xred | 447c72c5138078fc11668200f09edaff028ceb40097e409b3ff49125fcc79c9a

Analysis

max time kernel
39s
max time network
34s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-12-2024 22:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MSRX.7z
Size

591KB
MD5

63b8469f969f26dba70a4017c8efa341
SHA1

fb1f0f0bae8f5c2a67ff0d650a192058dd006de0
SHA256

447c72c5138078fc11668200f09edaff028ceb40097e409b3ff49125fcc79c9a
SHA512

ddff04f1c17e6b3a53b2b1f8b9085cb1e5548f9501017123bfd3bc450789265efa9c43f9d9c4cd825ba80a7e085a2f6ac98009ca8f3ac17b1b066a88d50f2972
SSDEEP

12288:vlWrgFvUlZTm25tRGIxNDZCvcYqAZ+IJuxWKxo9sZBsv0r1/85Q:dWreYTj5tRGIRCvcEZ+s+9Z6cr98q

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
behavioral1/files/0x0009000000019629-147.dat

Executes dropped EXE 4 IoCs

Processes:

MSRX.exe._cache_MSRX.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2668	MSRX.exe
2560	._cache_MSRX.exe
2536	Synaptics.exe
2548	._cache_Synaptics.exe

Loads dropped DLL 9 IoCs

Processes:

MSRX.exeSynaptics.exe

pid	Process
2668	MSRX.exe
2668	MSRX.exe
2668	MSRX.exe
2668	MSRX.exe
2668	MSRX.exe
2536	Synaptics.exe
2536	Synaptics.exe
2536	Synaptics.exe
2536	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

MSRX.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	MSRX.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

MSRX.exe._cache_MSRX.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSRX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_MSRX.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1412	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

7zFM.exe._cache_Synaptics.exe

pid	Process
3048	7zFM.exe
2548	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

7zFM.exe

description	pid	Process
Token: SeRestorePrivilege	3048	7zFM.exe
Token: 35	3048	7zFM.exe
Token: SeSecurityPrivilege	3048	7zFM.exe
Token: SeSecurityPrivilege	3048	7zFM.exe
Token: SeSecurityPrivilege	3048	7zFM.exe
Token: SeSecurityPrivilege	3048	7zFM.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

7zFM.exe

pid	Process
3048	7zFM.exe
3048	7zFM.exe
3048	7zFM.exe
3048	7zFM.exe
3048	7zFM.exe
3048	7zFM.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
1412	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSRX.exeSynaptics.exe

description	pid	Process	procid_target
PID 2668 wrote to memory of 2560	2668	MSRX.exe	33
PID 2668 wrote to memory of 2560	2668	MSRX.exe	33
PID 2668 wrote to memory of 2560	2668	MSRX.exe	33
PID 2668 wrote to memory of 2560	2668	MSRX.exe	33
PID 2668 wrote to memory of 2536	2668	MSRX.exe	34
PID 2668 wrote to memory of 2536	2668	MSRX.exe	34
PID 2668 wrote to memory of 2536	2668	MSRX.exe	34
PID 2668 wrote to memory of 2536	2668	MSRX.exe	34
PID 2536 wrote to memory of 2548	2536	Synaptics.exe	35
PID 2536 wrote to memory of 2548	2536	Synaptics.exe	35
PID 2536 wrote to memory of 2548	2536	Synaptics.exe	35
PID 2536 wrote to memory of 2548	2536	Synaptics.exe	35

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\MSRX.7z"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3048

C:\Users\Admin\Desktop\MSRX.exe
"C:\Users\Admin\Desktop\MSRX.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\Desktop\._cache_MSRX.exe
  "C:\Users\Admin\Desktop\._cache_MSRX.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2560
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Users\Admin\Desktop\._cache_Synaptics.exe
    "C:\Users\Admin\Desktop\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2548

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\UruyJWyi.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\UruyJWyi.xlsm

Filesize
23KB

MD5
557bbfd632cfc7b29bd1a61798160209

SHA1
03ac7c08f026ffacddba76e704677926c75c5670

SHA256
a9e651f4fe77a8fba8155dfc78cc56bc38b8ea2d752bc26ee20b9744d4ed12a5

SHA512
7d60c6f5a7d3ff58f997a438914bbc5a02e8b9481552b7e5c3eb79a6f9eac4e3f70a7e8588ca1dc558987f127b4c8e11d1bb6d346a2b6c0fae7f57c5b17ac686

Download Submit
C:\Users\Admin\AppData\Local\Temp\UruyJWyi.xlsm

Filesize
24KB

MD5
66a8d0cc9fdeb40f75b2b8f8d1f1ffcc

SHA1
771c859024635f8558e927eb1df63a36a358a8fc

SHA256
1c138f29c2cedafb30efd9594b9a13f69f83822d4d838ec650196f7c2ccb5b54

SHA512
6931bc3de357b1267eb97de1c7214c4a62e6509afe0974bdd9c55dd5c931e16e9f8f8ed3b301ace14423cb5da98402172e7a024347e4376418e0afb649e348bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\UruyJWyi.xlsm

Filesize
27KB

MD5
0cce6da120027de228ff4ae223b58410

SHA1
e0ff88a5a869e7ba7884bb41a48939daaedac622

SHA256
924d45e57cbfdfe7a9bb7df03899c0305b9c620b9f7ac03ad622127a90b689d1

SHA512
02c13b5dffa62502ba4cfa38ec6efc15c0b1f55d32a4629b68d7c3d0e392a05cdf9be58e117926ed1f08cb0bd3100fb906c993d83a5b4e39dffbf851c0920159

Download Submit
C:\Users\Admin\AppData\Local\Temp\UruyJWyi.xlsm

Filesize
25KB

MD5
72e54b95a3cc983e5f377381a0e0250f

SHA1
9d47519b0031904e474a528c66e7bb7b06ae1ddb

SHA256
9b2c81990cbf2d5964660051077ae4c934b679e34d4bf8ad5cebd31a8a3da589

SHA512
abf374159ab92225ac5e57bc131185be3f5d6855374d823b3f6fcead98299ab3a150d62b45108bffa6ba738e3c503a468da6b2dc0cd41b20e232fd0d39cdd88b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UruyJWyi.xlsm

Filesize
28KB

MD5
61299f09a0ebf66d31f42da862f0ac5a

SHA1
47a5bfdfed296d683b8dd4c129a2818371395f09

SHA256
a054470f68c7b13629e46a74823735116e43e8530af7526633784e08af582fa7

SHA512
df9099d4ff46b82202890af8b7a2ea9d78e85c7dac10be52eb858824517b3df6eaf20a67cad475e5a6d0c585400ad416e69840108d0c5b5d750257e1c06af6e1

Download Submit
C:\Users\Admin\Desktop\MSRX.exe

Filesize
1.8MB

MD5
8eed22631ca6a1573f8bd6443abf9a63

SHA1
1dd9578345f9e5fd9837ffeb5792d64e5b5dc2f3

SHA256
01eaf6db3eff96a405c630ead532557d77d1f22383cf3521eb61cc041d432b9a

SHA512
f09acb725d9ae0ea2309e70c04dc626157fb2997ca901ebb0ec9768657fca1b521c1d4481f5873b3077b44580853bf53d5523a43904205f88c4533a134c396a2

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\Desktop\._cache_MSRX.exe

Filesize
1.1MB

MD5
2fae6ed57fbf6f219991ad8d88fe463a

SHA1
e10ae98dc13030fd3240e0302ff56bb533e1d4db

SHA256
abea4265eacba8836e30e853543025bbca1496ab8002a4ecaa6430fe3e10d9cc

SHA512
20cd9cfbc3ae868ac54db8d05e32fe527f56704ab06f00cc597c974ae17e1412b71c1d6a50b94b1107fbbf4615841a926ee2369a8b9a69bbb4b50c4c7e71427c

Download Submit
memory/1412-64-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2536-156-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2536-159-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download
memory/2548-157-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2560-155-0x0000000000400000-0x0000000000529000-memory.dmp

Filesize
1.2MB

Download
memory/2668-50-0x0000000000400000-0x00000000005DF000-memory.dmp

Filesize
1.9MB

Download