xred | ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03/12/2024, 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Size

898KB
MD5

0b2b2940a699e2562878ca7a8ad04d06
SHA1

1fae35e478f84c92261e9e041c19cae2074b17eb
SHA256

ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76
SHA512

b371f871b69781c072f1c2d6d5eef1da8a93084663e01baa36dfb78e790d1dd2efa709bf9e51f60f9a7a47095e56dd309982865459430d165edb8714bd05e560
SSDEEP

12288:AMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IKnPdjDupjIa61UD:AnsJ39LyjbJkQFMhmC+6GD9PPdjCj44

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 5 IoCs

pid	Process
2340	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
3044	Synaptics.exe
1656	Un.exe
836	._cache_Synaptics.exe
1064	Un.exe

Loads dropped DLL 2 IoCs

pid	Process
1064	Un.exe
1656	Un.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Un.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4112	EXCEL.EXE

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE
4112	EXCEL.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 3388 wrote to memory of 2340	3388	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	82
PID 3388 wrote to memory of 2340	3388	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	82
PID 3388 wrote to memory of 2340	3388	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	82
PID 3388 wrote to memory of 3044	3388	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	83
PID 3388 wrote to memory of 3044	3388	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	83
PID 3388 wrote to memory of 3044	3388	ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	83
PID 2340 wrote to memory of 1656	2340	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	84
PID 2340 wrote to memory of 1656	2340	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	84
PID 2340 wrote to memory of 1656	2340	._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe	84
PID 3044 wrote to memory of 836	3044	Synaptics.exe	85
PID 3044 wrote to memory of 836	3044	Synaptics.exe	85
PID 3044 wrote to memory of 836	3044	Synaptics.exe	85
PID 836 wrote to memory of 1064	836	._cache_Synaptics.exe	86
PID 836 wrote to memory of 1064	836	._cache_Synaptics.exe	86
PID 836 wrote to memory of 1064	836	._cache_Synaptics.exe	86
PID 1064 wrote to memory of 3916	1064	Un.exe	87
PID 1064 wrote to memory of 3916	1064	Un.exe	87
PID 1064 wrote to memory of 3916	1064	Un.exe	87
PID 1656 wrote to memory of 4844	1656	Un.exe	88
PID 1656 wrote to memory of 4844	1656	Un.exe	88
PID 1656 wrote to memory of 4844	1656	Un.exe	88
PID 1064 wrote to memory of 3952	1064	Un.exe	89
PID 1064 wrote to memory of 3952	1064	Un.exe	89
PID 1064 wrote to memory of 3952	1064	Un.exe	89
PID 1656 wrote to memory of 1728	1656	Un.exe	90
PID 1656 wrote to memory of 1728	1656	Un.exe	90
PID 1656 wrote to memory of 1728	1656	Un.exe	90

C:\Users\Admin\AppData\Local\Temp\ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
"C:\Users\Admin\AppData\Local\Temp\ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3388
- C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4844
  - - C:\Windows\SysWOW64\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1728
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe
      "C:\Users\Admin\AppData\Local\Temp\~nsu2.tmp\Un.exe" InjUpdate _?=C:\Users\Admin\AppData\Local\Temp\
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module32.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
    - - C:\Windows\SysWOW64\regsvr32.exe
        
        "C:\Windows\system32\regsvr32.exe" /u /s "C:\Users\Admin\AppData\Local\Temp\data\obs-plugins\win-dshow\obs-virtualcam-module64.dll"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3952

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
898KB

MD5
0b2b2940a699e2562878ca7a8ad04d06

SHA1
1fae35e478f84c92261e9e041c19cae2074b17eb

SHA256
ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76

SHA512
b371f871b69781c072f1c2d6d5eef1da8a93084663e01baa36dfb78e790d1dd2efa709bf9e51f60f9a7a47095e56dd309982865459430d165edb8714bd05e560

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_ff7d92aafde3ad32b05ded333782660acfc2e6fa53f4269965cdc58c8e936c76.exe

Filesize
144KB

MD5
4ccbe25e360023421c703a858f4a377c

SHA1
ec3e91ed7ced0dc9319d7a59e25ad7384f336842

SHA256
8a5d67ad13db5cf105b99a0c90b1954fca96388fba1d7df329bcd689c79420ff

SHA512
a6ca98bee85319989f456c85db3040c8cc4b8310d60aa408ba0390d79b3adf44c4c490a36c87ec63d5780d188b4aa5a0d7f728b57b8b3f5a4851f88f5b202f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1W7HRxLi.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\A0C75E00

Filesize
22KB

MD5
a75efd11398e53c28f1dd17e4a50400a

SHA1
e09b9f420ef60fabee593b6bbdba2cfa39b9db5f

SHA256
2532385a5d69c53859f54ebd33a3314af4af03e2e8fdc892b35cd73576f0f8ca

SHA512
53598498c8093b75495b293d0f88f07d48fc1afe283fe039dda6c937de217ed30cf630098ff6ab799dcf80888304a6882a2d5df85d6a1d84a43e15bfe165a92b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8F22.tmp\System.dll

Filesize
12KB

MD5
4add245d4ba34b04f213409bfe504c07

SHA1
ef756d6581d70e87d58cc4982e3f4d18e0ea5b09

SHA256
9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706

SHA512
1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi8F22.tmp\modern-header.bmp

Filesize
33KB

MD5
f007ed32620609ef99928c078564b2a0

SHA1
324371a33b4e1aa557ab1b863fae6b9d623d3bed

SHA256
9c7a53caac4a9ce099278ad1b2364296a3170d893bfb21dda35eb1ffc5b30fce

SHA512
88e62c77391776429eba180281a2b9df7430ac8873578a3cf9e7ebbf708d50997282eeefc2fd0f7016a9837d03a677b38534bc695958f12ac214a5736bb11272

Download Submit
memory/3044-213-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3044-308-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3044-277-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3388-128-0x0000000000400000-0x00000000004E6000-memory.dmp

Filesize
920KB

Download
memory/3388-0-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/4112-225-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

Filesize
64KB

Download
memory/4112-229-0x00007FF97C170000-0x00007FF97C180000-memory.dmp

Filesize
64KB

Download
memory/4112-230-0x00007FF97C170000-0x00007FF97C180000-memory.dmp

Filesize
64KB

Download
memory/4112-228-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

Filesize
64KB

Download
memory/4112-227-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

Filesize
64KB

Download
memory/4112-226-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

Filesize
64KB

Download
memory/4112-224-0x00007FF97E690000-0x00007FF97E6A0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads