Analysis

  • max time kernel
    131s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-01-2025 04:42

General

  • Target

    db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe

  • Size

    6KB

  • MD5

    06303600a3a44eb2fbce248eb0fe9fc1

  • SHA1

    ccfb720a50808469da5d67eea306d08f51e11538

  • SHA256

    db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85

  • SHA512

    b135f23760aba312cb0c0cab697d2ec4f735f5cad9011d3b11310eb9cc59f65c4ffdc757e4f39bdcf6c8abb3badb6865301ffd5ed817c1251b6ecabe21f17df9

  • SSDEEP

    192:DfaOBqbo/qmA2LEnrtDINynT+vCgcJXB:OOY8tLqltJXB

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is a backdoor written in Delphi.

  • Xred family
  • Downloads MZ/PE file
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 9 IoCs
  • Executes dropped EXE 9 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops desktop.ini file(s) 1 IoCs
  • UPX packed file 9 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in Program Files directory 4 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 25 IoCs
  • Modifies registry class 3 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of SetWindowsHookEx 13 IoCs
  • Suspicious use of WriteProcessMemory 33 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe
    "C:\Users\Admin\AppData\Local\Temp\db69f19879e131fd35e882606148335c6dcb26cbea650d394ba519d76c57bb85.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Program Files (x86)\1.exe
      "C:\Program Files (x86)\1.exe" 0
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:4416
      • C:\Users\Admin\AppData\Local\Temp\._cache_1.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_1.exe" 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3804
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1136
        • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:3756
    • C:\Program Files (x86)\2.exe
      "C:\Program Files (x86)\2.exe" 0
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1764
      • C:\Users\Admin\AppData\Local\Temp\._cache_2.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_2.exe" 0
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2592
    • C:\Program Files (x86)\3.exe
      "C:\Program Files (x86)\3.exe" 0
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3172
    • C:\Program Files (x86)\4.exe
      "C:\Program Files (x86)\4.exe" 0
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4720
    • C:\Windows\wic.exe
      "C:\Windows\wic.exe" 0
      2⤵
      • Drops startup file
      • Executes dropped EXE
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2352
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "shutdown /r /t 0"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:4220
        • C:\Windows\SysWOW64\shutdown.exe
          shutdown /r /t 0
          4⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          PID:2244
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4996
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa398c855 /state1:0x41c64e6d
    1⤵
    • Drops desktop.ini file(s)
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2436

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files (x86)\1.exe

    Filesize

    811KB

    MD5

    d026cfe00b08da14b0a8b7f8860887d7

    SHA1

    08ef96351067f151c19b9cc21605ea018fb43a18

    SHA256

    e261d309f30de33a1ba0aa43604db15f3326c6c8c5b291bdd52f18ea361fe3dd

    SHA512

    4ef560ff8c6a9a143b9365884c0c999a1fbf5ee638f170ad96add2b8b56933038d573cb31f45724a7f1a7b6a35cd2557344bd55c746fc9e9da38ecd3bdd6361d

  • C:\Program Files (x86)\2.exe

    Filesize

    4.4MB

    MD5

    85a57509db3e9dfa7b4e451b8243220d

    SHA1

    ee21f93372218959f8b3dcefaa2c680d857e9e52

    SHA256

    fcd8d4592cf92fb9f9235a2774cdc8aff4265d4015269fb7aa995182f8ce26e1

    SHA512

    104615f2366e06cbba58a87f2e01d6806c1871c29af8277e06fcdb385f4ae6beb37c3bafd861c320a01303a287a68ae9b5d8640f29a39c21fe38ad9803ebe00d

  • C:\Program Files (x86)\3.exe

    Filesize

    9KB

    MD5

    1edb88f9ee745eaaee2cbd8219318eb0

    SHA1

    6561c12d51090972b6f866f38f8ed281c5c83313

    SHA256

    0ac1125284e2600d3714c0226f800f4d8d9aa291fa299bb1d33b7d8984b5e1c0

    SHA512

    a2a20a70c9e1db729f716706796027a5c9002ad000e75c0dced3ece6f26d76ee0803acc31d3a116266e711ec6a16d33c0668412238dfe0f128f3a841232ff4c5

  • C:\Program Files (x86)\4.exe

    Filesize

    338KB

    MD5

    39e7be73c7531ac895f75834fdc1bcd6

    SHA1

    646b88b488cf673c38b56fe7748c70b31bb29fc3

    SHA256

    a176e32335d81e69906f1c062e62247e97b8863f2c6148a36713e5bed5d16195

    SHA512

    e5c34ef2d309ef2071495a359999b9f8dbeb6d7db1daa67e82494d71b0f1e888d0958b5a503cb3b0e505b70f26cfefe362d6301599143bedb40a19fdb60ef072

  • C:\ProgramData\Microsoft\Windows\SystemData\S-1-5-21-4089630652-1596403869-279772308-1000\ReadOnly\LockScreen_O\LockScreen___1280_0720_notdimmed.jpg

    Filesize

    367KB

    MD5

    fe90d5da49104eda6b8356126c4a325a

    SHA1

    54cfba4587bf9aef30d5131de0badf053f666a1b

    SHA256

    770f2e38bfaa00f4796511f4d38fc76259a764ed60d7c256ba03b2cc25d58576

    SHA512

    b557a3e6364fec76223107995dd8b9cce6d06c6f67efa288c91b01919d84f9d25b316753d902c77db321e6081295a1023d5d06f7fb27980bfb27a4b1fe6a584f

  • C:\Users\Admin\AppData\Local\Temp\._cache_1.exe

    Filesize

    58KB

    MD5

    aed710082d6986c6dceed09d3a5edcc6

    SHA1

    02456d21cef29be4cb63004aea6aa225a90fd882

    SHA256

    5cbe5888cd034b95b14f4ad7c63f84f9c9bc605558c5cc484e26c13f1978399e

    SHA512

    4bccab62e816e296becd7318ff76d8fefa1f1cd25bdfcfb092c4424f3cc37e9edb46c90dae78d364c4406c954eaf75a6e18b7499d51b164d1ddf0136e4f52050

  • C:\Users\Admin\AppData\Local\Temp\._cache_2.exe

    Filesize

    3.7MB

    MD5

    b7176450aebb9572b34e875984456ac1

    SHA1

    5d9d1824c5c235dcfc82e6e3af48b63d70016393

    SHA256

    f78dcb1b389c99240befde490f8c74d9c9487f54e1f523397aa056072003a4c2

    SHA512

    4c9aba9b92972312c87d2b875246b22dafcb49a0f519291fba823ce57dd9282e25489a7cddf7dfb432caa921602db6266b0e625aae780845824f91cf48d8f85d

  • C:\Users\Admin\AppData\Local\Temp\4BIfRNA7.xlsm

    Filesize

    23KB

    MD5

    58b0de28ac77d18f3bf0269806e556f4

    SHA1

    a172df9cd00a58a5b5aaaf588d8f6b8b94bae590

    SHA256

    c1f35354d4b9e4ad563c4caa910cb9cb9ae9b5614a52fa4ac1e3a4118212b8c8

    SHA512

    17d8d889c646f73824c21b956e7bf8ac79ee11408ee3402fd08498e04175a0d327d3926819d3e49f764402dbe087382f9dade6f068af42e4a1e99a8afe086816

  • C:\Users\Admin\AppData\Local\Temp\4BIfRNA7.xlsm

    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

  • C:\Windows\wic.exe

    Filesize

    3.3MB

    MD5

    6ad65b03e75bc5509ba3104510178ee6

    SHA1

    dba73f97938d2dab4bf8fb8076b363db82ad3a16

    SHA256

    4d74eb72321c5137ed364541deef19ddc30593fff62abab2a3d17a0bad7bd5c6

    SHA512

    976c7aba50e17271f6aea4ab80e7bc89e68727164d98d99566e0752b4989d716a849b0cc53f0321a53dce6086ef4cab1604aae8456ce76bfeacf185137aa8ba8

  • memory/1136-341-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/1764-245-0x0000000000400000-0x0000000000874000-memory.dmp

    Filesize

    4.5MB

  • memory/2228-322-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/2228-0-0x0000000000400000-0x0000000000408000-memory.dmp

    Filesize

    32KB

  • memory/3172-241-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/3172-338-0x0000000000400000-0x000000000040C000-memory.dmp

    Filesize

    48KB

  • memory/3756-340-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/3804-336-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/3804-54-0x0000000000400000-0x00000000004A4000-memory.dmp

    Filesize

    656KB

  • memory/4416-119-0x0000000000400000-0x00000000004D1000-memory.dmp

    Filesize

    836KB

  • memory/4416-17-0x00000000007E0000-0x00000000007E1000-memory.dmp

    Filesize

    4KB

  • memory/4996-242-0x00007FFC5A2D0000-0x00007FFC5A2E0000-memory.dmp

    Filesize

    64KB

  • memory/4996-218-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

    Filesize

    64KB

  • memory/4996-220-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

    Filesize

    64KB

  • memory/4996-219-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

    Filesize

    64KB

  • memory/4996-221-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

    Filesize

    64KB

  • memory/4996-217-0x00007FFC5CC30000-0x00007FFC5CC40000-memory.dmp

    Filesize

    64KB

  • memory/4996-222-0x00007FFC5A2D0000-0x00007FFC5A2E0000-memory.dmp

    Filesize

    64KB