xred | 6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2

Analysis

max time kernel
111s
max time network
107s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02-01-2025 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
Size

1.3MB
MD5

647af3192be8432c1d1b5f76d960dce1
SHA1

5da0a56f6f1ea2502771565f36cebe6bf4140410
SHA256

6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2
SHA512

a6cc0cdd7dea587119e4bcb273942a7445f61d02b414e4e772bcb3ad51ecba3d4fabdcd0358eaefbfb5107f0f24fd568226bcabd0f256f30280aed7f2a1a9bc8
SSDEEP

24576:JnsJ39LyjbJkQFMhmC+6GD92amx88FgqIK0KjmaAeR:JnsHyjtk2MYC5GDRVpAA6

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1836	._cache_6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
2792	Synaptics.exe
2748	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
2792	Synaptics.exe
2792	Synaptics.exe
2792	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2520	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2520	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1836	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	30
PID 1864 wrote to memory of 1836	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	30
PID 1864 wrote to memory of 1836	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	30
PID 1864 wrote to memory of 1836	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	30
PID 1864 wrote to memory of 2792	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	31
PID 1864 wrote to memory of 2792	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	31
PID 1864 wrote to memory of 2792	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	31
PID 1864 wrote to memory of 2792	1864	6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe	31
PID 2792 wrote to memory of 2748	2792	Synaptics.exe	32
PID 2792 wrote to memory of 2748	2792	Synaptics.exe	32
PID 2792 wrote to memory of 2748	2792	Synaptics.exe	32
PID 2792 wrote to memory of 2748	2792	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
"C:\Users\Admin\AppData\Local\Temp\6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\._cache_6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe"
  2⤵
  - Executes dropped EXE
  PID:1836
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2792
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2748

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
647af3192be8432c1d1b5f76d960dce1

SHA1
5da0a56f6f1ea2502771565f36cebe6bf4140410

SHA256
6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2

SHA512
a6cc0cdd7dea587119e4bcb273942a7445f61d02b414e4e772bcb3ad51ecba3d4fabdcd0358eaefbfb5107f0f24fd568226bcabd0f256f30280aed7f2a1a9bc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\D3E67F00

Filesize
27KB

MD5
cf9e44784bf4a33d5a19efd66b87c594

SHA1
9a2f0d58abc425fa8a0487669e2e8f3d48841c4c

SHA256
0f2c607ff7d96f68d01f0a17abadd6c1e85303441a8f63ee8c8891d9507b6ab6

SHA512
0fa663303d326ff0b2cb16bf2b11327ccdd1d86bf352da72399535b95f115f16028d848a371b12568d6631e82c70926954b783c5a4e677b6d18d654fecaa0471

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYqBEPeM.xlsm

Filesize
23KB

MD5
70f6b165d64f7a66937740d5eb8996d6

SHA1
be2bbea4d61202a0040892c31f77f9a29126105e

SHA256
54dab3166d599c731403d85e40d690d80c0fa55c33b1c57d6593a1490898d984

SHA512
0a7f96c133bbdc5010ae8d62336066a2cd6edfc1f0e950b1bc428213840a374178063168ea5b38da3353e632a2517bbd8dfd7b8afbbeb6603eb8584954bebd74

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYqBEPeM.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYqBEPeM.xlsm

Filesize
24KB

MD5
3ed341b1f2db879f27a36a2decec52f1

SHA1
7532027d4cf89c30abe0c01c7af448cb8756fbea

SHA256
ec814ff82a572019c2d39b00efb17af09a77d62136919349c69c5a8de87fd684

SHA512
99c2f104c64ff2e810e71ec354609dbc07fc3f4809df3eade5b552ae5a10d84f288ea2ca8844893a7ec2fb013b8076c4345883bf9e158329f48dc711ca667e91

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYqBEPeM.xlsm

Filesize
25KB

MD5
5111b472353e855d335c995ad2985ad0

SHA1
25ccbe4c26cf8b52750995cacda1b8e726427792

SHA256
7490d9ed3d0f32e8000cb28afadb638c54cd6d7fcdcad933379a567d9aeda0d0

SHA512
5c3a4cdbb51180f85b93c48b5b99b311ada19aec039665b9a6ad6d8b1a9df3b1fe13d06b27d39ec54bf2bb890333bbf02efa73e91219e1abc08190b016c1dfa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYqBEPeM.xlsm

Filesize
28KB

MD5
4dcf93df6747116bc4a415b822363031

SHA1
718bf0fd8cb164c8ae6a482eb75d5983ccb9a68b

SHA256
e65638c15aacb50d869469d75d59f60adbebe59a371d5ace016c9404830ddaa6

SHA512
6231d84e3691a2ae8ea40f8331da8d7ad3c8986f6fd428a720c6f794d1afad10e27568b8c787292d284f0b56ed6bf4b7761ee63bab340771699b1fe923d6f7fd

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_6011e2b900f0bfdd612c73834be817399051ace569e81906f893dc80e014b2f2.exe

Filesize
580KB

MD5
89fadc3fffa70a3589968b544d07913d

SHA1
08c0fea24e14cd7294cba37e51dbc6927bbae726

SHA256
d509b098f77b3397aa2d2132383d2ed98e240b3e2fd5d4d74c4f53cfd242b5e4

SHA512
e9868f823fe3ddf8bec61c5f51ace83bc542c3fc47bb204555eb33f85f352a8ab42cb34ae1ceff0b9151ebf0b7a2651929ec6d8dfb09b6070c7c6a87952f94ae

Download Submit
memory/1864-28-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/1864-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2520-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2792-41-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2792-133-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2792-134-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download
memory/2792-166-0x0000000000400000-0x0000000000553000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads