xred | 896f987e0f403251ca9e03c239313ba386532ef4e4331c783753a61513dda630

Analysis

max time kernel
141s
max time network
150s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
08-12-2024 18:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Temp Free.exe
Size

1000KB
MD5

cc5f51201874052f462618399a629d74
SHA1

8ad3924bc4311e1ae4f94036c0febf90bd33d91d
SHA256

896f987e0f403251ca9e03c239313ba386532ef4e4331c783753a61513dda630
SHA512

ca4e3579e7072e6baf140c2e2e7729a271d35d812e918d8d2807d5e2f5dfd60e10aa96f9fe2238af06b50f412c277a727889e380b3961643a27d22f23645df73
SSDEEP

12288:TMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V98j2W7tQJ6f+R5hj:TnsJ39LyjbJkQFMhmC+6GD9Mf+7J

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 4 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000018739-95.dat
behavioral1/files/0x000a000000016d9f-107.dat
behavioral1/files/0x0009000000018739-119.dat
behavioral1/files/0x000b000000018739-143.dat

Executes dropped EXE 3 IoCs

pid	Process
2440	._cache_Temp Free.exe
2852	Synaptics.exe
2844	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
1720	Temp Free.exe
1720	Temp Free.exe
1720	Temp Free.exe
2852	Synaptics.exe
2852	Synaptics.exe
840	WerFault.exe
1768	WerFault.exe
840	WerFault.exe
1768	WerFault.exe
840	WerFault.exe
1768	WerFault.exe
1768	WerFault.exe
840	WerFault.exe
1768	WerFault.exe
840	WerFault.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Temp Free.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1768	2844	WerFault.exe	32
840	2440	WerFault.exe	30

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Temp Free.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Temp Free.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2988	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2988	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2440	1720	Temp Free.exe	30
PID 1720 wrote to memory of 2440	1720	Temp Free.exe	30
PID 1720 wrote to memory of 2440	1720	Temp Free.exe	30
PID 1720 wrote to memory of 2440	1720	Temp Free.exe	30
PID 1720 wrote to memory of 2852	1720	Temp Free.exe	31
PID 1720 wrote to memory of 2852	1720	Temp Free.exe	31
PID 1720 wrote to memory of 2852	1720	Temp Free.exe	31
PID 1720 wrote to memory of 2852	1720	Temp Free.exe	31
PID 2852 wrote to memory of 2844	2852	Synaptics.exe	32
PID 2852 wrote to memory of 2844	2852	Synaptics.exe	32
PID 2852 wrote to memory of 2844	2852	Synaptics.exe	32
PID 2852 wrote to memory of 2844	2852	Synaptics.exe	32
PID 2844 wrote to memory of 1768	2844	._cache_Synaptics.exe	34
PID 2844 wrote to memory of 1768	2844	._cache_Synaptics.exe	34
PID 2844 wrote to memory of 1768	2844	._cache_Synaptics.exe	34
PID 2844 wrote to memory of 1768	2844	._cache_Synaptics.exe	34
PID 2440 wrote to memory of 840	2440	._cache_Temp Free.exe	35
PID 2440 wrote to memory of 840	2440	._cache_Temp Free.exe	35
PID 2440 wrote to memory of 840	2440	._cache_Temp Free.exe	35
PID 2440 wrote to memory of 840	2440	._cache_Temp Free.exe	35

C:\Users\Admin\AppData\Local\Temp\Temp Free.exe
"C:\Users\Admin\AppData\Local\Temp\Temp Free.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Users\Admin\AppData\Local\Temp\._cache_Temp Free.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_Temp Free.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2440 -s 624
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:840
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2844 -s 624
      4⤵
      Loads dropped DLL
      Program crash
      PID:1768

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1000KB

MD5
cc5f51201874052f462618399a629d74

SHA1
8ad3924bc4311e1ae4f94036c0febf90bd33d91d

SHA256
896f987e0f403251ca9e03c239313ba386532ef4e4331c783753a61513dda630

SHA512
ca4e3579e7072e6baf140c2e2e7729a271d35d812e918d8d2807d5e2f5dfd60e10aa96f9fe2238af06b50f412c277a727889e380b3961643a27d22f23645df73

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
22KB

MD5
aca57003d260728e5eaac76a03b6907e

SHA1
215e0cb22041f55db750d0a9a1c616278e63084c

SHA256
bdd04e0ed924088c24be3e2699d952587fbedd5d793276f46f09461cc7423d6e

SHA512
7c9eb0277a394f55e54519e6ca0634b373a22720b13358240017ce45a80f46a0cef4360204bc6c72c1fb67656d5339acd17d318db8c89b5d22dcf32677d99b13

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
22KB

MD5
d865b1b01f8278f8e1d465da23ea5ee5

SHA1
c274cb6417d5325cdabb867a15ec525ceef9ebf1

SHA256
92ec3bf84d87ad7598ba19c20ff9e488b5582b43103caf2f0151a392a0e68313

SHA512
810fbd4f83d38eb77125f136b77fb1b2f5b772334ec390e02f13ca012a8332ef3bca8546bae4228a01819756cea59d991d270984d64e656bf97b039d5fa9115d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
21KB

MD5
9867196009d75aef79a74f5238218260

SHA1
5864b225d761373c13c651f316c0ca4ff862c363

SHA256
2d03658d77aac296a8aea272dfd3cc7ad564ef4d27fab65ec96dd8efe774ab26

SHA512
00b1d068d03057702a20a63b67e539ffe4b0b19fb3d8a83bea7e7c56a465864670700bf68dee1c3c29bfc65a103c91c2bcc12482f08589d4a89834c2834c53c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
24KB

MD5
231208aab46f9426159c83edfc0fe972

SHA1
9397baf054014f6ec64defd09395a2ed21b01db0

SHA256
bd6276c3f206b693f84a004c365b39139a8954fc1b108fce03b4b93a33d725bb

SHA512
552bc9e862a08f1104635b169a71fb2bebdde29aadaec2d9d67fa722fac7b568e5d5c72155f681bd9ac570b18c797b632d5da77ebcf568057f2df51d55d68098

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
23KB

MD5
23c43c3fe1c509e45b74ad6f0dbd1353

SHA1
8488179a2ba94cd388ffab2d9c7b0028c3ba6eeb

SHA256
7ec141c1dd1211a6c17f70aab96abfb7cb23a8cf1e969a3537db807fee7183b9

SHA512
fe7590341c46587871f8477069b4929b11e3de726e3a3c5a20edbf96f2ba51e115620c8fa0f7db5305dbf59ae223f7e8843f30affcfc50076266156330ec9af9

Download Submit
C:\Users\Admin\AppData\Local\Temp\aTii553M.xlsm

Filesize
25KB

MD5
544387e9c148dbb986ea17c5f8d0ec23

SHA1
11e821b52e9de8965911b24dc007cfc917bcf90d

SHA256
7dfbdf1e3465f3878cf73be1d79a44165205877129bf14ed8ef52a4985ec6f2d

SHA512
f280b5b26292bc0a00b761b718b35d41fca994ac1c23997f7756f4c01a3b07fed1b21d4a4725d47e62bda28aae75d9c7dfd4f709589de023458622067ebccab0

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_Temp Free.exe

Filesize
246KB

MD5
8818bfbb6f733193f987724a4f0efbd6

SHA1
3f2efc98effc616e99ae733cadf64262bf8e93ed

SHA256
0bb4187f97b57c10dba81e80040ff237f4af881dc8061af3c6af2a31ebd43ba2

SHA512
f7c6cdf9b9fac21fa7e5e8b9ff810172125f08f96719c49927ff143515442f0f7112bcdeb070cd5ea507ae8d59fcf54566acc4b9025f583166121ef996d879c6

Download Submit
memory/1720-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1720-26-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2440-29-0x00000000011E0000-0x0000000001224000-memory.dmp

Filesize
272KB

Download
memory/2844-38-0x00000000011C0000-0x0000000001204000-memory.dmp

Filesize
272KB

Download
memory/2852-148-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2852-149-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2852-181-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/2988-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2988-147-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads