Overview

overview

10

Static

static

5

db69f19879...85.exe

windows7-x64

db69f19879...85.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-01-2025 04:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

  • Size

    6KB

  • MD5

    06303600a3a44eb2fbce248eb0fe9fc1

  • SHA1

    ccfb720a50808469da5d67eea306d08f51e11538

  • SHA256

    db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85

  • SHA512

    b135f23760aba312cb0c0cab697d2ec4f735f5cad9011d3b11310eb9cc59f65c4ffdc757e4f39bdcf6c8abb3badb6865301ffd5ed817c1251b6ecabe21f17df9

  • SSDEEP

    192:DfaOBqbo/qmA2LEnrtDINynT+vCgcJXB:OOY8tLqltJXB

Score
10/10
xredbackdoordiscoverypersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Downloads MZ/PE file
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops desktop.ini file(s) 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 25 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 17 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
    "C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4712
    • C:\Program Files (x86)\1.exe
      "C:\Program Files (x86)\1.exe" 0
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4900
      • C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:436
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:4492
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1004
    • C:\Program Files (x86)\2.exe
      "C:\Program Files (x86)\2.exe" 0
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3772
      • C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:3632
    • C:\Program Files (x86)\3.exe
      "C:\Program Files (x86)\3.exe" 0
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:60
    • C:\Program Files (x86)\4.exe
      "C:\Program Files (x86)\4.exe" 0
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2468
    • C:\Windows\wic.exe
      "C:\Windows\wic.exe" 0
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4052
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2912
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /r /t 0
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:3156
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4400
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa39ac055 /state1:0x41c64e6d
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:3152

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\1.exe
    Filesize

    811KB

    MD5

    d026cfe00b08da14b0a8b7f8860887d7

    SHA1

    08ef96351067f151c19b9cc21605ea018fb43a18

    SHA256

    e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd

    SHA512

    4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

    Download Submit

  • C:\Program Files (x86)\2.exe
    Filesize

    4.4MB

    MD5

    85a57509db3e9dfa7b4e451b8243220d

    SHA1

    ee21f93372218959f8b3dcefaa2c680d857e9e52

    SHA256

    fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1

    SHA512

    104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

    Download Submit

  • C:\Program Files (x86)\3.exe
    Filesize

    9KB

    MD5

    1edb88f9ee745eaaee2cbd8219318eb0

    SHA1

    6561c12d51090972b6f866f38f8ed281c5c83313

    SHA256

    0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0

    SHA512

    a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

    Download Submit

  • C:\Program Files (x86)\4.exe
    Filesize

    338KB

    MD5

    39e7be73c7531ac895f75834fdc1bcd6

    SHA1

    646b88b488cf673c38b56fe7748c70b31bb29fc3

    SHA256

    a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195

    SHA512

    e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

    Download Submit

  • C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-3227495264-2217614367-4027411560-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg
    Filesize

    108KB

    MD5

    c89510a520601efe72caff55feec32ea

    SHA1

    87c5ee03ae56503fba1cc9c1e092182880d49795

    SHA256

    5d988846715f45d37dde32eb39cbb5815e1a0f8d966f5dfe94491fe6c83f762d

    SHA512

    7af7cb61dfe2d145f77a9fb9691f94a26ede47270c96acc397f6a99f1c68d3b796818a62f2e492ad16e7b14bd1fe3bed5e20d51d29489e1003977274b489bf2e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
    Filesize

    58KB

    MD5

    aed710082d6986c6dceed09d3a5edcc6

    SHA1

    02456d21cef29be4cb63004aea6aa225a90fd882

    SHA256

    5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e

    SHA512

    4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
    Filesize

    3.7MB

    MD5

    b7176450aebb9572b34e875984456ac1

    SHA1

    5d9d1824c5c235dcfc82e6e3af48b63d70016393

    SHA256

    f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2

    SHA512

    4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\D0A75E00
    Filesize

    21KB

    MD5

    ddbfb6f54e9027f95b5a56313ee5a66c

    SHA1

    60ba07d718d7881ab1f846a63dded10b4436f93c

    SHA256

    7f0a9f4ec3924e815f180d28027e88e916f4a40acdbff39290d6c2285ae8fb97

    SHA512

    d0e1ccfd5c753a0fabed126242cc47feca0f8901ef51b47362714f7d2d127f3481feb4d0ff3446798e47b54d746b659649c56c5b69b14e4803e8c6c49261999f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\w1rtKyBH.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Windows\wic.exe
    Filesize

    3.3MB

    MD5

    6ad65b03e75bc5509ba3104510178ee6

    SHA1

    dba73f97938d2dab4bf8fb8076b363db82ad3a16

    SHA256

    4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6

    SHA512

    976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

    Download Submit

  • memory/60-340-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/60-247-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

    Download

  • memory/436-337-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/436-55-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/1004-169-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/1004-335-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/3772-234-0x0000000000400000-0x0000000000874000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/4400-218-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4400-231-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4400-219-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4400-220-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4400-221-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4400-222-0x00007FFB3C7D0000-0x00007FFB3C7E0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4400-223-0x00007FFB39FD0000-0x00007FFB39FE0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4492-341-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/4712-322-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4712-0-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

    Download

  • memory/4900-119-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

    Download

  • memory/4900-17-0x0000000002260000-0x0000000002261000-memory.dmp

    Filesize

    4KB

    Download