xred | b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
06-12-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe
Size

753KB
MD5

45011233f584317d3450a81d260c2a15
SHA1

ae512c745c512cb52112e6369741a14584a1fd95
SHA256

b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408
SHA512

39e6b275060bebdccd1c1bfef8f1d62a90839a260bb45355a999a38de28d4a6133a7f02585b07f866afa92d6c6a03b4c66f101e11050f7d3b05f9f2cd40af75e
SSDEEP

12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Izr:ansJ39LyjbJkQFMhmC+6GD9I

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 1 IoCs

pid	Process
2004	Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
2604	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe
2604	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2896	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2896	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2004	2604	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe	30
PID 2604 wrote to memory of 2004	2604	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe	30
PID 2604 wrote to memory of 2004	2604	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe	30
PID 2604 wrote to memory of 2004	2604	b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe	30

C:\Users\Admin\AppData\Local\Temp\b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe
"C:\Users\Admin\AppData\Local\Temp\b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
45011233f584317d3450a81d260c2a15

SHA1
ae512c745c512cb52112e6369741a14584a1fd95

SHA256
b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408

SHA512
39e6b275060bebdccd1c1bfef8f1d62a90839a260bb45355a999a38de28d4a6133a7f02585b07f866afa92d6c6a03b4c66f101e11050f7d3b05f9f2cd40af75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
22KB

MD5
a0c6a6e1de0c9b7c5fb7f2cb581939d9

SHA1
1313c00fef45f3399ff712c60886806533e4c29b

SHA256
efd39075c65745b0b350d399d3f458cb1adff94389a18920ad38417e4dc4439e

SHA512
58f974e6ef41c13d486800ef18c2473df3346965d68052fb7658d09f6e611cdb277322e87d9102bd7dff36addee9ce086de5fa4e71e4119ab07f1a126dee44b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
21KB

MD5
d7f3521245d650d115e5919916aa4eb1

SHA1
d3cab083d014795c2d17b07b2642ebb04cd90b1f

SHA256
4263be8a674709a40369de06e64773e621bbc3cdeefec0eb4c6605edb59230a6

SHA512
fbe06479860b13587247c37d92b34e2e1c00eda0934453a3e7a976137345fea89fdf9560cefafe65c5dbc98ae4a9a95ab7cab399b8076b7e8f58892e8d9cfa8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
22KB

MD5
81b3e434db8344044eb3424b17d7d09b

SHA1
581275be8faf1fa69cc32e7ce03df8d75109c9dd

SHA256
f6fde25c3b144b505f73217dccd6f799db29f07b2148798e040290596220470c

SHA512
e7a366c65d0d7cfc92a9d2512d6502884af940721661806c31c0251854924ee235753462fa6cd77aab65002ede0d1c42d8ba0f697118df589e65ec896a0d7bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
23KB

MD5
a9efc2970083f2033b61d11e9e5e68df

SHA1
dc292209246b79aa64f8879ed104e2945d65e025

SHA256
e11541e8eeb04e5470bf0e83aac1c512e0824f4fe3a59ebb21b1c2ec3ca1863e

SHA512
3532d5e7cf68280c60551bb5641da113cb3e15978a13066c49364c65c3e05957f12f532f5d3a7237b6d115e7ab57db9cd7184840bdd968cb07c61f1b29897bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
24KB

MD5
2984743f2c12e873d7aab1a59203b502

SHA1
174941a80378aa759609c67927f5a32116402a46

SHA256
34fbeed36b132f377fcce28c943c0b08851960ed9e498fde0e1f6e4f290be8e5

SHA512
32ea179600cb69fb3a012a068a164d28e5943b790ac159ba345a44dacef727ed77cb7cc8f4d6999869b89b2893b6991da2a7520571f9bc9759c7f54ea5d8f14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\2vuJbL6c.xlsm

Filesize
25KB

MD5
630de5b637e5bc834b67321045550fee

SHA1
02f8f9e7936af99bb50e04542061e6e1c51a8ecd

SHA256
dcc4d1f2f6708df6644212622ca6c0a5238db803324a9c5ac530cf905139fa3c

SHA512
5b883b299d763b79dc8d0efe0bb07b02f0fc6b05d7272acb815ca85d8c75040770dcfdc658ec164f6194fd97f8509d7e9c8f6212a3e2e5626cc156def2ab782b

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2004-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-117-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2004-116-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2004-118-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2004-149-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2604-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2604-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2896-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2896-115-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads