xred | 70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-01-2025 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
Size

14.5MB
MD5

7274b0b15c4e6d5bbe8db5aa93c65a12
SHA1

643418b70ee7242fb4cf797e54ec78c910d32824
SHA256

70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435
SHA512

241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224
SSDEEP

393216:o0d/FlptVYmfr7yBG/4JU4TRjtjUMy4i6kgsY7A:H1PpttD7yBG/QHTJtYMyke3

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 5 IoCs

pid	Process
1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
2344	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
2652	Synaptics.exe
1084	._cache_Synaptics.exe
796	._cache_Synaptics.exe

Loads dropped DLL 9 IoCs

pid	Process
3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
2344	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
2652	Synaptics.exe
2652	Synaptics.exe
1084	._cache_Synaptics.exe
796	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
572	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
572	EXCEL.EXE

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 3060 wrote to memory of 1972	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	30
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 1972 wrote to memory of 2344	1972	._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	31
PID 3060 wrote to memory of 2652	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	32
PID 3060 wrote to memory of 2652	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	32
PID 3060 wrote to memory of 2652	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	32
PID 3060 wrote to memory of 2652	3060	70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe	32
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 2652 wrote to memory of 1084	2652	Synaptics.exe	33
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35
PID 1084 wrote to memory of 796	1084	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
"C:\Users\Admin\AppData\Local\Temp\70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe
    "C:\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2344
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1084
  - - C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe
      "C:\Windows\Temp\{82637216-CAE8-4BCF-858B-F9CE2AF2FEAC}\.cr\._cache_Synaptics.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188 InjUpdate
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:796

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
14.5MB

MD5
7274b0b15c4e6d5bbe8db5aa93c65a12

SHA1
643418b70ee7242fb4cf797e54ec78c910d32824

SHA256
70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435

SHA512
241ca5eaa520a22a1c264f2fd3307c95d78fb56c2433602e42dcf9f2eb419ed2d43d40f6524a61a1d6e696375f7ea722fd502fa939d4453d88ca63ac068be224

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
21KB

MD5
955962bcb3fb38fc32e84a85af7ec14a

SHA1
615808b78f03ef029a31e9c90f2aca4c3e3fd8e5

SHA256
068c29b84dce0e70c53ff86c738c5b0d33f84ea8e3bda8baabafc126b994c74d

SHA512
298320e195fbb996a383693c8ef108ae5d34f082029e9cf51f88683d80c57b60286672ece75cc661587f927b5be482bd015628802fe31a119c0001eb7c35e977

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
22KB

MD5
c103d59378ed4bc475b7e3aa893cec70

SHA1
c71448efa09c5f956ffe1bb7db6827ab2f0ef836

SHA256
f74d7ce43c5a65c3d9c285bc179fa4ab6374e2aa224e4cf941a7eed5c3f81e37

SHA512
8028535c059484d4b832771f7af4d5bae2eb3f89c9382a3c0cc7c08fc221c67fe8a46c343e8e0086a8501b026d8be5a123406c1f9e4f916836abc3d758dde3cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
22KB

MD5
52457299604c539ce8411e0715c319d5

SHA1
b962722e6dfdcf548878546fe29d5a9957a10a53

SHA256
df0ed27c2ef12bfcf7ad64e29881cc255a6907ded0b9c2511481992af2176e59

SHA512
326ab24d2608620b7b6db0fcc0346e6a027b005c257074f75c717f794d813c5c62109de836b5242a4af0c97fc6a6441cf62a122f9b486e1cc2a1aa7080a2e81d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
23KB

MD5
4902c345b9db73ca26e4bb9b65e0e6d1

SHA1
4a687843fa1ce4ecaafcf04535d0e4147553f9a2

SHA256
6467833674170d5f3c470f2189111e8817576cb3c50579e03a9b37e3e6ddcc2a

SHA512
98c02e3dbfbd4bfc66ab69fb45245958b9a7255ea93ea22182cc61f5e8188bda4adb6f46da14bb998565384fbf13916f8fa3551021aa2d97d85f186477f794f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
24KB

MD5
6331dabfaff67e686a38d50040613882

SHA1
0d198576b441c4136180502cc097b8f0739bd957

SHA256
49746b5b74ed7e725a2c485f3cec2389198a2c6f470cac1a1c6c91549074ff65

SHA512
77eae6110be75406c80e23a2f5591c80ab3926fabd34ce2cf410a166cce9cc4314911bca5a21ce4260fcd05cfc20c8ee75e22791da51e530fedff843bbf713c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ghkOwGk4.xlsm

Filesize
25KB

MD5
49d6bffd6cac4075fd9d2d33d5f1a406

SHA1
6f15b0167d3f90ba34c1cb47fdbc28ba45f73c94

SHA256
f7a7c7fe1230a17144be19dadc15f45d7f10da35e8b46fa6000348341ddbca22

SHA512
2ee44218587a7f3977748c8bfc2c436596a6b32428cd36ceee0da97e8163cc79a30901ce5e619027c6e536cd2206a9bf0b8b6841059ee1c4f9d7d9ac1b4aa4d6

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\Temp\{F334285F-72CA-46DE-8C3B-1EEB68BD0DAB}\.ba\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

Filesize
13.7MB

MD5
de34b1c517e0463602624bbc8294c08d

SHA1
5ce7923ffea712468c05e7ac376dd9c29ea9f6be

SHA256
ac96016f1511ae3eb5ec9de04551146fe351b7f97858dcd67163912e2302f5d6

SHA512
114bca1ecd17e419ad617a1a4341e607250bcb02626cdc0670eb60be734bbad1f3c84e38f077af9a32a6b1607b8ce6e4b3641c0faefaa779c0fec0d3ac022dac

Download Submit
\Windows\Temp\{22015C37-1906-48AA-BC4F-73B6BA618102}\.cr\._cache_70c87af178a804f97a312d3d8d509d5c6f4a54ac07d08bacf858e6687de7e435.exe

Filesize
632KB

MD5
2f9d2b6ce54f9095695b53d1aa217c7b

SHA1
3f54934c240f1955301811d2c399728a3e6d1272

SHA256
0009d3f27837c3af3f6fff7973faf07afaa4b53119846f55b6f2a79f1759c757

SHA512
692857f960f26039c7b0af6329e65a71e8588ff71eaac6b956bd6e437994a8d5a470c7e75dd776e0772e473967b64d5ea0e1d8396546691316daf4d6b8ccc237

Download Submit
\Windows\Temp\{F334285F-72CA-46DE-8C3B-1EEB68BD0DAB}\.ba\wixstdba.dll

Filesize
191KB

MD5
eab9caf4277829abdf6223ec1efa0edd

SHA1
74862ecf349a9bedd32699f2a7a4e00b4727543d

SHA256
a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041

SHA512
45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

Download Submit
memory/572-135-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/572-233-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2652-234-0x0000000000400000-0x0000000001281000-memory.dmp

Filesize
14.5MB

Download
memory/2652-301-0x0000000000400000-0x0000000001281000-memory.dmp

Filesize
14.5MB

Download
memory/2652-333-0x0000000000400000-0x0000000001281000-memory.dmp

Filesize
14.5MB

Download
memory/3060-67-0x0000000000400000-0x0000000001281000-memory.dmp

Filesize
14.5MB

Download
memory/3060-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads