xred | 2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e | Triage

Sharing

General

Target

000.exe
Size

7.4MB
Sample

241215-2ylf1asrdk
MD5

06c9504a38c6996916dbd515559c9564
SHA1

33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac
SHA256

2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e
SHA512

e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f
SSDEEP

12288:cMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Jt1I2rVvWHuuuvj:cnsJ39LyjbJkQFMhmC+6GD9j1dUuuu7

Score

10^/10

xred backdoor discovery evasion persistence ransomware

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Targets

- Target
  
  000.exe
- Size
  
  7.4MB
- MD5
  
  06c9504a38c6996916dbd515559c9564
- SHA1
  
  33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac
- SHA256
  
  2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e
- SHA512
  
  e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f
- SSDEEP
  
  12288:cMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Jt1I2rVvWHuuuvj:cnsJ39LyjbJkQFMhmC+6GD9j1dUuuu7
Score

10^/10

xred backdoor discovery evasion persistence ransomware
- Xred
  Xred is backdoor written in Delphi.
  backdoor xred
- Xred family
  xred
- Disables Task Manager via registry modification
  evasion
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Enumerates connected drives
  Attempts to read the root path of hard drives other than the default C: drive.
- Modifies WinLogon
  persistence
- Sets desktop wallpaper using registry
  ransomware
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Winlogon Helper DLL

Defense Evasion

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

Tasks

static1

behavioral1

xredbackdoordiscoveryevasionpersistenceransomware

behavioral2

xredbackdoordiscoverypersistence