

Filesize
8.0MB

Download
memory/3024-137-0x0000000000400000-0x0000000000C03000-memory.dmp

Filesize
8.0MB

Download
memory/3024-169-0x0000000000400000-0x0000000000C03000-memory.dmp

Filesize
8.0MB

Download