xred | 10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c

Analysis

max time kernel
141s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-12-2024 19:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Size

1.2MB
MD5

9865af46180d9eec214713622cb82d7b
SHA1

8f18fe6bf7b58bdcb6ad71d0d7f2ffd5a909a07f
SHA256

10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c
SHA512

3e0ca8bc92b58ed3c159bf9f78e86c4cf43a99d429e06d5d0b38cfd0db6571c021896a6c14cbe7783e1878973d27e9b725ee66b0f1c67736f81cc1e00d304d3c
SSDEEP

24576:znsJ39LyjbJkQFMhmC+6GD9GyIZ8E19pme8Ndd/bW83G:znsHyjtk2MYC5GDIyg849WVNW

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
3028	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
2392	Synaptics.exe
2744	._cache_Synaptics.exe
2928	._cache_Synaptics.tmp

Loads dropped DLL 7 IoCs

pid	Process
2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
2392	Synaptics.exe
2392	Synaptics.exe
2744	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\CyberLink\AudioDirector15\is-MTPG2.tmp	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
File created	C:\Program Files\CyberLink\AudioDirector15\is-LTJ6G.tmp	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
File created	C:\Program Files\CyberLink\AudioDirector15\is-IFKGG.tmp	._cache_Synaptics.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2788	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3028	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
3028	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
2928	._cache_Synaptics.tmp
2928	._cache_Synaptics.tmp

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2928	._cache_Synaptics.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3028	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
2928	._cache_Synaptics.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2788	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2512 wrote to memory of 2328	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	30
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2328 wrote to memory of 3028	2328	._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	31
PID 2512 wrote to memory of 2392	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	32
PID 2512 wrote to memory of 2392	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	32
PID 2512 wrote to memory of 2392	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	32
PID 2512 wrote to memory of 2392	2512	10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe	32
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2392 wrote to memory of 2744	2392	Synaptics.exe	33
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35
PID 2744 wrote to memory of 2928	2744	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
"C:\Users\Admin\AppData\Local\Temp\10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Users\Admin\AppData\Local\Temp\is-KGNTQ.tmp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp
    "C:\Users\Admin\AppData\Local\Temp\is-KGNTQ.tmp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp" /SL5="$8019A,119392,114176,C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3028
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2392
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\Users\Admin\AppData\Local\Temp\is-JQL5P.tmp\._cache_Synaptics.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-JQL5P.tmp\._cache_Synaptics.tmp" /SL5="$9019C,119392,114176,C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of FindShellTrayWindow
      PID:2928

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\CyberLink\AudioDirector15\is-IFKGG.tmp

Filesize
381B

MD5
61a7279afdb88c3843a57c0edf94ae5e

SHA1
e1abfaad737d58a65e1448d89428647aace81891

SHA256
d817f1e8d48d7b3c5c442b64f6aab6338985255f7592b77115e24dd58fb5300a

SHA512
240b8fb90e6e352df69aaab602a8b5e8d37ec340691a7c29c263dc3d76ed9e27afd1f5cf1937b3c0b74f56a9af538a744b7718e52f3a0d7b1591d9c2a0cde4db

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
9865af46180d9eec214713622cb82d7b

SHA1
8f18fe6bf7b58bdcb6ad71d0d7f2ffd5a909a07f

SHA256
10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c

SHA512
3e0ca8bc92b58ed3c159bf9f78e86c4cf43a99d429e06d5d0b38cfd0db6571c021896a6c14cbe7783e1878973d27e9b725ee66b0f1c67736f81cc1e00d304d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.exe

Filesize
480KB

MD5
478931185c762e3820cc89da1e932dbe

SHA1
64feec6ff7981eed8d8e7c8c9f96a060b901df94

SHA256
a9c902b4bc20046c921dfc99744a791ca694ea0e9ecf7a757279ea50ab364bf1

SHA512
8b797b8ca5a8377e39db3cce101f0a76248dada2e592be3bd04a11fe486d36c3417054a6352b4c55e55903ade41321fc7a54ff5e07853e253dbf6b01a3be840d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F3C67F00

Filesize
24KB

MD5
e86d60e14356df615e99c68026462a1a

SHA1
b8d4ee9e01008f0516ca1a83745679f56dfbd9d2

SHA256
c4db8679a16e5b256fa115b1c3509a36cc5191c44036c5cd270fe4f64bd2d1fc

SHA512
ce3f569f9cb7a98f321e21513e1a29997571289e847f9e799a4bab833ea87011d291fdce83fbf5fc8bdf4914fea25a01e2dbcf5ea97f841dbc18daee8eee6d97

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHqFX8Ue.xlsm

Filesize
23KB

MD5
cb2f22067fe9e2eb00f89377d64c8a80

SHA1
7093a9c590dd001b3ee2a33ccc409be3b21c2546

SHA256
25dc5d51eca3b95873f90b87e852fc4a777310105f6131225838451b7857ed83

SHA512
070ebb8e4665af95bf4ed4e005b500dd86c56c9753e1dc4a85b5704ca2218fbc2ec0b4abbe5be68bf669b00fd878eac1126a00092940a345a06ef490af5d6017

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHqFX8Ue.xlsm

Filesize
24KB

MD5
c9bf29caa4a2cb33106369a1aeaa5895

SHA1
94b9e05a97b0f2cafd7303a44dc32ffe3234bc04

SHA256
9f4bbc2359992f15912d66c9c04d703c51acc3ff5e1e24aea42b8cde3a1177cd

SHA512
add9baadcf2539edff0f51a5470e2faf1ce62b929d6c920c7faf8b8621a8c70ba7d4268b6125d89d40f96b87d954fa4ab33fc76e5e69c6e89f8a81e7e70a8f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHqFX8Ue.xlsm

Filesize
24KB

MD5
7167de7046cbf562197f79d79471c96f

SHA1
fab833dfa4090fdeb42f2436562e50cab946bd39

SHA256
ad98f42a8b1517d3f5ce095d04daad28331e3c0ce76f337364d87b2a18c7e799

SHA512
d04dc90f6e18015f748737cf8ade2617802320c1e85eb14cdf947f87827e990b23827f4e315469aa8ff1c11b9dc20c10ff5ad4c11612b7a968275efbc670794b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHqFX8Ue.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHqFX8Ue.xlsm

Filesize
25KB

MD5
1441e51b10e1902ee9a1d8e4bb20c5ab

SHA1
4bf708f1a0f19211e1635431c7c650b64459df12

SHA256
a94fdd2330eecb16523fbb41c4af75847153fddf71f4874eaa7e670dcd58c7af

SHA512
6c5ac1f5354323df253d48d5897d0e0ee8de5c35673fdea6577be6fbd37d91bc13048435d73d4e7767869cf4515006c10d3a36ca304c14ced43a96ad3695047d

Download Submit
C:\Users\Admin\Desktop\~$UnblockPublish.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\is-KGNTQ.tmp\._cache_10f238048d9a4b16e13e973af14b7e8b19b4ed1a2e34d30682d1402602da844c.tmp

Filesize
757KB

MD5
bf1ce8b5097aadbe98c5c87f8d59be2f

SHA1
5c30464b85d8a12f0abee6519eb8f3448042f9f8

SHA256
0b6baaeb14ed1b68a45213b8a63cd9d69c3070a72dd75ba0fb45c5d60f308bc3

SHA512
072a85610d7f9f6894d9822e5493cec98876bdb0157a826de59f80219a1924d6e698c94b2959516395443a930b20879af44fa4ef48142983436f66977386dc45

Download Submit
memory/2328-17-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2328-142-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2328-166-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2328-20-0x0000000000401000-0x000000000040C000-memory.dmp

Filesize
44KB

Download
memory/2392-144-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2392-206-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2392-155-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2512-34-0x0000000000400000-0x000000000053A000-memory.dmp

Filesize
1.2MB

Download
memory/2512-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2744-44-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2744-145-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2788-52-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2788-139-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2928-158-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2928-146-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/2928-169-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3028-154-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3028-164-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download
memory/3028-143-0x0000000000400000-0x00000000004CD000-memory.dmp

Filesize
820KB

Download