xred | 2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d

Analysis

max time kernel
111s
max time network
120s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
26-11-2024 09:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
Size

7.2MB
MD5

17fb5a937bb4ab68d8fda97aac0df74e
SHA1

d9e4a969e290907a81e84006f19fb6a3beec0faf
SHA256

2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d
SHA512

ea2af535f1a1dd163656c5d3e25eaff183d0247dba919bf60dd76f24a3f3e9b57a95f3513f20ad09e4b7aacd413293f5f7f381741ef0c2e26fdce82fe4955897
SSDEEP

196608:qLJ1103T3hrxZULtIta6oOcScwWhBNDWR:qV03FrrU5Ita6oOc7NCR

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2396	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2996	Synaptics.exe
2832	._cache_Synaptics.exe
2376	._cache_Synaptics.exe

Loads dropped DLL 19 IoCs

pid	Process
2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2396	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
2996	Synaptics.exe
2996	Synaptics.exe
2996	Synaptics.exe
2832	._cache_Synaptics.exe
2376	._cache_Synaptics.exe
2376	._cache_Synaptics.exe
2376	._cache_Synaptics.exe
2376	._cache_Synaptics.exe
2376	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
808	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
808	EXCEL.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2392 wrote to memory of 2396	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	31
PID 2392 wrote to memory of 2396	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	31
PID 2392 wrote to memory of 2396	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	31
PID 2392 wrote to memory of 2396	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	31
PID 2396 wrote to memory of 2984	2396	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	33
PID 2396 wrote to memory of 2984	2396	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	33
PID 2396 wrote to memory of 2984	2396	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	33
PID 2396 wrote to memory of 2984	2396	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	33
PID 2392 wrote to memory of 2996	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	34
PID 2392 wrote to memory of 2996	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	34
PID 2392 wrote to memory of 2996	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	34
PID 2392 wrote to memory of 2996	2392	2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	34
PID 2984 wrote to memory of 2928	2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	35
PID 2984 wrote to memory of 2928	2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	35
PID 2984 wrote to memory of 2928	2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	35
PID 2984 wrote to memory of 2928	2984	._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe	35
PID 2996 wrote to memory of 2832	2996	Synaptics.exe	36
PID 2996 wrote to memory of 2832	2996	Synaptics.exe	36
PID 2996 wrote to memory of 2832	2996	Synaptics.exe	36
PID 2996 wrote to memory of 2832	2996	Synaptics.exe	36
PID 2832 wrote to memory of 2376	2832	._cache_Synaptics.exe	39
PID 2832 wrote to memory of 2376	2832	._cache_Synaptics.exe	39
PID 2832 wrote to memory of 2376	2832	._cache_Synaptics.exe	39
PID 2832 wrote to memory of 2376	2832	._cache_Synaptics.exe	39
PID 2376 wrote to memory of 2164	2376	._cache_Synaptics.exe	40
PID 2376 wrote to memory of 2164	2376	._cache_Synaptics.exe	40
PID 2376 wrote to memory of 2164	2376	._cache_Synaptics.exe	40
PID 2376 wrote to memory of 2164	2376	._cache_Synaptics.exe	40

C:\Users\Admin\AppData\Local\Temp\2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
"C:\Users\Admin\AppData\Local\Temp\2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2392
- C:\Users\Admin\AppData\Local\Temp\._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Users\Admin\AppData\Local\Temp\._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c cls
      4⤵
      System Location Discovery: System Language Discovery
      PID:2928
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2996
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2376
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c cls
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2164

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.2MB

MD5
17fb5a937bb4ab68d8fda97aac0df74e

SHA1
d9e4a969e290907a81e84006f19fb6a3beec0faf

SHA256
2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d

SHA512
ea2af535f1a1dd163656c5d3e25eaff183d0247dba919bf60dd76f24a3f3e9b57a95f3513f20ad09e4b7aacd413293f5f7f381741ef0c2e26fdce82fe4955897

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI23962\lxml.etree.pyd

Filesize
2.8MB

MD5
490a41d1696f913cce54a3492f9230cc

SHA1
1783db8852345aee155c62080bdd0c44788bf45c

SHA256
baf2f7c11a41c9a5ee6437174fdaf1753f9a1d592d0f79fc8e5d09ccac164032

SHA512
df14b6eb474965ea6941315250a6cb9d22420d41123640e6d29b1a4563482db2ff89e83a47ac7c777ec85e953093b9c3ed82820770ae7a0466124e169a886252

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLzdeuWN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLzdeuWN.xlsm

Filesize
24KB

MD5
b2f45e49e9f5ea73a22c5f3157a7b0f6

SHA1
e435e56af70ffb624fa3b579c5b7ec95c61d1c40

SHA256
94a86746305a99a06209355453097938816b4b1aa5b23d28d1aa9d8ad20fffb6

SHA512
dabd3ba7755f061abc7cb6a3b6f30784976cb10c1b9c6bddceb2df73db0376452ab603ff1cb671a04d684f6f1a25f07886de9ab78573d56a41e9e1c110d36af5

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2a466b380c58458cb27936e54b9320f7c6df4b960bfab2c5fdaca43916b6cb6d.exe

Filesize
6.4MB

MD5
08f9dfe54351fbe840a1064057534b3c

SHA1
778243c235a8cd0184c1d96f9066e332d26e4096

SHA256
18eac1745817cc2f0fad48e37799596980321b11e16429d642d5089b59948f7d

SHA512
aeb4ff6eb9601d7d7451710b3657608283048062fdaa6e9d4dbbc05324efb799a325a0ab9db9b07d461856faf10c36e5e5935f115a6eb5e5e76bc7eec655be0d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI23962\python27.dll

Filesize
2.2MB

MD5
c5a254155bd7a9548a7b81ae37b46ee4

SHA1
594a143cbdba14743b6d2a702ab0543fe28eba29

SHA256
d46fa7be982ae654c92d5799ddfcbf91d071529f87258646a98a637fe6b650e0

SHA512
b2aa525a7c88df2514e5c542ae04bd05c951ec0142580f57b2819cefb49be7d5e70b708ccf8e154e6be3541811dd7af781a72bfd47611b9a3e87e62c13d0985f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28322\_hashlib.pyd

Filesize
278KB

MD5
cf239a4ea58056f6b32e2928f64738c4

SHA1
a4d2bdf399c2cc56ed1c11e3a48c7bdbcad721e8

SHA256
052fee1823ad2986f7e4bab33f2fba136dcf87ec3d6acca37af72525aa1a6821

SHA512
2c23652ba5e397bedc88eb1a13d4c2dce06ed5c5857d790a5205ab31f9bc5506da5e55e1f139924dad9f446cdf5ea0eae5b2eacc733e6fbdb9eec2e113581adc

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28322\_socket.pyd

Filesize
40KB

MD5
e7e577c117bb5aa1011f841d1a10a218

SHA1
16558097bef92fcb61def76248823fe2d49f83c4

SHA256
74ac52c9497d696c8d8eaa120899752c964573ee90e6b04dc3e6ba72ae06e0a0

SHA512
82dc4594c4c6ad2cff76c54cc2caeb6751068c91f23b61deca6a1f9dba640acc4f0556df70d3812b8592c247c3259a74f5f1abd2b81fd0dfec2f194df62e1a34

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI28322\_ssl.pyd

Filesize
705KB

MD5
e98a9104ee53322918e22b4d5900f695

SHA1
37565ff8a2ac41f97d3eea6db0b51f1d8b59c38a

SHA256
e1f095371953942643b1d4d199b7b090529afeb20ab1bc26c90454716ea96ab2

SHA512
5612dd1388a68e96bd30493d6ceaaecd32df4ceb7db64ae704aba52d041e1f49ad95f94bcab615c76430e250c81a68fee8bc937a43bb80ddc5493c87a7ebdaec

Download Submit
memory/808-84-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2376-109-0x00000000002C0000-0x0000000000309000-memory.dmp

Filesize
292KB

Download
memory/2376-113-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2376-117-0x0000000002B60000-0x0000000002C16000-memory.dmp

Filesize
728KB

Download
memory/2392-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2392-54-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2984-64-0x0000000002B20000-0x0000000002BD6000-memory.dmp

Filesize
728KB

Download
memory/2984-61-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2984-57-0x0000000000270000-0x00000000002B9000-memory.dmp

Filesize
292KB

Download
memory/2996-158-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2996-159-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2996-164-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download
memory/2996-191-0x0000000000400000-0x0000000000B2D000-memory.dmp

Filesize
7.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads