xred | 8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387

Analysis

max time kernel
113s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24-11-2024 17:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Size

7.2MB
MD5

ba953b5381694ed49ebe449ce9bed3f0
SHA1

0269af2a058fe1286ad0847e5a7de7bdb08f597f
SHA256

8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387
SHA512

27ee40ce2516422193bf5302a43820b9fa812ed0f87663f3ebdf2e52f05facdca1ef4677e5bd1db69ee8e33c3dc154c9161109f45cc6a392f37d9bda8c7e9041
SSDEEP

196608:qLJ1103T3hrxZULtIta6oOcScwWhBNDWD:qV03FrrU5Ita6oOc7NCD

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
1168	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4624	Synaptics.exe
2684	._cache_Synaptics.exe
1928	._cache_Synaptics.exe

Loads dropped DLL 16 IoCs

pid	Process
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe
1928	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1640	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE
1640	EXCEL.EXE

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 1168	1572	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	83
PID 1572 wrote to memory of 1168	1572	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	83
PID 1572 wrote to memory of 1168	1572	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	83
PID 1168 wrote to memory of 4000	1168	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	86
PID 1168 wrote to memory of 4000	1168	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	86
PID 1168 wrote to memory of 4000	1168	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	86
PID 1572 wrote to memory of 4624	1572	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	85
PID 1572 wrote to memory of 4624	1572	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	85
PID 1572 wrote to memory of 4624	1572	8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	85
PID 4000 wrote to memory of 2412	4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	87
PID 4000 wrote to memory of 2412	4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	87
PID 4000 wrote to memory of 2412	4000	._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe	87
PID 4624 wrote to memory of 2684	4624	Synaptics.exe	88
PID 4624 wrote to memory of 2684	4624	Synaptics.exe	88
PID 4624 wrote to memory of 2684	4624	Synaptics.exe	88
PID 2684 wrote to memory of 1928	2684	._cache_Synaptics.exe	90
PID 2684 wrote to memory of 1928	2684	._cache_Synaptics.exe	90
PID 2684 wrote to memory of 1928	2684	._cache_Synaptics.exe	90
PID 1928 wrote to memory of 1052	1928	._cache_Synaptics.exe	91
PID 1928 wrote to memory of 1052	1928	._cache_Synaptics.exe	91
PID 1928 wrote to memory of 1052	1928	._cache_Synaptics.exe	91

C:\Users\Admin\AppData\Local\Temp\8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
"C:\Users\Admin\AppData\Local\Temp\8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4000
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      System Location Discovery: System Language Discovery
      PID:2412
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4624
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1928
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1052

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.2MB

MD5
ba953b5381694ed49ebe449ce9bed3f0

SHA1
0269af2a058fe1286ad0847e5a7de7bdb08f597f

SHA256
8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387

SHA512
27ee40ce2516422193bf5302a43820b9fa812ed0f87663f3ebdf2e52f05facdca1ef4677e5bd1db69ee8e33c3dc154c9161109f45cc6a392f37d9bda8c7e9041

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_8a10fffbd68d759b73ccacaa2f2ef25f37b380ef4e5d3ec7d4d7fe9b1384a387N.exe

Filesize
6.4MB

MD5
08f9dfe54351fbe840a1064057534b3c

SHA1
778243c235a8cd0184c1d96f9066e332d26e4096

SHA256
18eac1745817cc2f0fad48e37799596980321b11e16429d642d5089b59948f7d

SHA512
aeb4ff6eb9601d7d7451710b3657608283048062fdaa6e9d4dbbc05324efb799a325a0ab9db9b07d461856faf10c36e5e5935f115a6eb5e5e76bc7eec655be0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\C6E75E00

Filesize
22KB

MD5
fb4dbc8148438723b5ff7d9911199701

SHA1
df32c9ad183efac1f9d08544ac41b71a4af56652

SHA256
f31f3ad90ac3285e49d21507b696b949dab734fb3c6882c24df366f00cb4193a

SHA512
745666c1b0de9275e9e901ae8751bc5c39997d08f211935defef34e4953281e16815318e354c503b3470010bc55e9f782326c16de7458a451a467450966afec1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MxOIVKHW.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11682\_hashlib.pyd

Filesize
278KB

MD5
cf239a4ea58056f6b32e2928f64738c4

SHA1
a4d2bdf399c2cc56ed1c11e3a48c7bdbcad721e8

SHA256
052fee1823ad2986f7e4bab33f2fba136dcf87ec3d6acca37af72525aa1a6821

SHA512
2c23652ba5e397bedc88eb1a13d4c2dce06ed5c5857d790a5205ab31f9bc5506da5e55e1f139924dad9f446cdf5ea0eae5b2eacc733e6fbdb9eec2e113581adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11682\_socket.pyd

Filesize
40KB

MD5
e7e577c117bb5aa1011f841d1a10a218

SHA1
16558097bef92fcb61def76248823fe2d49f83c4

SHA256
74ac52c9497d696c8d8eaa120899752c964573ee90e6b04dc3e6ba72ae06e0a0

SHA512
82dc4594c4c6ad2cff76c54cc2caeb6751068c91f23b61deca6a1f9dba640acc4f0556df70d3812b8592c247c3259a74f5f1abd2b81fd0dfec2f194df62e1a34

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11682\_ssl.pyd

Filesize
705KB

MD5
e98a9104ee53322918e22b4d5900f695

SHA1
37565ff8a2ac41f97d3eea6db0b51f1d8b59c38a

SHA256
e1f095371953942643b1d4d199b7b090529afeb20ab1bc26c90454716ea96ab2

SHA512
5612dd1388a68e96bd30493d6ceaaecd32df4ceb7db64ae704aba52d041e1f49ad95f94bcab615c76430e250c81a68fee8bc937a43bb80ddc5493c87a7ebdaec

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11682\lxml.etree.pyd

Filesize
2.8MB

MD5
490a41d1696f913cce54a3492f9230cc

SHA1
1783db8852345aee155c62080bdd0c44788bf45c

SHA256
baf2f7c11a41c9a5ee6437174fdaf1753f9a1d592d0f79fc8e5d09ccac164032

SHA512
df14b6eb474965ea6941315250a6cb9d22420d41123640e6d29b1a4563482db2ff89e83a47ac7c777ec85e953093b9c3ed82820770ae7a0466124e169a886252

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11682\python27.dll

Filesize
2.2MB

MD5
c5a254155bd7a9548a7b81ae37b46ee4

SHA1
594a143cbdba14743b6d2a702ab0543fe28eba29

SHA256
d46fa7be982ae654c92d5799ddfcbf91d071529f87258646a98a637fe6b650e0

SHA512
b2aa525a7c88df2514e5c542ae04bd05c951ec0142580f57b2819cefb49be7d5e70b708ccf8e154e6be3541811dd7af781a72bfd47611b9a3e87e62c13d0985f

Download Submit
memory/1572-139-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/1572-0-0x00000000029C0000-0x00000000029C1000-memory.dmp

Filesize
4KB

Download
memory/1640-218-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/1640-219-0x00007FF818C60000-0x00007FF818C70000-memory.dmp

Filesize
64KB

Download
memory/1640-215-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1640-217-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1640-216-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1640-214-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1640-213-0x00007FF81ADD0000-0x00007FF81ADE0000-memory.dmp

Filesize
64KB

Download
memory/1928-206-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/1928-201-0x0000000000650000-0x0000000000699000-memory.dmp

Filesize
292KB

Download
memory/1928-210-0x0000000002140000-0x00000000021F6000-memory.dmp

Filesize
728KB

Download
memory/4000-128-0x00000000028F0000-0x0000000002939000-memory.dmp

Filesize
292KB

Download
memory/4000-133-0x00000000021C0000-0x00000000021CC000-memory.dmp

Filesize
48KB

Download
memory/4000-137-0x0000000002980000-0x0000000002A36000-memory.dmp

Filesize
728KB

Download
memory/4624-212-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/4624-140-0x00000000026A0000-0x00000000026A1000-memory.dmp

Filesize
4KB

Download
memory/4624-266-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/4624-289-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/4624-298-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads