xred | 59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0

Analysis

max time kernel
111s
max time network
103s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
24-11-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
Size

771KB
MD5

c75b0bcffeda19dace16ee5ab82f2da0
SHA1

72203251f9161d5214bfe9e3f7f686f0badf481b
SHA256

59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0
SHA512

c71561895d37448e0a0a2020a863c4065ca4e6eeb16a0a3e25a88936b907390ccb527d80072a242a5d8d084c737f9945ba1199bfe1f08639bdc16cd5c02be5c0
SSDEEP

12288:GMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9f1KE+VIFJj:GnsJ39LyjbJkQFMhmC+6GD99KE+VIFh

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Executes dropped EXE 3 IoCs

Processes:

._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exeSynaptics.exe._cache_Synaptics.exe

pid process

1912 ._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
2232 Synaptics.exe
2788 ._cache_Synaptics.exe

pid	process
1912	._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
2232	Synaptics.exe
2788	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

Processes:

59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exeSynaptics.exe

pid	process
2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
2232	Synaptics.exe
2232	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeEXCEL.EXE59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2704 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2704 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2704	EXCEL.EXE

pid	process
2704	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exeSynaptics.exe

description	pid	process	target process
PID 2248 wrote to memory of 1912	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
PID 2248 wrote to memory of 1912	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
PID 2248 wrote to memory of 1912	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
PID 2248 wrote to memory of 1912	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
PID 2248 wrote to memory of 2232	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	Synaptics.exe
PID 2248 wrote to memory of 2232	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	Synaptics.exe
PID 2248 wrote to memory of 2232	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	Synaptics.exe
PID 2248 wrote to memory of 2232	2248	59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe	Synaptics.exe
PID 2232 wrote to memory of 2788	2232	Synaptics.exe	._cache_Synaptics.exe
PID 2232 wrote to memory of 2788	2232	Synaptics.exe	._cache_Synaptics.exe
PID 2232 wrote to memory of 2788	2232	Synaptics.exe	._cache_Synaptics.exe
PID 2232 wrote to memory of 2788	2232	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
"C:\Users\Admin\AppData\Local\Temp\59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe"
  2⤵
  - Executes dropped EXE
  PID:1912
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2788

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
771KB

MD5
c75b0bcffeda19dace16ee5ab82f2da0

SHA1
72203251f9161d5214bfe9e3f7f686f0badf481b

SHA256
59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0

SHA512
c71561895d37448e0a0a2020a863c4065ca4e6eeb16a0a3e25a88936b907390ccb527d80072a242a5d8d084c737f9945ba1199bfe1f08639bdc16cd5c02be5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Filesize
23KB

MD5
32868bf989a0c47b23ba9846107d536e

SHA1
85f1f82fb8e2fe3d4809e9fb48a2272ebb5ca1c9

SHA256
3f6b58b205c70eb1e774b631dfbc3eef79cdeeaf1e11cb0b0d7ef7fa5f8b1d7c

SHA512
28c00bf90dd7dcecbdc8372e54005136402fe3dfccee103a8c2e4eb9ba6e1cb8644b9301bd86ba2d5710c5243f796a6bdac537b4a5f8d9e9ef98225e30633ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Filesize
24KB

MD5
dccc8688688fea694a3e49433977d0df

SHA1
b0620774ccc96f4edaf758e0923c3dcc07bd2e26

SHA256
ee9a6daa9bdb0d213a14bab1599201d7bff031ffcf098741f5547bf6b3b4baa6

SHA512
5958e10cdecb7ef96e7ea2f94225c31cb8bff47223ce703446a2f32786f4689f538185d14e638e57c65a41c7f88a5d24a1bece73aee6b7f166b21d54ce33c729

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Filesize
27KB

MD5
dfda1f5c7c82415b87ff76a50a9e5734

SHA1
cd6e6d0fec04ba6578308f0a519b6b8bd1b0a1c2

SHA256
0943308f72e2d6bee243a3cdf8e9e6d1ade7c81c9346e7c42cf38d757cb2333f

SHA512
ff189a1c464b1946a8d3f2792dd94c9d318f9e35eba50a069a305b8e5ff4a368cf366b6923b705f9b5dbfc159a21f2328e3017d99c00fc70f4cdc36dba6c6ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Filesize
25KB

MD5
b0dcb52e36673ee7e6e23663921247ba

SHA1
98ab29246e27f79555191232e56c775195ff549d

SHA256
1fa5abd5cc0c1cfa5f2ccb03c0cb815577a0fb1f3d657c63dcfcdd69346ebba6

SHA512
5cbebcfc93678892cb6e809db527f39d1d115c6317dcd18d96205108ba7783d57ff82f177553fad44ff9654892c1679b1574ed1693839f1e2669d19e3456358e

Download Submit
C:\Users\Admin\AppData\Local\Temp\C7bZavC7.xlsm

Filesize
28KB

MD5
8899f1d03ede6861ec3f69b3b11b3a3f

SHA1
0068ca253cef556174961475c78ace24a00c0019

SHA256
9949347c564f8ce874f5c97f1734b5a58384ce73807db071ec98120581c9a0f7

SHA512
7fcffbc9b8edafc4a31596df4828782ca7729345383a2249fea292706207a2bfafe9e7fae2e8f012ff9e4fcf006c7ffe043cf76e298a8f00a9c918e602666e6d

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_59cfa86060c2452dc81b90f2b841f22652f509bc816f6b386022c68a060a51f0N.exe

Filesize
18KB

MD5
ac68a7a10fe2ae79b9e27f3dc123d247

SHA1
c3f65c7410d9e4a6f70f3c690e30889a05d27990

SHA256
bc3a11b50c10126abfab710b8f143c82ff8010b49e16e73e6b2db0b86739bb79

SHA512
6620fcf7c5645873c8de78dca4de7f82ca6826fcd4c1de0453ac0f192560cd48683b62f2dd1315c9e98e69c21019f4a6a9242862096656e9669780200d54e087

Download Submit
memory/1912-17-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2232-128-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2232-129-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2232-161-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2248-26-0x0000000000400000-0x00000000004C7000-memory.dmp

Filesize
796KB

Download
memory/2248-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2704-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-36-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download