xred | 9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
25-11-2024 06:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
Size

1.2MB
MD5

a6b0c646c57b62e6f11baa38c5e28ef0
SHA1

e394f063c294ac957cb2a91288b74a399e76de4b
SHA256

9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71
SHA512

9663202bddf92fb1c81086ad3d57dd1409b15c28d557c94923da2d8a1f367ba55c93023fc30f5f69addd25c8e02d0d39cbdacc2d35a18ba8d8557aba396784f6
SSDEEP

12288:7MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9APoBhY8QyIE635:7nsJ39LyjbJkQFMhmC+6GD9HY9JBJ

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Executes dropped EXE 3 IoCs

Processes:

._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exeSynaptics.exe._cache_Synaptics.exe

pid process

2532 ._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
2088 Synaptics.exe
2840 ._cache_Synaptics.exe

pid	process
2532	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
2088	Synaptics.exe
2840	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

Processes:

9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exeSynaptics.exeWerFault.exeWerFault.exe

pid	process
2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
2088	Synaptics.exe
2088	Synaptics.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2648	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2868	WerFault.exe
2648	WerFault.exe
2868	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
2648	2840	WerFault.exe	._cache_Synaptics.exe
2868	2532	WerFault.exe	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2748 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2748 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2748	EXCEL.EXE

pid	process
2748	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exeSynaptics.exe._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe._cache_Synaptics.exe

description	pid	process	target process
PID 2100 wrote to memory of 2532	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
PID 2100 wrote to memory of 2532	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
PID 2100 wrote to memory of 2532	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
PID 2100 wrote to memory of 2532	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
PID 2100 wrote to memory of 2088	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	Synaptics.exe
PID 2100 wrote to memory of 2088	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	Synaptics.exe
PID 2100 wrote to memory of 2088	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	Synaptics.exe
PID 2100 wrote to memory of 2088	2100	9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	Synaptics.exe
PID 2088 wrote to memory of 2840	2088	Synaptics.exe	._cache_Synaptics.exe
PID 2088 wrote to memory of 2840	2088	Synaptics.exe	._cache_Synaptics.exe
PID 2088 wrote to memory of 2840	2088	Synaptics.exe	._cache_Synaptics.exe
PID 2088 wrote to memory of 2840	2088	Synaptics.exe	._cache_Synaptics.exe
PID 2532 wrote to memory of 2868	2532	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	WerFault.exe
PID 2532 wrote to memory of 2868	2532	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	WerFault.exe
PID 2532 wrote to memory of 2868	2532	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	WerFault.exe
PID 2532 wrote to memory of 2868	2532	._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe	WerFault.exe
PID 2840 wrote to memory of 2648	2840	._cache_Synaptics.exe	WerFault.exe
PID 2840 wrote to memory of 2648	2840	._cache_Synaptics.exe	WerFault.exe
PID 2840 wrote to memory of 2648	2840	._cache_Synaptics.exe	WerFault.exe
PID 2840 wrote to memory of 2648	2840	._cache_Synaptics.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
"C:\Users\Admin\AppData\Local\Temp\9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2532 -s 628
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2868
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2840
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2840 -s 624
      4⤵
      Loads dropped DLL
      Program crash
      PID:2648

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
a6b0c646c57b62e6f11baa38c5e28ef0

SHA1
e394f063c294ac957cb2a91288b74a399e76de4b

SHA256
9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71

SHA512
9663202bddf92fb1c81086ad3d57dd1409b15c28d557c94923da2d8a1f367ba55c93023fc30f5f69addd25c8e02d0d39cbdacc2d35a18ba8d8557aba396784f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9f0af1cf4d104abdef87173ecb3d998003fa6e1bb6bc177efc2aa8621c0a1b71.exe

Filesize
443KB

MD5
40918b19a89cc4dcf6ec03c7f07ccd35

SHA1
26ec973875e0a5b4d4bb0b3eef70a701f3b86c70

SHA256
f723a08340dd51b9264b6dd4b9105634b4537428bc86e1efd93af768501dd66b

SHA512
ce5dbdeb674cf3daabaab3779ec749f7114177dc251e79aafaee4bc46b33b453355ee2b02dc146b93b22693540da104bcb256fe4512b8933c5f8774a34f9f31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
22KB

MD5
1bb7fc28d84f569fe270b8c0813617e4

SHA1
8b2bc29a47794dd662069181cea9710688226a20

SHA256
93927e5cbe5bfbcfda90c3c0f794f60b211c3569afc0088575d76a04a70824e9

SHA512
aa2db2581256f7a6755b9143e0173332a049de0e76079b645c2bcddaea688848ef9358067407091c324c4e65cff73b52985f3f1e81d9ad542ddb036d03998dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
21KB

MD5
f48a47626f424f1ea8e2bc37e261768e

SHA1
09f1da499cbf51343989b144c9a31671b2102871

SHA256
bff2cec57c866e8fa12b4d63a7540dd0c6cf372fc8daf2d00d8b251cdc604c99

SHA512
2b2cea9e3ad0c6be1f4a483b9ba8d2fdde559e75ff25ac12ab9b34c0db8fcaffed5afb14bd11c4d577a85306be5bbc85bc9a303ea786c6acb73bdef27b78980d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
22KB

MD5
5e9db438caee42d873ba3d3a6da41ce2

SHA1
5c154581f01e78e7210eaf2e0e2fb8f96e2143b1

SHA256
4071ad98f3e7c7942e5ed2ce795521ae843d063b6b9bccb7c5e0e1476f71ad82

SHA512
46d18a43da226d626bd846e3eeb8c99d8e287f4912c5e98c2a657b329b84307e4928fa2f53b246675f7d50a16651da5f8fd1c652e42a670283560364072e2f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
23KB

MD5
020d051ac74b3cd8b1735f38762cf3e6

SHA1
97ba9c67f1b0731fc6fdef74e35a7db8747f9c08

SHA256
1116f956471447cf5000778f3aa8bdb629cb0982d4ed7437e46a04a3974f0bcc

SHA512
1d0a16f5ea3eb28719c0a8d83d0e6a1a7a430d67f273d18c2c2a6bba923ce84a2b373b558b2f7373d88026f0eacd1ad73bce176274049de62cf4364b9a89cc9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
24KB

MD5
ca53b9d877bb1844a5602360ccf51d75

SHA1
da9f108e45200c48def6973c9e52ca12a773663b

SHA256
30b87c135eae7b23f65671133dd4079cb73709c096f9ee90bfea89a7e6f2aa17

SHA512
3a208d3bf50488e7b340d0b3273ccc87b3b1f2aa2c30992aa1878f78e4b25db795cba5275cb96b85b63ac6eb6c922918cfe3d941450b7b63c23a3dae38534b93

Download Submit
C:\Users\Admin\AppData\Local\Temp\JVqsuCiJ.xlsm

Filesize
25KB

MD5
a7ce4c8d2feec7c420a09e78befba0e9

SHA1
6e2c8792f998842ba1a82b9b84f895de9965ca50

SHA256
f97f986f0e8d7423b1c2d7bb54095aefebe8121a7b9b7991d1889c52bcd43ec2

SHA512
b557d8b81d804d6ab44ce85f8b2948a998ce0d50ce7abc7ad0f26d2f67bfce52762bb31f1ef0ec57a15cdfd03df025e9c0358956cf03a7a8d8f87ae8e3007fc3

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2088-148-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2088-149-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2088-181-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2100-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2100-25-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2532-29-0x0000000001260000-0x00000000012D4000-memory.dmp

Filesize
464KB

Download
memory/2748-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2748-147-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2840-38-0x0000000000A60000-0x0000000000AD4000-memory.dmp

Filesize
464KB

Download