xred | f4d7b1769a82abb6af1bc9e0003b8b9c783aa006aaf92b4d835f38c6aeb432dd

Analysis

max time kernel
141s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VPN Plus V2/VPN Plus V2.exe
Size

2.6MB
MD5

30a3448e4e667492151d200221cc2330
SHA1

392e50785ea1f153b3031d13150ab518c662b446
SHA256

40332154e44a8a75d54aba96f78927fb0e670db9cca93c6219088fb9d3b3c1f4
SHA512

df441bd04d7f8bc1e3d2b43d376de9a47275238ac20e4b635ce806b01d3ad025f806db553e7ecbc331fb64040032b424ef80263f8d007bab018510687d575b4e
SSDEEP

49152:MnsHyjtk2MYC5GDYecxZBslbm1C5Xj+zlyVUBcpm2TFBUQn:Mnsmtk2aAMZB4m1C5X65yVGcp5TB

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0006000000019218-110.dat
behavioral1/files/0x0006000000019229-132.dat

Executes dropped EXE 6 IoCs

pid	Process
1856	._cache_VPN Plus V2.exe
2708	Synaptics.exe
2576	._cache_Synaptics.exe
2268	VPN Plus Config.exe
2052	VPNPlus.exe
2936	._cache_VPNPlus.exe

Loads dropped DLL 7 IoCs

pid	Process
1508	VPN Plus V2.exe
1508	VPN Plus V2.exe
1508	VPN Plus V2.exe
2708	Synaptics.exe
2708	Synaptics.exe
2052	VPNPlus.exe
2052	VPNPlus.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	VPN Plus V2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VPNPlus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_VPNPlus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VPN Plus V2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2284	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2284	EXCEL.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 1856	1508	VPN Plus V2.exe	31
PID 1508 wrote to memory of 1856	1508	VPN Plus V2.exe	31
PID 1508 wrote to memory of 1856	1508	VPN Plus V2.exe	31
PID 1508 wrote to memory of 1856	1508	VPN Plus V2.exe	31
PID 1508 wrote to memory of 2708	1508	VPN Plus V2.exe	32
PID 1508 wrote to memory of 2708	1508	VPN Plus V2.exe	32
PID 1508 wrote to memory of 2708	1508	VPN Plus V2.exe	32
PID 1508 wrote to memory of 2708	1508	VPN Plus V2.exe	32
PID 2708 wrote to memory of 2576	2708	Synaptics.exe	33
PID 2708 wrote to memory of 2576	2708	Synaptics.exe	33
PID 2708 wrote to memory of 2576	2708	Synaptics.exe	33
PID 2708 wrote to memory of 2576	2708	Synaptics.exe	33
PID 1856 wrote to memory of 2268	1856	._cache_VPN Plus V2.exe	35
PID 1856 wrote to memory of 2268	1856	._cache_VPN Plus V2.exe	35
PID 1856 wrote to memory of 2268	1856	._cache_VPN Plus V2.exe	35
PID 1856 wrote to memory of 2052	1856	._cache_VPN Plus V2.exe	36
PID 1856 wrote to memory of 2052	1856	._cache_VPN Plus V2.exe	36
PID 1856 wrote to memory of 2052	1856	._cache_VPN Plus V2.exe	36
PID 1856 wrote to memory of 2052	1856	._cache_VPN Plus V2.exe	36
PID 2052 wrote to memory of 2936	2052	VPNPlus.exe	37
PID 2052 wrote to memory of 2936	2052	VPNPlus.exe	37
PID 2052 wrote to memory of 2936	2052	VPNPlus.exe	37
PID 2052 wrote to memory of 2936	2052	VPNPlus.exe	37

C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\VPN Plus V2.exe
"C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\VPN Plus V2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPN Plus V2.exe
  "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPN Plus V2.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe
    "C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe"
    3⤵
    - Executes dropped EXE
    PID:2268
- - C:\Users\Admin\AppData\Roaming\VPNPlus.exe
    "C:\Users\Admin\AppData\Roaming\VPNPlus.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2052
  - - C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe
      "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2936
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2708
- - C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2576

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.6MB

MD5
30a3448e4e667492151d200221cc2330

SHA1
392e50785ea1f153b3031d13150ab518c662b446

SHA256
40332154e44a8a75d54aba96f78927fb0e670db9cca93c6219088fb9d3b3c1f4

SHA512
df441bd04d7f8bc1e3d2b43d376de9a47275238ac20e4b635ce806b01d3ad025f806db553e7ecbc331fb64040032b424ef80263f8d007bab018510687d575b4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2gsCv7e.xlsm

Filesize
20KB

MD5
9d63274cb6f29ae763472279adacc303

SHA1
2907a95470a199ec378e7d454adadcc1f8143661

SHA256
96b865e3a84defbec36ab65248cf4f2f9ababcbea92ee6bfe29b873e361aa9be

SHA512
3780c226f0647efc7ba655dc41f0981bb74f0c72e4959982ba53927eadf4085335fae8dafea33fc45a30dfec1ad5e55827552620a6a1a23e61a45f422ddc158b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2gsCv7e.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2gsCv7e.xlsm

Filesize
24KB

MD5
1c3248738c0375fada67d97686c22c7e

SHA1
5554dceba3de17f4b5e6c126415bc7d6ee9bc461

SHA256
c00961c848b4d74042f22f0fd814276f64553c6e96b1089fc5de6674fbd4b5fc

SHA512
7a6274ab9b9494bbfc802f27a1299ab9310d9419c170d007ba4fbec9e2adfef3ce6d45c8cb97f59e2ca4cbca007b5a70818b47f138d5ecd7620723e2cb998859

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2gsCv7e.xlsm

Filesize
28KB

MD5
51cd50c4ed36c90a11c20f8c524f6121

SHA1
56ab9956da666f765631856230af4b7a62f1ade8

SHA256
f977b44311dffc7e438e551abfde22081e3acbd11c7562f27a8dbc167b862250

SHA512
6b31f179af9ff77d20100dd5b583a3a6fb26cdeb3ddb9c4996fd4a3ba9d40defdded989f88edea916729a7fe841d11041e5931a0b74a4784d4662b5ccd063e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\T2gsCv7e.xlsm

Filesize
23KB

MD5
5328c6dff9720c204952b97753ab57e6

SHA1
c3a6484297223c1c28a43c6438cd55fad24a704d

SHA256
baa04c17c8d2781f7a8216e65bf2de249e62af10421134482f28f5e18d1be7c5

SHA512
1ae5cadfa45f469a72fa7830ce30b8ccc03d4252fd803acded9dab8ed6ed08715a194e7d33363817a493db234b1295dc6053f6d9a4f077b438dd9edcb0bafedb

Download Submit
C:\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPNPlus.exe

Filesize
444KB

MD5
f341dc884269172ef968d8fa6927275b

SHA1
5351fe61fd39b7704d9d63b1a36c44746536753d

SHA256
2d41af98b1f58fa4c8266629e6a8eec3a06970a4bd8132f722a3ad71457da4e6

SHA512
0c6933547a0f76b953a6679027e95f2d557c509ac459004baf2a2bf1bb9176d196eb1bea0ef38c6fe8a5b1ad2ecbf92e10542a2be25b563ab2af82f0bdfb1fde

Download Submit
C:\Users\Admin\AppData\Roaming\VPN Plus Config.exe

Filesize
293KB

MD5
0ffc5a768817a65ad00c3225bdcb6a70

SHA1
27c84ea9ad25231d0f01f95e7a5b8bc14e719184

SHA256
8df7d471e2c777b50b717c44149ee1556032f8123913d5bc3366f6f8780eceae

SHA512
282b605a57e3893a966ff482531bbc123ae508ca085b1781516879f09080d797e80ad60811e89f9d6fa0debda6429f5e5600968f5334931cad7a46dbeb96f96c

Download Submit
C:\Users\Admin\AppData\Roaming\VPNPlus.exe

Filesize
1.2MB

MD5
89099b1cc2d117ad367e9cbf10042916

SHA1
65d2b50285a1fb3d7b1e7b691e647abc58b33d5c

SHA256
95e9259b2d0a30d7e16b13d886a70d1d8cfaccd0799d1adff2e105390dbf5ceb

SHA512
7eda8b5035bbe0aaa0e33b1c0eeafaee0f2a3d0b65954819adc5f3b052948d11575ea240c14037f44fa0aa6f2b029b00e6fb88d10aa63a3bed71d7703abb62f2

Download Submit
C:\Users\Admin\Documents\~$UsePush.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\VPN Plus V2\._cache_VPN Plus V2.exe

Filesize
1.9MB

MD5
e765670f02fbba4fdd9317bba1c325ce

SHA1
954e3c2a2d461751fdac14b958cd20d9b5fcb099

SHA256
68c222268509688293c1b878e205134f9ab6c6b7a1d9c9541a9c01012e00e97f

SHA512
f009bc7c6577768ad42f8bbb08313d4ad81f56b3275c6f7ed01e94f818e9682de787046282ccdf961e96c8408269e2039314a3eaa75c31c740c2d0c58fab0eab

Download Submit
memory/1508-25-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/1508-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1856-28-0x0000000000C70000-0x0000000000E56000-memory.dmp

Filesize
1.9MB

Download
memory/2052-74-0x0000000000400000-0x0000000000531000-memory.dmp

Filesize
1.2MB

Download
memory/2268-43-0x0000000000FA0000-0x0000000000FF0000-memory.dmp

Filesize
320KB

Download
memory/2284-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2576-36-0x0000000000D20000-0x0000000000F06000-memory.dmp

Filesize
1.9MB

Download
memory/2708-138-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/2708-139-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/2708-173-0x0000000000400000-0x00000000006A3000-memory.dmp

Filesize
2.6MB

Download
memory/2936-101-0x00000000008B0000-0x0000000000924000-memory.dmp

Filesize
464KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads