xred | 980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9db

Analysis

max time kernel
111s
max time network
107s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 02:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
Size

9.5MB
MD5

f28012e70bf98f0cb3d24fd82a44be80
SHA1

9b480ac32ed01463ff4b10cffed0049b645b488b
SHA256

980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9db
SHA512

7f00637ffbe47093897e75813bb23d69306620f4b6b2be4a5941fc0d7e17ca039bcc12419c380d9c999b05594516e0c2110f345e6b7a77ceaf27bccc57d02271
SSDEEP

196608:cLwIkJ4io4EM+8muhUgeyeclXYGZKHEyUjGC+wmTkK6MYdd:cIfo4EMPmuhUceclXYaAEy2MwmTkvMYT

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2804	._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
2868	Synaptics.exe
2628	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
2868	Synaptics.exe
2868	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe

Enumerates system info in registry 2 TTPs 7 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2804	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	30
PID 1840 wrote to memory of 2804	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	30
PID 1840 wrote to memory of 2804	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	30
PID 1840 wrote to memory of 2804	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	30
PID 1840 wrote to memory of 2868	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	31
PID 1840 wrote to memory of 2868	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	31
PID 1840 wrote to memory of 2868	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	31
PID 1840 wrote to memory of 2868	1840	980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe	31
PID 2868 wrote to memory of 2628	2868	Synaptics.exe	32
PID 2868 wrote to memory of 2628	2868	Synaptics.exe	32
PID 2868 wrote to memory of 2628	2868	Synaptics.exe	32
PID 2868 wrote to memory of 2628	2868	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
"C:\Users\Admin\AppData\Local\Temp\980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Users\Admin\AppData\Local\Temp\._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Enumerates system info in registry
  PID:2804
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Enumerates system info in registry
    PID:2628

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
9.5MB

MD5
f28012e70bf98f0cb3d24fd82a44be80

SHA1
9b480ac32ed01463ff4b10cffed0049b645b488b

SHA256
980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9db

SHA512
7f00637ffbe47093897e75813bb23d69306620f4b6b2be4a5941fc0d7e17ca039bcc12419c380d9c999b05594516e0c2110f345e6b7a77ceaf27bccc57d02271

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2MrXxL.xlsm

Filesize
23KB

MD5
6cd1723e23e8de436622f3caa6708065

SHA1
d0e63eede3f42e280eacf826b1af816fa6818e5b

SHA256
0fdeaa968531518001cb06e03ec526450ea1ef7c8a1bc47cb09ad176567a6f93

SHA512
026855cd0c63877545028784133af0890892c15e435383b05872dfb552e7c22d0763686bf1520d5b251a45e4fa6f428b20e1e2897ea0d77c57736ee9ff9fd5bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2MrXxL.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2MrXxL.xlsm

Filesize
24KB

MD5
09452e96a5e6b82f4c0d0b4d877323cf

SHA1
7ae965c028d29608eb7f6a4c5aa0106b1e74cf1b

SHA256
0c2ed781ea7d4333d6f1ad21337d16bf7b3f048bd8769ece9e36145700045820

SHA512
4bb61448824ac41a0336f52d8b4957456b6f76bbb7b6311b68919d6bf4f68032d40705c70dde2605f14e8aab9c174f3291b75b248e76e14894afdd6dd9c74fd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2MrXxL.xlsm

Filesize
27KB

MD5
247e183298a05d3721837ecc03caa7c3

SHA1
f18758de49dc32a6db6187fdc251d737d98e6088

SHA256
c8c4de42dbafc4b472db63d16f6de05b0b6078269f16a0737682c2532e3da097

SHA512
322e9a18afa19524c89bb65c5f835eef0080536ee8c47458926dff91983f58c208bc530e814af9d876459b226b4aa8c901ffd543c10027b558edeba8a1457f8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2MrXxL.xlsm

Filesize
25KB

MD5
0f4515f19a92246dfa7d2e7071ae8325

SHA1
5af536278f1a36f2782d0003c466c28505284a7d

SHA256
a4afe7b89e475538b245727c39142e43f85fb91113ab281bd23e03d9dabb1f6e

SHA512
3bfdcd3913e251f7f88709eeeb415fdbbffa998f866212515cf05af540e89492a134a136fd1b56e9f5032bf7c29add30b990da12717ec906850cec4374b9ef1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kC2MrXxL.xlsm

Filesize
28KB

MD5
d391af680172a0171e6559cf5dca0502

SHA1
4df2f7a018df75dc7b87e0c7146c751c209cfa39

SHA256
5dfda84c0d8a3f7e6e94b23da4279d1ff22e559eb3bbde4b4d72e65ece62ae0e

SHA512
d5afb3d9b9ec77f5f6cefd225367cfb03fa1d494f8626be709f306c75c5902bad57fe1ff919fb5acbba3d29dca1184bfc6a2cc3fffb42229d62aa6acff4370b1

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_980da76a12482736cfa65694f93a69f1c55d05be5fa080171c3e39d8cc54a9dbN.exe

Filesize
8.8MB

MD5
26417db2e641625ab5051d68dd43ec63

SHA1
35c6c775d4f8c279911528df14cb5496d92cf8f3

SHA256
cb068cde08cc4e7338942b0b28975d5b39a231a25fd6069bd6ab0a9139eb11f1

SHA512
0b8a5a84517d496e5251602c78ca58d5cbd82462c1cef5a137fb161ce685b05bb6aedeb3af1d982ab5efff459ec6e53003e948c9fa51c1e9a19ac80e286aaba4

Download Submit
memory/1840-25-0x0000000000400000-0x0000000000D8F000-memory.dmp

Filesize
9.6MB

Download
memory/1840-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2628-39-0x00000000012D0000-0x0000000001BA2000-memory.dmp

Filesize
8.8MB

Download
memory/2788-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-38-0x0000000005A10000-0x0000000005C22000-memory.dmp

Filesize
2.1MB

Download
memory/2804-27-0x0000000001150000-0x0000000001A22000-memory.dmp

Filesize
8.8MB

Download
memory/2868-40-0x0000000000400000-0x0000000000D8F000-memory.dmp

Filesize
9.6MB

Download
memory/2868-132-0x0000000000400000-0x0000000000D8F000-memory.dmp

Filesize
9.6MB

Download
memory/2868-133-0x0000000000400000-0x0000000000D8F000-memory.dmp

Filesize
9.6MB

Download
memory/2868-165-0x0000000000400000-0x0000000000D8F000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads