xred | ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Size

898KB
MD5

0b2b2940a699e2562878ca7a8ad04d06
SHA1

1fae35e478f84c92261e9e041c19cae2074b17eb
SHA256

ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76
SHA512

b371f871b69781c072f1c2d6d5eef1da8a93084663e01baa36dfb78e790d1dd2efa709bf9e51f60f9a7a47095e56dd309982865459430d165edb8714bd05e560
SSDEEP

12288:AMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IKnPdjDupjIa61UD:AnsJ39LyjbJkQFMhmC+6GD9PPdjCj44

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000700000001739c-105.dat

Executes dropped EXE 5 IoCs

pid	Process
2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2756	Synaptics.exe
2704	Un.exe
3028	._cache_Synaptics.exe
1920	Un.exe

Loads dropped DLL 9 IoCs

pid	Process
2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
2756	Synaptics.exe
2756	Synaptics.exe
3028	._cache_Synaptics.exe
1920	Un.exe
2704	Un.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3056	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3056	EXCEL.EXE

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2696	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	31
PID 2636 wrote to memory of 2756	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	32
PID 2636 wrote to memory of 2756	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	32
PID 2636 wrote to memory of 2756	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	32
PID 2636 wrote to memory of 2756	2636	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	32
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2696 wrote to memory of 2704	2696	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	33
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 2756 wrote to memory of 3028	2756	Synaptics.exe	34
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 3028 wrote to memory of 1920	3028	._cache_Synaptics.exe	36
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 1920 wrote to memory of 268	1920	Un.exe	39
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 2704 wrote to memory of 824	2704	Un.exe	38
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 1920 wrote to memory of 1320	1920	Un.exe	40
PID 2704 wrote to memory of 1776	2704	Un.exe	41
PID 2704 wrote to memory of 1776	2704	Un.exe	41
PID 2704 wrote to memory of 1776	2704	Un.exe	41
PID 2704 wrote to memory of 1776	2704	Un.exe	41
PID 2704 wrote to memory of 1776	2704	Un.exe	41
PID 2704 wrote to memory of 1776	2704	Un.exe	41
PID 2704 wrote to memory of 1776	2704	Un.exe	41

C:\Users\Admin\AppData\Local\Temp\ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
"C:\Users\Admin\AppData\Local\Temp\ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:824
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1776
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3028
  - - C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe" InjUpdate _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1920
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:268
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1320

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
898KB

MD5
0b2b2940a699e2562878ca7a8ad04d06

SHA1
1fae35e478f84c92261e9e041c19cae2074b17eb

SHA256
ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76

SHA512
b371f871b69781c072f1c2d6d5eef1da8a93084663e01baa36dfb78e790d1dd2efa709bf9e51f60f9a7a47095e56dd309982865459430d165edb8714bd05e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnh5ZZ2.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnh5ZZ2.xlsm

Filesize
20KB

MD5
ced10c2dceb3508c83af68030acedbbb

SHA1
2d090aa95bc61152656956b1a664371d94e6b960

SHA256
cc438888fba173ba4958922dbbe0917ada679eb2cc5dec95c86b8375bb220476

SHA512
c751c49c003a8774478a76993e94ba7fda88af24cd5ccbfd3d0b9e56c6ea770406a4a66df5cff7ce94933871a570d658908ab37dd45c478944671e27331ccf22

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnh5ZZ2.xlsm

Filesize
22KB

MD5
b463639ed34ca7122627cf821e544f08

SHA1
e0588183922beb5894d06a02386905d9325f3df8

SHA256
228f7717ca534045025038e9039e040133fa9f594eda08af93f4b1be915036c9

SHA512
55501f938463950d6f1424a17a702451994309adb742a43fe90d4c39e0ff682683b10429780935a5f0708642aa7a8ac54db16d88d28e15467efd0166175b5f9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnh5ZZ2.xlsm

Filesize
26KB

MD5
098d125cae9604b9d8eb987b64b6801b

SHA1
86d6404b0df212ac1522eb12d2c6da599162a635

SHA256
9c271283f3127373e2a43fc5153a6517b37cdd69d073dcc3b612502b5ea31c12

SHA512
ccd2e23e46e8ff6fc3aed4ec5c45cbcda38f5e98e226c77ca5d1f2858c9b81e0f9cb8fb8b304bd9e8b0f7977f6d04c49d198c0f04d7747ca086a073b8c710c82

Download Submit
C:\Users\Admin\AppData\Local\Temp\1qnh5ZZ2.xlsm

Filesize
25KB

MD5
423d1ee039a021463b58593b3b0cd373

SHA1
05efec66e0780168b6aa9f3c95175f0d9cd869b7

SHA256
cc01fc39cba9a94dbc11eb7ca4d8feac6edbf17791f17871d01e2cd62417e19f

SHA512
a6bfe8edb88481ac295b665cb5d3d69b699669e962d4b892d415854ca87fcf7a7ee6448a731e4a3577f34a4708cc3ab87e05b524154430ef67794d294ac6911a

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseECB2.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nseECB2.tmp\modern-header.bmp

Filesize
33KB

MD5
f007ed32620609ef99928c078564b2a0

SHA1
324371a33b4e1aa557ab1b863fae6b9d623d3bed

SHA256
9c7a53caac4a9ce099278ad1b2364296a3170d893bfb21dda35eb1ffc5b30fce

SHA512
88e62c77391776429eba180281a2b9df7430ac8873578a3cf9e7ebbf708d50997282eeefc2fd0f7016a9837d03a677b38534bc695958f12ac214a5736bb11272

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$1qnh5ZZ2.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe

Filesize
144KB

MD5
4ccbe25e360023421c703a858f4a377c

SHA1
ec3e91ed7ced0dc9319d7a59e25ad7384f336842

SHA256
8a5d67ad13db5cf105b99a0c90b1954fca96388fba1d7df329bcd689c79420ff

SHA512
a6ca98bee85319989f456c85db3040c8cc4b8310d60aa408ba0390d79b3adf44c4c490a36c87ec63d5780d188b4aa5a0d7f728b57b8b3f5a4851f88f5b202f6b

Download Submit
memory/2636-31-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2636-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2756-144-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/2756-189-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3056-57-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3056-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads