xred | 33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1b

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Size

898KB
MD5

a446b22cb3093a099c48c96fe3dbb980
SHA1

c7c416787c7b02626779553a4b43177fbd0e7334
SHA256

33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1b
SHA512

354125d920f2a001eda845f2d887d1961ea950ccb77aef4eeea9f0a4a86ee2d5263da010b6fe1acf9c5363266d143fa5c2c19b7436c532657351b697defdaa61
SSDEEP

12288:AMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IKnPdjDupjIa61Uz:AnsJ39LyjbJkQFMhmC+6GD9PPdjCj44

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
2200	Synaptics.exe
2676	Un.exe
2612	._cache_Synaptics.exe
2968	Un.exe

Loads dropped DLL 9 IoCs

pid	Process
2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
2200	Synaptics.exe
2200	Synaptics.exe
2612	._cache_Synaptics.exe
2676	Un.exe
2968	Un.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1092	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1092	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2740	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	30
PID 2488 wrote to memory of 2200	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	31
PID 2488 wrote to memory of 2200	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	31
PID 2488 wrote to memory of 2200	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	31
PID 2488 wrote to memory of 2200	2488	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	31
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2740 wrote to memory of 2676	2740	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	32
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2200 wrote to memory of 2612	2200	Synaptics.exe	33
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2612 wrote to memory of 2968	2612	._cache_Synaptics.exe	34
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2968 wrote to memory of 1508	2968	Un.exe	36
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1232	2676	Un.exe	35
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2676 wrote to memory of 1344	2676	Un.exe	37
PID 2968 wrote to memory of 1096	2968	Un.exe	38
PID 2968 wrote to memory of 1096	2968	Un.exe	38
PID 2968 wrote to memory of 1096	2968	Un.exe	38
PID 2968 wrote to memory of 1096	2968	Un.exe	38
PID 2968 wrote to memory of 1096	2968	Un.exe	38
PID 2968 wrote to memory of 1096	2968	Un.exe	38
PID 2968 wrote to memory of 1096	2968	Un.exe	38

C:\Users\Admin\AppData\Local\Temp\33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
"C:\Users\Admin\AppData\Local\Temp\33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Users\Admin\AppData\Local\Temp\._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1232
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1344
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2612
  - - C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe" InjUpdate _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2968
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1096

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
898KB

MD5
a446b22cb3093a099c48c96fe3dbb980

SHA1
c7c416787c7b02626779553a4b43177fbd0e7334

SHA256
33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1b

SHA512
354125d920f2a001eda845f2d887d1961ea950ccb77aef4eeea9f0a4a86ee2d5263da010b6fe1acf9c5363266d143fa5c2c19b7436c532657351b697defdaa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1ybuuEM.xlsm

Filesize
21KB

MD5
f4e5952b03de02e24ec8df91c510c933

SHA1
e703f43e9065e5c4b369513278fb5b52e3225b64

SHA256
7e90ccddfd7975b10a531701e7d6309141b49e654a7e0f59cdcb1fbca2ea00d2

SHA512
292834736c0cbccafee10dbde185ca0a4ec40dd94744e8e6fb9a53f8c2f71bb35802825c0c6475ed5b8178fd0e8dce1d0c7f83ac22653a983a881ee24c4b97f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1ybuuEM.xlsm

Filesize
26KB

MD5
760b7cdcb6f8dcb347ca740ea72b3a35

SHA1
05c8e937bf6ea4b7361ce046f2d154713aaf9f22

SHA256
f6eab78a90febca45d4661045d6fad39902c82971658d41bae82efb4cae2ba1e

SHA512
345274b7423bad2337a5fb63150b329e70e8d230da2c9b7726782c6aa1a4dd0c2c3d8b223b5df72932b5b584b92c7e8d36bf5d2ad4ff513e650a1b32f69f0b91

Download Submit
C:\Users\Admin\AppData\Local\Temp\H1ybuuEM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nse2906.tmp\modern-header.bmp

Filesize
33KB

MD5
f007ed32620609ef99928c078564b2a0

SHA1
324371a33b4e1aa557ab1b863fae6b9d623d3bed

SHA256
9c7a53caac4a9ce099278ad1b2364296a3170d893bfb21dda35eb1ffc5b30fce

SHA512
88e62c77391776429eba180281a2b9df7430ac8873578a3cf9e7ebbf708d50997282eeefc2fd0f7016a9837d03a677b38534bc695958f12ac214a5736bb11272

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe

Filesize
144KB

MD5
4ccbe25e360023421c703a858f4a377c

SHA1
ec3e91ed7ced0dc9319d7a59e25ad7384f336842

SHA256
8a5d67ad13db5cf105b99a0c90b1954fca96388fba1d7df329bcd689c79420ff

SHA512
a6ca98bee85319989f456c85db3040c8cc4b8310d60aa408ba0390d79b3adf44c4c490a36c87ec63d5780d188b4aa5a0d7f728b57b8b3f5a4851f88f5b202f6b

Download Submit
\Users\Admin\AppData\Local\Temp\nse2906.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
memory/1092-78-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1092-132-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2200-67-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2200-133-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2200-134-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2200-168-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2488-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2488-25-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads