xred | d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01-01-2025 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
Size

903KB
MD5

6f731974f361228d9efde933d1738fc0
SHA1

2d54c2b80e4ecf20933f343e50cc4f0000de150b
SHA256

d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a
SHA512

2cbb5fe194491b2c51273d48144f190dc0b5f2c77d4effc8e9c10099120cec5418b676f3f2e8d9a705b015642176634b797c0f8fa624f30612862f7c007a4404
SSDEEP

12288:kMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9dMxWtwiYj:knsJ39LyjbJkQFMhmC+6GD9TwJ

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2500	._cache_d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
2068	Synaptics.exe
3044	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
2068	Synaptics.exe
2068	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2664	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2664	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 2500	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	30
PID 1568 wrote to memory of 2500	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	30
PID 1568 wrote to memory of 2500	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	30
PID 1568 wrote to memory of 2500	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	30
PID 1568 wrote to memory of 2068	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	31
PID 1568 wrote to memory of 2068	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	31
PID 1568 wrote to memory of 2068	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	31
PID 1568 wrote to memory of 2068	1568	d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe	31
PID 2068 wrote to memory of 3044	2068	Synaptics.exe	32
PID 2068 wrote to memory of 3044	2068	Synaptics.exe	32
PID 2068 wrote to memory of 3044	2068	Synaptics.exe	32
PID 2068 wrote to memory of 3044	2068	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
"C:\Users\Admin\AppData\Local\Temp\d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1568
- C:\Users\Admin\AppData\Local\Temp\._cache_d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe"
  2⤵
  - Executes dropped EXE
  PID:2500
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2068
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:3044

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
903KB

MD5
6f731974f361228d9efde933d1738fc0

SHA1
2d54c2b80e4ecf20933f343e50cc4f0000de150b

SHA256
d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a

SHA512
2cbb5fe194491b2c51273d48144f190dc0b5f2c77d4effc8e9c10099120cec5418b676f3f2e8d9a705b015642176634b797c0f8fa624f30612862f7c007a4404

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRHkvrJZ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRHkvrJZ.xlsm

Filesize
24KB

MD5
299cab08523a9bb030a5ac69ba8586e3

SHA1
1a5c6cdebb882ffbef20ca724631246495aa0d2d

SHA256
111d0061a7f474ec121fb41dac87ee8e887e1258414800b0ff18df3d974037fb

SHA512
4d90df31f16579253cfdf76ad4ca59c3e224cde0f4b3aee1fe89bb127917e0cb257f81970c80e9e3a09f9b246d6d562ddef49faf5c8414a6254a3f90df8310f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRHkvrJZ.xlsm

Filesize
27KB

MD5
4254d55de9f685507b65d5ac88bfa59e

SHA1
855e26429e4dc04dcb340d9837f20b2e4e305c21

SHA256
594b8a58645bfa7ba63bde5a2fa155b022c27526a7501726e2df480d9c21b5c1

SHA512
2777e583027074df27857fd7bcc5e71faa4d88edd7a95d432ae7b48a8b39e33cd5cc14a81218cf7d27d6d19f4c2db9dc9687476fb1a86c8e5f714be57818825a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRHkvrJZ.xlsm

Filesize
23KB

MD5
c2b9223cb6b66cc01b93ae4f06b96366

SHA1
b7abbe2e95cf677aefdccc9b5a84bac3ce188caa

SHA256
d59afc4717e3d60eef8f64ebb0b0652e126b1b8831fb4e0d4e7477ea4c46b811

SHA512
f6b7f7b8f2d5d2ce55a07a3e65bdd63f57e5e77a51452ea64a9d52dce3ce794108bad7ab1773bc5322aae2e8b267438ec2f975197b8e3dd7be007278ae7849ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRHkvrJZ.xlsm

Filesize
25KB

MD5
451b31ff5d1527ffd84cd8c05e7c99a5

SHA1
61771b2069b350a33ca2b41043eeffb10733110b

SHA256
2424a76d94597781682d8443be5050e4d71ecd4c95ebdc94fccaff352fe0030b

SHA512
e7e9b9cb3d487c33191d9d2355db6b29608debd1a4c2c947fc093e400ec59c56de1a57f79741820443048c12556d4a72233d35d862b4dd9a02f6f9b20d906126

Download Submit
C:\Users\Admin\AppData\Local\Temp\tRHkvrJZ.xlsm

Filesize
28KB

MD5
cf2dc07223a5e4072d5f94d59f2c4812

SHA1
3f23ecf1902674772e87b8c044fab86f35c158cf

SHA256
3420f59cb75d5a910f9e5978e6f3b79593d4d8f5b70eab42f9725b095ec02b25

SHA512
ac4701a1048f8bcb0f5015030ac036d9bd7f3896e521531682e42c26de890d1e58173f5b6e7c98a2725c03e57d2d2ff3ba764c4c9a5a302cb214b751cbbcb3c5

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_d2670ba92705b5a935b010ce0d4d0e12b19fe42d6290e0f2c1b8c9443ae19d0a.exe

Filesize
150KB

MD5
60a3a2e69100a5c645e989763feac6c0

SHA1
faedd4270c5ae9c33c69972fd1378d70764a88f3

SHA256
423ea98c2ed98814650e99ec62e59e32ca65c9f670e653fe6452a2eb836dded7

SHA512
0990494cd44f65c597925d712ec84d418412fde08112b7ee32fb9148514564ef9074cf194c0c47652f3637b2a09e396ad4a687d8487524a319de5cb8e2519cf8

Download Submit
memory/1568-25-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1568-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2068-35-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2068-127-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2068-128-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2068-160-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/2664-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads