xred | 6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8a

Analysis

max time kernel
117s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
15-12-2024 23:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
Size

759KB
MD5

f557ab3a26b6d826d047fa5cf4c4e880
SHA1

86788cb72de2465133abe85adec971e2f907c224
SHA256

6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8a
SHA512

3e22465a724303895522ba73c0639ab2607b277c0a4d0c2303028efc808a28da661cffcccfc7c497ecff6848c6789528b73aad41f17430fe813148ccf1ddb14a
SSDEEP

12288:SMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Ynj:SnsJ39LyjbJkQFMhmC+6GD9U

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 6 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000b0000000174a6-131.dat
behavioral1/files/0x000c000000016d47-120.dat
behavioral1/files/0x00090000000174a6-109.dat
behavioral1/files/0x000a000000016d47-96.dat
behavioral1/files/0x00070000000174a6-85.dat
behavioral1/files/0x0008000000016d47-72.dat

Executes dropped EXE 3 IoCs

pid	Process
2848	._cache_6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
2244	Synaptics.exe
2684	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
2244	Synaptics.exe
2244	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2612	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2612	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2848	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	31
PID 2260 wrote to memory of 2848	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	31
PID 2260 wrote to memory of 2848	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	31
PID 2260 wrote to memory of 2848	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	31
PID 2260 wrote to memory of 2244	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	33
PID 2260 wrote to memory of 2244	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	33
PID 2260 wrote to memory of 2244	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	33
PID 2260 wrote to memory of 2244	2260	6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe	33
PID 2244 wrote to memory of 2684	2244	Synaptics.exe	34
PID 2244 wrote to memory of 2684	2244	Synaptics.exe	34
PID 2244 wrote to memory of 2684	2244	Synaptics.exe	34
PID 2244 wrote to memory of 2684	2244	Synaptics.exe	34

C:\Users\Admin\AppData\Local\Temp\6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
"C:\Users\Admin\AppData\Local\Temp\6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Users\Admin\AppData\Local\Temp\._cache_6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8aN.exe"
  2⤵
  - Executes dropped EXE
  PID:2848
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2684

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe

Filesize
5KB

MD5
010dbd61df11615dd70b2ef41542a789

SHA1
2d544016902cd2547d8a4085196f761da0ccff88

SHA256
d99d36821ba2871ffac569442bbcfcfabde87d986ec046668ca7dd198b908f0f

SHA512
6aa422b4812108c61dd6b0e3c2cf85ead0ee545f6dbedc07e9d0a4c1c72ea1b5dd20f51d96803c48887fd7dd505b8bcdd67f18e2df723e5823f8b42f510d5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
27KB

MD5
16ea5557422346c5a0b4d2c387d951e0

SHA1
428dea40ef07cb88d326f14f4ce83b637ee6ff17

SHA256
ecf0f6ff28ac4f3390da711d9c9ca20e23d9cefa6848d53e1a4ddd098e3bc7fb

SHA512
81ceab117b17af88d657dc2114ce6b1d2a157de98340bcdc7a81cabed2b370105d1929b8d6b210fb3b7f19fd2ccebb3c985e707ebd2668f5143e4e901e97173e

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
20KB

MD5
2b0fdcce23279563687db7f5d68b2b71

SHA1
9852a488ee8802d54f5d859933c4c208389db722

SHA256
9f82847b195d501293e6312967442e6598e1499e346d45b623d5330fc745050f

SHA512
2498ed7d94cc69b59e250dc8cc76a67db18e02b57a9718c19e2584914ef7eac4cec0dd92870dd5198aafc61c7e063c4442654294696a17976eb891e2c2b68e08

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
26KB

MD5
692331761faecff7f5ab40846f256b34

SHA1
74ecf0d08edf57156d6e0633b9a76c74c89fc7de

SHA256
d50467ea456071236e30993cfb77dc33ba62b9818e7450908891184ae0932868

SHA512
1423ef2bbef6d3371588e7df8760ea0fbdb64350494d8b63eb6a042916536d02745cfa6be7b62694be09f52956055a4f92d090f5430495cc89b8985f8a5516ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
25KB

MD5
b2e89ec41f4422f213f4eb6c114a1039

SHA1
f8ad81587a3442fb54fa58333e89004f52801e3a

SHA256
d73f2f2a90a58297971d36d3cde76095b20e7391033535683a4a3248e3a55d0c

SHA512
ed11c6b6e20abe9976af4b977476c32a8e647daf1a5879b78c1632be1acf4c8029de76eebb911a6ec87e58aa5e8c00b714013f12c23a5723c6d8e64d07d6f73c

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
23KB

MD5
580f3d54d5c6b39619939ed581d281dc

SHA1
e31dd05512b10b5e3f976d7f5ba91bdaf5b1bd57

SHA256
003d5c1024db71a5846c8d5faacc20e8c38deaea037311262fa4db5d7896fd31

SHA512
3a563897ed7a3e4e816c907a5f40f74a2a5ed07de5bc70ce0c0ae6b14d878a8e626e4ca0b4d32ffc3fbef7e649c35eec7c3984bd942a0254ad57437963d8c9d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\FXR7xELY.xlsm

Filesize
22KB

MD5
5899d4bc2dd59bfc0e8eac9c2eb31874

SHA1
a3d4bb9e06a5f7d1dc7d07b99ba76b1ff07c915b

SHA256
3574f676cbd2423302028909042fe571ba818f8a5778881e56276c7910c378dc

SHA512
f46ce4cafeb97287ecb495de7dd9d31d81f2ff0d289319498eb3f8c59a0c4aa4c95ee569fb95e5b795e535709f75f822447de93fbb7764afe05a1324ac527d47

Download Submit
C:\Users\Admin\Desktop\~$SaveRegister.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\ProgramData\Synaptics\Synaptics.exe

Filesize
759KB

MD5
f557ab3a26b6d826d047fa5cf4c4e880

SHA1
86788cb72de2465133abe85adec971e2f907c224

SHA256
6e10470217032b91d360dc42aa358d96fbf4e225b08e67fcc47eb48de2d9cf8a

SHA512
3e22465a724303895522ba73c0639ab2607b277c0a4d0c2303028efc808a28da661cffcccfc7c497ecff6848c6789528b73aad41f17430fe813148ccf1ddb14a

Download Submit
memory/2244-136-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2244-171-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2260-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2260-0-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2612-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2612-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2684-36-0x0000000000B90000-0x0000000000B98000-memory.dmp

Filesize
32KB

Download
memory/2848-28-0x00000000008E0000-0x00000000008E8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads