xred | a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e

Analysis

max time kernel
141s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
Size

1.0MB
MD5

79764ca5483381c2db355f8657776bf8
SHA1

c19160c3541d302eb9b2e096d1f9c0c77e4d0e7d
SHA256

a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e
SHA512

bbbc45a8e52075875c75e495de88b7a7d2e533b4dc3a2ad9f32020020ddc816fe572ddb1869d415db99bc480161e36ba2a87135f84be82f78923bb545ff1852c
SSDEEP

24576:ensJ39LyjbJkQFMhmC+6GD97Oq+4181YFWwsEac9s:ensHyjtk2MYC5GD1C681YVU

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0008000000016dd7-96.dat

Executes dropped EXE 3 IoCs

pid	Process
2792	._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
2968	Synaptics.exe
2580	._cache_Synaptics.exe

Loads dropped DLL 9 IoCs

pid	Process
1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
2968	Synaptics.exe
2968	Synaptics.exe
2580	._cache_Synaptics.exe
2580	._cache_Synaptics.exe
2792	._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
2792	._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2564	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2564	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 2792	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	30
PID 1940 wrote to memory of 2792	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	30
PID 1940 wrote to memory of 2792	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	30
PID 1940 wrote to memory of 2792	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	30
PID 1940 wrote to memory of 2968	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	31
PID 1940 wrote to memory of 2968	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	31
PID 1940 wrote to memory of 2968	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	31
PID 1940 wrote to memory of 2968	1940	a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe	31
PID 2968 wrote to memory of 2580	2968	Synaptics.exe	32
PID 2968 wrote to memory of 2580	2968	Synaptics.exe	32
PID 2968 wrote to memory of 2580	2968	Synaptics.exe	32
PID 2968 wrote to memory of 2580	2968	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
"C:\Users\Admin\AppData\Local\Temp\a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Users\Admin\AppData\Local\Temp\._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2792
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2580

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2564

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
79764ca5483381c2db355f8657776bf8

SHA1
c19160c3541d302eb9b2e096d1f9c0c77e4d0e7d

SHA256
a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e

SHA512
bbbc45a8e52075875c75e495de88b7a7d2e533b4dc3a2ad9f32020020ddc816fe572ddb1869d415db99bc480161e36ba2a87135f84be82f78923bb545ff1852c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwUVod1.xlsm

Filesize
26KB

MD5
60f21fd2dabc51e7c7a38aef90e87e32

SHA1
be368d98d5b5f2e4c9ecac7ff671d9b58be11895

SHA256
e84cd9d094fffb9be1da2fdaa7514887a85f93fdc1c41a43981457352ad3ca7d

SHA512
57ec858f6071df16a8f13465986039510dacbf04de1acbadee7d5e6720889015e220fcff8b8a479d37d220a85d5d9d60ee8818dd252127683d384c97c9ee1296

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwUVod1.xlsm

Filesize
32KB

MD5
f5d1b00a41920ba1a31ca418eab776fc

SHA1
1cdbae4d59ccd24c956ed1f585b21124ea6115f0

SHA256
9a20fb7df74d8d7c783fcb02d9194f1396178ccb36370ac41342c1fe399ecfaf

SHA512
ad0d4da69a5929217b8443f6eee834a1da4e1767d90e401840582c9cddf49f79223021c3f7ae567e4cf5a756518521fc17245b8e4ea1a0faefe5bdb1665ba2ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwUVod1.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwUVod1.xlsm

Filesize
32KB

MD5
ff019a376f48ae0f242f5edca64346f0

SHA1
2a961d4a8f67861e6b5361c485816d4de6b98c5b

SHA256
e33c56b8fd196a2a74725a89d031825fa8ef8a549ef1c354d14f75b8ddd62c96

SHA512
e3494ce9cb39b97f8ab5ec0b7b71ae170343597ed1d1a9d0f54557f8baa612a6b0c22e656506419617eb23f8ede4c89d5270ba9762795d740c12466552c65909

Download Submit
C:\Users\Admin\AppData\Local\Temp\KGwUVod1.xlsm

Filesize
28KB

MD5
069cb566247ca8ea85f090040b5343d0

SHA1
c16eabb85154d809aa438e593f4dd33b12f73f09

SHA256
0ba9d832364c52f10e86ce6816cd787ac9d2d2a926444e65651265e6c3a65880

SHA512
47568d1b385c1007f5f709905b668d363a64101c3d3eb406b524089fc70b03695a12e65f52591df4da5e806c469bf62c64ce67c26b7818f8e4d2f7e690566428

Download Submit
C:\Users\Admin\Downloads\~$DebugCopy.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a8be2b9743370affb1605a768c24fe20be1ba00c1a3d3161e8c5e55280171e7e.exe

Filesize
306KB

MD5
75cf1ba78ae7a0391564cb7bdfb2e016

SHA1
828f479f83cc8274af25e78e02671f7a96924729

SHA256
d6b611a76934e9d9976543eb7e2f0d6acd2192fd7befad736395c8b2d46e3ae2

SHA512
167ce40b1fee09dc19f70f2d27339d06a772d7b115092d9215e74630c3671f1ee6468337d9766303ea0568a3d3d03dda76c24193eb2c05fac67cc69147d78dba

Download Submit
\Users\Admin\AppData\Local\Temp\nso32B6.tmp\System.dll

Filesize
11KB

MD5
301a9c8739ed3ed955a1bdc472d26f32

SHA1
a830ab9ae6e8d046b7ab2611bea7a0a681f29a43

SHA256
6ec9fde89f067b1807325b05089c3ae4822ce7640d78e6f32dbe52f582de1d92

SHA512
41d88489ecb5ec64191493a1ed2ed7095678955d9fa72cccea2ae76dd794e62e7b5bd3aa2c313fb4bdf41c2f89f29e4cafe43d564ecad80fce1bf0a240b1e094

Download Submit
memory/1940-26-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/1940-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2564-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2968-141-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download
memory/2968-176-0x0000000000400000-0x000000000050F000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads