xred | af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
01/01/2025, 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
Size

760KB
MD5

4db9a153be2070f9470396fc1b2e3a25
SHA1

2dc49154e1d8c5c3658e1dde874168d06332ca81
SHA256

af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911
SHA512

aac3b94c18265504754069e4740ae9e23a663dbd286d60cd18c6d2aa08587388d787dbfd299512cffe33cc241a6ba7084be30bfa328d3994b1b942a03250a9c7
SSDEEP

12288:qMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9kGMpr:qnsJ39LyjbJkQFMhmC+6GD9x8

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2556	._cache_af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
2728	Synaptics.exe
2248	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
2728	Synaptics.exe
2728	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1240	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1240	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2820 wrote to memory of 2556	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	30
PID 2820 wrote to memory of 2556	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	30
PID 2820 wrote to memory of 2556	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	30
PID 2820 wrote to memory of 2556	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	30
PID 2820 wrote to memory of 2728	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	32
PID 2820 wrote to memory of 2728	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	32
PID 2820 wrote to memory of 2728	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	32
PID 2820 wrote to memory of 2728	2820	af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe	32
PID 2728 wrote to memory of 2248	2728	Synaptics.exe	33
PID 2728 wrote to memory of 2248	2728	Synaptics.exe	33
PID 2728 wrote to memory of 2248	2728	Synaptics.exe	33
PID 2728 wrote to memory of 2248	2728	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
"C:\Users\Admin\AppData\Local\Temp\af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Users\Admin\AppData\Local\Temp\._cache_af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2248

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
760KB

MD5
4db9a153be2070f9470396fc1b2e3a25

SHA1
2dc49154e1d8c5c3658e1dde874168d06332ca81

SHA256
af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911

SHA512
aac3b94c18265504754069e4740ae9e23a663dbd286d60cd18c6d2aa08587388d787dbfd299512cffe33cc241a6ba7084be30bfa328d3994b1b942a03250a9c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
20KB

MD5
d61d99ad34cb82a7ee2fb620b83c6247

SHA1
8fde71edbddef52431f41db34593170bcb31d84f

SHA256
35e8830e92a7a9403fabd695e3684fe8f1ab438476710be97d63248fe8464a91

SHA512
57ac36358243dfd1b94324e01e2525d3075f0580ca534e248bf549fd78bb3dc66cd2e262596122c8435268303e4c6e7ce080143307cef8e43cec509593153bbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
26KB

MD5
82d13c622f76594cdfb81ebff3ea4892

SHA1
d34ae87d11359017180af7ef7cb63fa0e681379f

SHA256
8dd12c6e88fd3a0702e83f12b465870f1105dc46db85c5cb3342669dbc84cecf

SHA512
478d7e44740ff9eed070239e506f2af4da83dae8512c815d346ccb64c7bc45881e6d29ea9100eae883ffa6b883b483a034a5905c8b340db26e0d3dac2a2ac546

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
25KB

MD5
a11dc49196d950b517bd6da63c65b321

SHA1
6f7d7038b474cf1f6a0c9a015954d8e90a06b879

SHA256
34207a150fb9a7236e8d29a9a707042aaa0f08a8c19991875089b206197fe4c6

SHA512
9cc8b1eb30f8e80579db5d746bc6dc7ec27baffc0da33f87eb5fe5a63cd2f4520ffd192aee33661b2ddc0d2722b163ae6fb72fca1cb6c61055fbda9213ef00f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
22KB

MD5
866d0d91c1d0c3cc30d91e61cb612633

SHA1
f09fc5d56fee8b9b3b7f27170599db8fda9225c3

SHA256
9deab89402d5bded25eeda65de89d8920b344910203aee0250ecef9e07b2fd1c

SHA512
8d32f01b124de89cdb9a1169292fe2b9ce4f9410f61cf1ecb9340edd80838e12b093469f55b3c5369b02807bc43d4d914300d673544ac6e4697ca653504edef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
23KB

MD5
04cd0229beb3837e8fbc480a388682b7

SHA1
18c961eab0f0f7c6062751438fa8400ec2b0cb01

SHA256
703223d2ecc6336066ff71c4c4f4c68a727f5c1a02b7d02d5e32f5de8eba1de4

SHA512
1c6c6236daefd8ad2aca2344e96597f1872efee7e0187fb7edf4da9ad11f02823d70a92608b54e0f1aa4770eef4634ca29e683b553a3c1c3413442bd08ed6141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dpi3sjRe.xlsm

Filesize
26KB

MD5
cb6278e96df4efd268d7b090f4782ad7

SHA1
949817e46cb77fe3bf966e3d3687ee70e8dbc822

SHA256
25aec8549b2e9adb47d4e9646699137dbb89e12a3e787cd867902328a74cf91d

SHA512
0658761f593aa5aeed47dd3edd2c06369841e70ded9c0cef076bcf9ddfcb5f66bd23336584c4ef098fd1ddaf90f8c30ad87963c79d8822b8b0b52c7817cff5b9

Download Submit
C:\Users\Admin\Desktop\~$ConvertFromExpand.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_af9167be6638abeea9ee04bc417dd38875fff2287479338af4e1d44c17f83911.exe

Filesize
6KB

MD5
04d7bb96cb87a3a199501c93dd6f0e12

SHA1
cea74e0b3b829c1a933c0485abbfdc09585f6dac

SHA256
6cf85501a4a1754b4d36579442327f4e41617c0f76d5419631e1f2c865e42395

SHA512
e9656c26720211dec46d52b73628bea507c7a1f33bcd0cfed2481f53600794b28535c8377ad67de6830f494382664ade2c051613d5d7fce5af4652f9eb1ee636

Download Submit
memory/1240-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1240-133-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2728-134-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2728-135-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2728-169-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-25-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2820-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads