xred | be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecf

Analysis

max time kernel
110s
max time network
120s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
02-12-2024 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
Size

821KB
MD5

513f889c3acba25660ff5fb0f22427d0
SHA1

7025a63bef0a64531ceb49c1d532773bfcd94114
SHA256

be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecf
SHA512

842629ba4fab49d00a176ac2a4a1bdf51ead040b58860d910fb0e02bad8ca8efc0514c91b7b5828adb2932f3b1c2c5702ba5732481ec5fa95156f3a5b1143da5
SSDEEP

12288:VMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9O9wroR:VnsJ39LyjbJkQFMhmC+6GD9HK

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

Processes:

._cache_be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
484	._cache_be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
2916	Synaptics.exe
2956	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

Processes:

be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exeSynaptics.exe

pid	Process
2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
2916	Synaptics.exe
2916	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exeSynaptics.exeEXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3004	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
3004	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exeSynaptics.exe

description	pid	Process	procid_target
PID 2296 wrote to memory of 484	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	30
PID 2296 wrote to memory of 484	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	30
PID 2296 wrote to memory of 484	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	30
PID 2296 wrote to memory of 484	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	30
PID 2296 wrote to memory of 2916	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	32
PID 2296 wrote to memory of 2916	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	32
PID 2296 wrote to memory of 2916	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	32
PID 2296 wrote to memory of 2916	2296	be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe	32
PID 2916 wrote to memory of 2956	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2956	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2956	2916	Synaptics.exe	33
PID 2916 wrote to memory of 2956	2916	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
"C:\Users\Admin\AppData\Local\Temp\be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\._cache_be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe"
  2⤵
  - Executes dropped EXE
  PID:484
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2956

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
821KB

MD5
513f889c3acba25660ff5fb0f22427d0

SHA1
7025a63bef0a64531ceb49c1d532773bfcd94114

SHA256
be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecf

SHA512
842629ba4fab49d00a176ac2a4a1bdf51ead040b58860d910fb0e02bad8ca8efc0514c91b7b5828adb2932f3b1c2c5702ba5732481ec5fa95156f3a5b1143da5

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qd6jDpK.xlsm

Filesize
25KB

MD5
cd3772a95a4814f76a1815fe56914eec

SHA1
7a3b54f9cba38ff80151e860be759ca7a3ad34c8

SHA256
0070f8763de21fce9edc0e9083dce59f7e51a60ff248c2dd701811aa7e6752a7

SHA512
53d72178fa7854ca10ca89bc9f5132025a25f89c74354070224bfee3c7b071a7789ed74a84cdf8fb760836018c472d03e54029db05c78cb56891a25f5faa0584

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qd6jDpK.xlsm

Filesize
23KB

MD5
755a15161213e9411b3fed977b0de644

SHA1
2b94bef4314d020acd32bea1aa1888cb70caf019

SHA256
54fd2a15698b250d98c70bb6218430ce7c747e4cd73258337b9f9dba6bc6f80e

SHA512
398da523db1f9a089cb92eb643ae2484dc10f7baedffc3caa6363e48e8ccb4de72052a87fe06f4cf3d1e9743cef4a38921f3a8959fab07d7bcdc5f9f92ffab41

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qd6jDpK.xlsm

Filesize
31KB

MD5
8f81338ca49eba4432dc560a73b8b26a

SHA1
ad7d6f60f780c638f02ab5a491bffbbab734337b

SHA256
3146a4fe1b8230eef8186f07ceb73cb747e029ca7eb5ad94ae5b0ed3716bbb66

SHA512
921d7b30b56c46163dbfe9c57e269cde084f9826150ce5c62ff8f01bfda341c38ba6f945e15b4279e2460333eebc9c19ae3f7865c40ac5e49e469b43359dd167

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qd6jDpK.xlsm

Filesize
25KB

MD5
df753e016c6735b59de0368999046151

SHA1
43682554ebe707bc4218a5ca67f0ca65f6d5df8a

SHA256
cb06cdd706b03af3aa31470a8a3839514ed277e10f9d59f023d19c5b33d75065

SHA512
c4d5985425012512fe1ae12a71b8ad1d2c9c062473a463a1904a0bec5150c3f1bed3a96b3894b0880a1a487511fd0a88799b1fe99e6747968c616a7e44f4985b

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qd6jDpK.xlsm

Filesize
26KB

MD5
2adb1895b3f42e3fcbf465bbb1e08abc

SHA1
4259f252443b4c0da37ca9e9675a2f244c3b270f

SHA256
40d88e8205acec303f7f6c7178f602384e908c1eb354bd0863c5550b6457261e

SHA512
9d179b9ceba47e0f3a60fbeb3289f232031d4a43efe02b766b03c64e7eb8fc3be6db8697d0117dfa215ccb0e73d0e4724e42e248ef371b74a79d9c87b7fda916

Download Submit
C:\Users\Admin\AppData\Local\Temp\4qd6jDpK.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\Desktop\~$TestInstall.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_be0922fff67de2e529cbdb0bee8454472c7c8961b18fe1098bd73f21475dfecfN.exe

Filesize
67KB

MD5
75cba417114e4da36613a30fc692fb23

SHA1
b06fa3146b4feb1f6465b7c6489f4fc63e79a20c

SHA256
405f451da226def25b8a6372c354a5642db81d4d9829aabaac00156d3d0dffbf

SHA512
8ed3e6e47ec7406b07f2acd7662f91b22dbd1d043174acad51937e77c10b06aa04c0e4e754e69c12435c45a0c1577df14083ba5a63e50ff16e0f634713c257d1

Download Submit
memory/484-28-0x0000000001090000-0x00000000010A4000-memory.dmp

Filesize
80KB

Download
memory/2296-24-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2296-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2916-125-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2916-126-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2916-160-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2956-36-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/3004-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3004-124-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download