xred | 2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e

Analysis

max time kernel
2s
max time network
14s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15/12/2024, 22:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

000.exe
Size

7.4MB
MD5

06c9504a38c6996916dbd515559c9564
SHA1

33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac
SHA256

2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e
SHA512

e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f
SSDEEP

12288:cMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Jt1I2rVvWHuuuvj:cnsJ39LyjbJkQFMhmC+6GD9j1dUuuu7

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	000.exe

Executes dropped EXE 1 IoCs

pid	Process
692	._cache_000.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	000.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	000.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_000.exe

Kills process with taskkill 4 IoCs

evasion

pid	Process
4320	taskkill.exe
3796	taskkill.exe
4968	taskkill.exe
4788	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	000.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4768 wrote to memory of 692	4768	000.exe	81
PID 4768 wrote to memory of 692	4768	000.exe	81
PID 4768 wrote to memory of 692	4768	000.exe	81

C:\Users\Admin\AppData\Local\Temp\000.exe
"C:\Users\Admin\AppData\Local\Temp\000.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4768
- C:\Users\Admin\AppData\Local\Temp\._cache_000.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_000.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
    3⤵
    PID:2340
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im explorer.exe
      4⤵
      Kills process with taskkill
      PID:4968
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /f /im taskmgr.exe
      4⤵
      Kills process with taskkill
      PID:4788
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' set FullName='UR NEXT'
      4⤵
      PID:2076
  - - C:\Windows\SysWOW64\Wbem\WMIC.exe
      wmic useraccount where name='Admin' rename 'UR NEXT'
      4⤵
      PID:4816
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  PID:3900
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    PID:212
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      4⤵
      PID:1944
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:4320
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:3796
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        5⤵
        
        PID:4516
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' rename 'UR NEXT'
        5⤵
        
        PID:384

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
PID:1156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
7.4MB

MD5
06c9504a38c6996916dbd515559c9564

SHA1
33e92f8c6dd8b3eab4b06ca0bb428e48b4504dac

SHA256
2fbd716ca1f19737591463a9f5776de57105fd800118375012d08fb000d2e39e

SHA512
e9259b0ebcf970db693af90a8811e706ef10187c33d662409c678034abdf5282a1bd63e1a6445c25f35a0c7714863109a17289e1919d9ad268ba72fc4f6f792f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
c71693d0b13636b503b0154ad80f15aa

SHA1
13aa49806556b3fe11c1df97e73e9b2b40d4209b

SHA256
ffe7d7bacd249bc553c2dcbcfb6c4be8307035ac6c0ca9aab8139c6a1b83f964

SHA512
3be22d6daf8e0cdc32638694962c0ef3aff74a0bffcdc64728c4639429601e475fda57cb46ae1756017d500ebc60e31e2b5f64806c7b33bf7edab8923a003e35

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_000.exe

Filesize
6.7MB

MD5
d5671758956b39e048680b6a8275e96a

SHA1
33c341130bf9c93311001a6284692c86fec200ef

SHA256
4a900b344ef765a66f98cf39ac06273d565ca0f5d19f7ea4ca183786155d4a47

SHA512
972e89ed8b7b4d75df0a05c53e71fb5c29edaa173d7289656676b9d2a1ed439be1687beddc6fb1fbf068868c3da9c3d2deb03b55e5ab5e7968858b5efc49fbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\icon.ico

Filesize
361KB

MD5
a4b9662cf3b6ea6626f6081c0d8c13f3

SHA1
946501d358e5e3b10223431e474607e0eb248796

SHA256
84a1c2713642090523f05d9fb015c537fd210d3200cadaf442bb67cf1834b356

SHA512
4e94dcf9200bfd6d685f93acaa0bd93d49bb0fe2229f3105e22b8893e0d530ad15e8dce5be6db1c1db393fcc169defc43f12e35308be30b054631487d16cbf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\one.rtf

Filesize
403B

MD5
6fbd6ce25307749d6e0a66ebbc0264e7

SHA1
faee71e2eac4c03b96aabecde91336a6510fff60

SHA256
e152b106733d9263d3cf175f0b6197880d70acb753f8bde8035a3e4865b31690

SHA512
35a0d6d91178ec10619cf4d2fd44d3e57aa0266e1779e15b1eef6e9c359c77c384e0ffe4edb2cde980a6847e53f47733e6eacb72d46762066b3541dee3d29064

Download Submit
C:\Users\Admin\AppData\Local\Temp\rniw.exe

Filesize
76KB

MD5
9232120b6ff11d48a90069b25aa30abc

SHA1
97bb45f4076083fca037eee15d001fd284e53e47

SHA256
70faa0e1498461731f873d3594f20cbf2beaa6f123a06b66f9df59a9cdf862be

SHA512
b06688a9fc0b853d2895f11e812c48d5871f2793183fda5e9638ded22fc5dc1e813f174baedc980a1f0b6a7b0a65cd61f29bb16acc6dd45da62988eb012d6877

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
memory/692-214-0x000000000C370000-0x000000000C380000-memory.dmp

Filesize
64KB

Download
memory/692-210-0x000000000C370000-0x000000000C380000-memory.dmp

Filesize
64KB

Download
memory/692-201-0x000000000C1E0000-0x000000000C1EE000-memory.dmp

Filesize
56KB

Download
memory/692-132-0x0000000005DA0000-0x0000000006344000-memory.dmp

Filesize
5.6MB

Download
memory/692-207-0x000000000C370000-0x000000000C380000-memory.dmp

Filesize
64KB

Download
memory/692-209-0x000000000C370000-0x000000000C380000-memory.dmp

Filesize
64KB

Download
memory/692-208-0x000000000C370000-0x000000000C380000-memory.dmp

Filesize
64KB

Download
memory/692-127-0x00000000007D0000-0x0000000000E7E000-memory.dmp

Filesize
6.7MB

Download
memory/692-211-0x000000000C330000-0x000000000C340000-memory.dmp

Filesize
64KB

Download
memory/692-1916-0x0000000072D5E000-0x0000000072D5F000-memory.dmp

Filesize
4KB

Download
memory/692-213-0x000000000C370000-0x000000000C380000-memory.dmp

Filesize
64KB

Download
memory/692-212-0x000000000C330000-0x000000000C340000-memory.dmp

Filesize
64KB

Download
memory/692-215-0x000000000C330000-0x000000000C340000-memory.dmp

Filesize
64KB

Download
memory/692-106-0x0000000072D5E000-0x0000000072D5F000-memory.dmp

Filesize
4KB

Download
memory/692-200-0x000000000C210000-0x000000000C248000-memory.dmp

Filesize
224KB

Download
memory/1156-525-0x00007FFC52B50000-0x00007FFC52B60000-memory.dmp

Filesize
64KB

Download
memory/1156-512-0x00007FFC54CB0000-0x00007FFC54CC0000-memory.dmp

Filesize
64KB

Download
memory/1156-514-0x00007FFC54CB0000-0x00007FFC54CC0000-memory.dmp

Filesize
64KB

Download
memory/1156-513-0x00007FFC54CB0000-0x00007FFC54CC0000-memory.dmp

Filesize
64KB

Download
memory/1156-511-0x00007FFC54CB0000-0x00007FFC54CC0000-memory.dmp

Filesize
64KB

Download
memory/1156-510-0x00007FFC54CB0000-0x00007FFC54CC0000-memory.dmp

Filesize
64KB

Download
memory/1156-526-0x00007FFC52B50000-0x00007FFC52B60000-memory.dmp

Filesize
64KB

Download
memory/3900-131-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3900-1918-0x0000000000D20000-0x0000000000D21000-memory.dmp

Filesize
4KB

Download
memory/3900-1917-0x0000000000400000-0x0000000000B6B000-memory.dmp

Filesize
7.4MB

Download
memory/4768-128-0x0000000000400000-0x0000000000B6B000-memory.dmp

Filesize
7.4MB

Download
memory/4768-0-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads