xred | 321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5

Analysis

max time kernel
114s
max time network
107s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
19-12-2024 21:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Size

2.8MB
MD5

8354dc3462309aedd0e2bcfa72410f00
SHA1

98cc86359335052835ec0bebad33957cec8905e8
SHA256

321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5
SHA512

c45fb93f91eeaef92e5395b6dc8db4a704a055984756b4e842a939328af3bd9b91daaa203b51526e16f04d30d8f3ba47209a8a8a6370dd7a591e7568145dd87c
SSDEEP

49152:hnsHyjtk2MYC5GDwJUQxE87vxpsrFpIvFbJo+McPe3Nsv2kYKcNTXxicbd:hnsmtk2a3GyPN+TIvFby0ed8QKMMq

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2540	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2648	Synaptics.exe
1668	._cache_Synaptics.exe

Loads dropped DLL 15 IoCs

pid	Process
572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2540	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2540	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2540	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2540	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2540	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
2648	Synaptics.exe
2648	Synaptics.exe
1668	._cache_Synaptics.exe
1668	._cache_Synaptics.exe
1668	._cache_Synaptics.exe
1668	._cache_Synaptics.exe
1668	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1016	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1016	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2540	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	29
PID 572 wrote to memory of 2540	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	29
PID 572 wrote to memory of 2540	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	29
PID 572 wrote to memory of 2540	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	29
PID 572 wrote to memory of 2648	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	30
PID 572 wrote to memory of 2648	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	30
PID 572 wrote to memory of 2648	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	30
PID 572 wrote to memory of 2648	572	321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe	30
PID 2648 wrote to memory of 1668	2648	Synaptics.exe	31
PID 2648 wrote to memory of 1668	2648	Synaptics.exe	31
PID 2648 wrote to memory of 1668	2648	Synaptics.exe	31
PID 2648 wrote to memory of 1668	2648	Synaptics.exe	31

C:\Users\Admin\AppData\Local\Temp\321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
"C:\Users\Admin\AppData\Local\Temp\321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2648
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1668

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.8MB

MD5
8354dc3462309aedd0e2bcfa72410f00

SHA1
98cc86359335052835ec0bebad33957cec8905e8

SHA256
321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5

SHA512
c45fb93f91eeaef92e5395b6dc8db4a704a055984756b4e842a939328af3bd9b91daaa203b51526e16f04d30d8f3ba47209a8a8a6370dd7a591e7568145dd87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1mHAcsoN.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\EB787F00

Filesize
21KB

MD5
a154bad81766c16b21d83fb183c8f303

SHA1
9c4209e6844ad4ad73bec6ffd7d5c6ce6fbe8b30

SHA256
9855c5a7231d0b7acfdade663ab8f2689cd6fd7469278776e14b30089b9175cd

SHA512
4e3c61d3e689d3675194253d1e49f70102138b7d739be19af8c0ba0a53123a5764c98d2b7509e2de16333d4e8176ee2445e639ac007b0956345abe1c9e57f9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\CommandLine.dll

Filesize
71KB

MD5
6d11c677cae02caa249a4f7f35fff112

SHA1
b417114c9b95ac2f3a2e9a68bf669f7342cd4cdb

SHA256
dde08c1db1ff43b08c7de59ae14045cb6fec13bec7ac65e142142453b8ab1ad4

SHA512
f992c2ad42372d0981e8512b34516b88c8ecacd89ade1027600ad883a6346c2b9d448fb027d38915b15f15f39c6b7f7d25c9af0c36835ff85224e48034609857

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\DotNetZip.dll

Filesize
467KB

MD5
190e712f2e3b065ba3d5f63cb9b7725e

SHA1
75c1c8dd93c7c8a4b3719bb77c6e1d1a1620ae12

SHA256
6c512d9943a225d686b26fc832589e4c8bef7c4dd0a8bdfd557d5d27fe5bba0f

SHA512
2b4898d2d6982917612d04442807bd58c37739b2e4b302c94f41e03e685e24b9183b12de2057b3b303483698ad95e3a37795e6eb6d2d3b71e332b59deeca7d02

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\Microsoft.Win32.TaskScheduler.dll

Filesize
126KB

MD5
85f06c0b15781744fcf55c4e9bcca80d

SHA1
2e0cb9a364d7cfe1371a5917b2af6aee58145ef3

SHA256
42cde788e9d0f85ed71b4d1adaa313dc054ac2af58415d6d508507a661c8c70c

SHA512
408618f635b9a800ebd3d019f5037c418f38e06891ba9404bf39f88ebe6363d34c7ab49ca2bf448c86f9ee67881c018b0f18d028c2bae6d0351c04478abd2bcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\Newtonsoft.Json.dll

Filesize
692KB

MD5
98cbb64f074dc600b23a2ee1a0f46448

SHA1
c5e5ec666eeb51ec15d69d27685fe50148893e34

SHA256
7b44639cbfbc8ddac8c7a3de8ffa97a7460bebb0d54e9ff2e1ccdc3a742c2b13

SHA512
eb9eabee5494f5eb1062a33cc605b66d051da6c6990860fe4fd20e5b137458277a636cf27c4f133012d7e0efaa5feb6f48f1e2f342008482c951a6d61feec147

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\OverWolf.Client.CommonUtils.dll

Filesize
655KB

MD5
9562911e11231c09a4d420378c286f64

SHA1
a093e50dfb3cd7b71265d20c78c6182857ea518f

SHA256
c44259feeeae0f009deeffe5b83ed7e72727b8c409c7b62ef6ecb7b24b78b12a

SHA512
6cc6baeb2ca726856c7ba4cfe5a9bf247584a28470dd0de3794274883693d6a0efe922af492e487beae21b53198413e61596ad0e70d448c92acdb06dd9143e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\SharpRaven.dll

Filesize
82KB

MD5
f2f1cd4e9b1f772b7b7955c3310a126a

SHA1
6ea2b5ee4461053ad353d4826ba61388f98c28fc

SHA256
a8cd61fc4478da0464967f5c74b6ecc6a880e879f49ba552f7c3056d3d0d562a

SHA512
587aec3e0b2c913eb40259928dee536ffdb4f51c693682bf926351c86e1ace020bfff3fd9f279a48ecb0d2a46a460aa5d8adeddb3e268c7a5e5dae220100b66d

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\log4net.dll

Filesize
270KB

MD5
f15c8a9e2876568b3910189b2d493706

SHA1
32634db97e7c1705286cb1ac5ce20bc4e0ec17af

SHA256
ae9c8073c3357c490f5d1c64101362918357c568f6b9380a60b09a4a4c1ff309

SHA512
805cd0a70aba2f1cf66e557d51ad30d42b32fbafcfbc6685ec204bc69847619479f653f4f33a4e466055707880d982eb1574ddab8edfa3c641e51cda950e2a0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\nsis7z64.dll

Filesize
514KB

MD5
284c46af1fd2ec3a60ee0c28f276f2a4

SHA1
4d4d41c0af12d928e4e553ab6b80e6b4ab8007bc

SHA256
2368be6d8b21e0047146d3f61f90966a71d0737eed0146bc692b59f3cac97793

SHA512
ca9e4ef79c9c7c5f2282ddeee34ec39a51cddf26dcad4e9f2e42230499b0b898ac2dfd33f25438aa995741d23037fa01a0269823c283b234ecec0f155d3c05ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsp711C.tmp\websocket-sharp.dll

Filesize
270KB

MD5
bd907f40168a3bc1590ee1f22be99014

SHA1
bd3324408817dcfef89595fa2a78acc5497a3f3f

SHA256
0c55480ef4020fddb567cf4487c5a44077a966ec6079b19faecd3e69dd991ad4

SHA512
af669cabcdaf405dde0aa42e04c7ff2234121ff87112b3b30479d24e1f77e120be72e257c1e4d1b436882879cd8c4657634f6f155548f4aa48bdc8fb51ee0065

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_321322d58436bdd27eb8c086014cf60cb8be4ac966e728a0919fa941faf2f0d5N.exe

Filesize
2.1MB

MD5
4a615108909cb8d7a1b18ae0f0653d63

SHA1
43fdc0d43509afffab586c55b0bef004b2a8b828

SHA256
ac966dfd2b7d8a7ff86e2cf3b2f8c4d2b99108f3c5af5e4ce5c74ffecc5566d6

SHA512
7f32326685778fbd6280a4d72d4e1a86ed6645750de0538b44b1e7f402d7255d77520da46b4645575e803e1f2119647bd86181b60d466bd70719644a59ea2e8d

Download Submit
\Users\Admin\AppData\Local\Temp\nsz63A4.tmp\INetC.dll

Filesize
34KB

MD5
87050902acf23fa5aa6d6aa61703db97

SHA1
d5555e17151540095a8681cd892b79bce8246832

SHA256
0ecf8b76a413726d2a9c10213ad6e406211330e9e79cfde5024968eedc64a750

SHA512
d75d3fc84a61887ee63bad3e5e38f6df32446fd5c17bedce3edca785030b723b13134b09a9bbbbaca86d5ea07405b8c4afd524cc156a8c1d78f044a22dee9eab

Download Submit
\Users\Admin\AppData\Local\Temp\nsz63A4.tmp\System.dll

Filesize
21KB

MD5
51bd16a2ea23ae1e7a92cedc6785c82e

SHA1
a9fbaeb9a695b9f2ba8a3ed8f0d95d2bf6a3d36c

SHA256
4dbc79d2b1c7987cc64bb5d014db81bb5108bdd6d8bf3a5f820fac1ded62be33

SHA512
66ffc18b2daf6c4cba01aef0e4af2f006a51aa218eab0f21dc66e47eea0389d2b1748ef0e30d2ec9f0123fd7f38ed3aee964dd6bde5779aaee19ebf55369af79

Download Submit
\Users\Admin\AppData\Local\Temp\nsz63A4.tmp\UserInfo.dll

Filesize
14KB

MD5
1dd4ca0f4a94155f8d46ec95a20ada4a

SHA1
5869f0d89e5422c5c4ad411e0a6a8d5b2321ff81

SHA256
a27dc3069793535cb64123c27dca8748983d133c8fa5aaddee8cdbc83f16986d

SHA512
f4914edc0357af44ed2855d5807c99c8168b305e6b7904dc865771ad0ee90756038612fe69c67b459c468396d1d39875395b1c8ec69e6da559fb92859204763e

Download Submit
\Users\Admin\AppData\Local\Temp\nsz63A4.tmp\uac.dll

Filesize
24KB

MD5
861f7e800bb28f68927e65719869409c

SHA1
a12bfcd2b9950e758ead281a9afbf1895bf10539

SHA256
10a0e8cf46038ab3b2c3cf5dce407b9a043a631cbde9a5c8bcf0a54b2566c010

SHA512
f2bf24a0da69bbe4b4a0f0b1bfc5af175a66b8bcc4f5cc379ed0b89166fa9ffe1e16206b41fca7260ac7f8b86f8695b76f016bb371d7642aa71e61e29a3976eb

Download Submit
\Users\Admin\AppData\Local\Temp\nsz63A4.tmp\utils.dll

Filesize
58KB

MD5
c6b46a5fcdccbf3aeff930b1e5b383d4

SHA1
6d5a8e08de862b283610bad2f6ce44936f439821

SHA256
251ab3e2690562dcfcd510642607f206e6dcf626d06d94b74e1fa8297b1050a0

SHA512
97616475ef425421959489b650810b185488fcb02a1e90406b3014e948e66e5101df583815fd2be26d9c4d293a46b02ba4025426f743e682ed15d228f027f55c

Download Submit
memory/572-98-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download
memory/572-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1016-424-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-710-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download
memory/2648-711-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download
memory/2648-745-0x0000000000400000-0x00000000006D9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads