xred | 5826c49ee8093a997df75d2bcc05f8996e11a66fd9e4f6d3c65afa39feddeeab

Analysis

max time kernel
293s
max time network
255s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-12-2024 17:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
Size

4.6MB
MD5

24256ed6083f31556ddc5a1ba5be2f75
SHA1

128285a982842b79c09544fb0fc87aa3955f1021
SHA256

00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd
SHA512

0a93fdbe51600db8ec4a609eb5a7847dce086fc0661b23c20848cc9d5c71efcb2c843749fa6c5243ec4cea3ffe07d3d4f411c559c647cdb58d2e9b80f98a4499
SSDEEP

98304:Jnsmtk2aBPP/vhTxl71QVKwnYfmIINv8wO+S:VLwHxxl71QVKwnYuhNvfO+S

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2392	._cache_00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
2796	Synaptics.exe
2264	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
2796	Synaptics.exe
2796	Synaptics.exe
2796	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1100	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2264	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1100	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2084 wrote to memory of 2392	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	30
PID 2084 wrote to memory of 2392	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	30
PID 2084 wrote to memory of 2392	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	30
PID 2084 wrote to memory of 2392	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	30
PID 2084 wrote to memory of 2796	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	31
PID 2084 wrote to memory of 2796	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	31
PID 2084 wrote to memory of 2796	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	31
PID 2084 wrote to memory of 2796	2084	00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe	31
PID 2796 wrote to memory of 2264	2796	Synaptics.exe	32
PID 2796 wrote to memory of 2264	2796	Synaptics.exe	32
PID 2796 wrote to memory of 2264	2796	Synaptics.exe	32
PID 2796 wrote to memory of 2264	2796	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
"C:\Users\Admin\AppData\Local\Temp\00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Users\Admin\AppData\Local\Temp\._cache_00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2264

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
24256ed6083f31556ddc5a1ba5be2f75

SHA1
128285a982842b79c09544fb0fc87aa3955f1021

SHA256
00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd

SHA512
0a93fdbe51600db8ec4a609eb5a7847dce086fc0661b23c20848cc9d5c71efcb2c843749fa6c5243ec4cea3ffe07d3d4f411c559c647cdb58d2e9b80f98a4499

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeB1qOvF.xlsm

Filesize
21KB

MD5
c4ed4b970eacb7cd37ff4d95ba03dcbd

SHA1
ece61e7cd24403a6fa70f58a65155232205f8153

SHA256
4a9064b1f5791e88c7891c2a210d67f722aba590e5ef646f80c49ee6188679c9

SHA512
1c61b1015fe7274c95a6930ebb29a8a47ba2fc5e231671224b1f1f2cfde421dfda1e01ebcc80878ac16e16fc6664c3dec549c852808542771ea807acfe68a9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeB1qOvF.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeB1qOvF.xlsm

Filesize
25KB

MD5
f62b6b60ef5d2f31b0493a326d22c11d

SHA1
774f2afd71957199ae70c3787f30626693e365ac

SHA256
f080d0d9739dbb364221402daeb67f593c911ec9e1cbcf00812dd58099b949af

SHA512
0f96efe271beb201618852a941bc9083d08ee2655d5983fdfb733e114a378a87cd11d90689e2a46eb6d31aeb2768cb76844af195dcf02c6cd9f317e4ab2fd6e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeB1qOvF.xlsm

Filesize
23KB

MD5
640465b1b12a64a346bde82f0dd69bd6

SHA1
ba69548e44786a65fdeedff6186226c885db5821

SHA256
312a10f8879947a1fe04cf7b27dedf4c339f6ca8bfbc2fe345ae950d7594d334

SHA512
1831112b1d71e3297d18e5c6d5c4aeb7634674b57a761858c4e3103d175fdd457dee394f56cbb7b79afefe4477f7d41adf6650ab5183e81c26ac9996fdad0db2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeB1qOvF.xlsm

Filesize
21KB

MD5
b7be2af46dd0e2ec8bef9007ae0a6b12

SHA1
21d270c4ce69c6e094e1ac3e06e091e9d194f812

SHA256
ccb40b931c2dc0904f53ca384e9791dad34cb3146c84386a200053fa81f6b795

SHA512
2446866295c6eb02d943d91e40bde52c2389f76597e43f3f74b7014db10cd4153f3e0c3e07e8aa0139ff92d11cf5f1ad28c0a8ad0afea60e270c38ae4311e4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZeB1qOvF.xlsm

Filesize
26KB

MD5
784bd6f0e2ad2821b9d0d88a300282dd

SHA1
e7b4cdf5a36133c2483b46501df63fe7f3561f7d

SHA256
de4d86380e38d4b2976ef4905a65d4435ef7173d3dd04d1633858ffcaa9bcdf8

SHA512
c4c46ea8220dac5cb1e4080bea016b586d50254b7cd323af21d2f23df6a5529b0c01dfc3ae92885710a41a4b2623bb26e5b38b36a7ed54423f558861f5d8f5d3

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_00029a8f1d571f6bbc96cc5c648e781f8ef550d26ceb899fe19e6b0733bab1fd.exe

Filesize
3.8MB

MD5
4f9c858b581fd025d901e3707c7cd375

SHA1
83ea6882708c9d3f20dd86b7c65855abf7a96571

SHA256
b64b1d63adf65292f3ec449b0b0e02739956d57d2a3fdfe582685cb71887fa22

SHA512
581c6ebe5b2ded1f8374000cf14bdb44d6e6383075cba22e6d89964316c8490c8eae112cd7b6a99a932adbdc7151faca55f5f4625f4c2d61e8b1ee0f8eca4b2f

Download Submit
memory/1100-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1100-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2084-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2084-29-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2264-139-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-181-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-207-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-205-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-136-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-202-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-199-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-196-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-45-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-142-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-193-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-149-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-152-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2264-190-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-140-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-137-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-185-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-188-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-206-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-146-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-43-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-197-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-203-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-200-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2392-182-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/2796-138-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2796-135-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2796-180-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download
memory/2796-44-0x0000000000400000-0x0000000000898000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads