xred | 33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1b

Analysis

max time kernel
112s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2024 12:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Size

898KB
MD5

a446b22cb3093a099c48c96fe3dbb980
SHA1

c7c416787c7b02626779553a4b43177fbd0e7334
SHA256

33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1b
SHA512

354125d920f2a001eda845f2d887d1961ea950ccb77aef4eeea9f0a4a86ee2d5263da010b6fe1acf9c5363266d143fa5c2c19b7436c532657351b697defdaa61
SSDEEP

12288:AMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IKnPdjDupjIa61Uz:AnsJ39LyjbJkQFMhmC+6GD9PPdjCj44

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
2196	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
3424	Synaptics.exe
3540	Un.exe
2424	._cache_Synaptics.exe
1992	Un.exe

Loads dropped DLL 2 IoCs

pid	Process
1992	Un.exe
3540	Un.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4916	EXCEL.EXE

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE
4916	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 2196	4472	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	83
PID 4472 wrote to memory of 2196	4472	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	83
PID 4472 wrote to memory of 2196	4472	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	83
PID 4472 wrote to memory of 3424	4472	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	84
PID 4472 wrote to memory of 3424	4472	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	84
PID 4472 wrote to memory of 3424	4472	33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	84
PID 2196 wrote to memory of 3540	2196	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	85
PID 2196 wrote to memory of 3540	2196	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	85
PID 2196 wrote to memory of 3540	2196	._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe	85
PID 3424 wrote to memory of 2424	3424	Synaptics.exe	86
PID 3424 wrote to memory of 2424	3424	Synaptics.exe	86
PID 3424 wrote to memory of 2424	3424	Synaptics.exe	86
PID 2424 wrote to memory of 1992	2424	._cache_Synaptics.exe	87
PID 2424 wrote to memory of 1992	2424	._cache_Synaptics.exe	87
PID 2424 wrote to memory of 1992	2424	._cache_Synaptics.exe	87
PID 1992 wrote to memory of 4368	1992	Un.exe	88
PID 1992 wrote to memory of 4368	1992	Un.exe	88
PID 1992 wrote to memory of 4368	1992	Un.exe	88
PID 3540 wrote to memory of 2748	3540	Un.exe	89
PID 3540 wrote to memory of 2748	3540	Un.exe	89
PID 3540 wrote to memory of 2748	3540	Un.exe	89
PID 1992 wrote to memory of 2860	1992	Un.exe	90
PID 1992 wrote to memory of 2860	1992	Un.exe	90
PID 1992 wrote to memory of 2860	1992	Un.exe	90
PID 3540 wrote to memory of 2240	3540	Un.exe	91
PID 3540 wrote to memory of 2240	3540	Un.exe	91
PID 3540 wrote to memory of 2240	3540	Un.exe	91

C:\Users\Admin\AppData\Local\Temp\33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
"C:\Users\Admin\AppData\Local\Temp\33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Users\Admin\AppData\Local\Temp\._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2240
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3424
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2424
  - - C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe" InjUpdate _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4368
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2860

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
898KB

MD5
a446b22cb3093a099c48c96fe3dbb980

SHA1
c7c416787c7b02626779553a4b43177fbd0e7334

SHA256
33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1b

SHA512
354125d920f2a001eda845f2d887d1961ea950ccb77aef4eeea9f0a4a86ee2d5263da010b6fe1acf9c5363266d143fa5c2c19b7436c532657351b697defdaa61

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_33c3a67e7b3680a8f3f3c2d7b6c262ac9375a4e5a964ab84f826a790570c5f1bN.exe

Filesize
144KB

MD5
4ccbe25e360023421c703a858f4a377c

SHA1
ec3e91ed7ced0dc9319d7a59e25ad7384f336842

SHA256
8a5d67ad13db5cf105b99a0c90b1954fca96388fba1d7df329bcd689c79420ff

SHA512
a6ca98bee85319989f456c85db3040c8cc4b8310d60aa408ba0390d79b3adf44c4c490a36c87ec63d5780d188b4aa5a0d7f728b57b8b3f5a4851f88f5b202f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ipeSON8r.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa79C6.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsa79C6.tmp\modern-header.bmp

Filesize
33KB

MD5
f007ed32620609ef99928c078564b2a0

SHA1
324371a33b4e1aa557ab1b863fae6b9d623d3bed

SHA256
9c7a53caac4a9ce099278ad1b2364296a3170d893bfb21dda35eb1ffc5b30fce

SHA512
88e62c77391776429eba180281a2b9df7430ac8873578a3cf9e7ebbf708d50997282eeefc2fd0f7016a9837d03a677b38534bc695958f12ac214a5736bb11272

Download Submit
memory/3424-134-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/3424-214-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3424-276-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3424-245-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4472-128-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/4472-0-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/4916-225-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

Filesize
64KB

Download
memory/4916-229-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

Filesize
64KB

Download
memory/4916-230-0x00007FFC3D8E0000-0x00007FFC3D8F0000-memory.dmp

Filesize
64KB

Download
memory/4916-231-0x00007FFC3D8E0000-0x00007FFC3D8F0000-memory.dmp

Filesize
64KB

Download
memory/4916-228-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

Filesize
64KB

Download
memory/4916-226-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

Filesize
64KB

Download
memory/4916-227-0x00007FFC3FC90000-0x00007FFC3FCA0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads