xred | b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 07:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
Size

765KB
MD5

033cde990fe1a9d15fa070f9ef142ebb
SHA1

30f3557e1f228b1c4b54f4afd3f4987b53bb0da0
SHA256

b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004
SHA512

696d35e470fd9c5bb23951ad77930db5933ece144150b5fc613aca92bcc9ac82a03d05411e367a665a58f8d53e225364af67d3bbab0e7c81d7cd8a21223a85f5
SSDEEP

12288:CMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Q/oj:CnsJ39LyjbJkQFMhmC+6GD9MI

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00090000000160ae-89.dat
behavioral1/files/0x000700000001903d-113.dat

Executes dropped EXE 3 IoCs

pid	Process
2520	._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
2220	Synaptics.exe
2804	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
2220	Synaptics.exe
2220	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_Classes\Local Settings	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2408	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2804	._cache_Synaptics.exe
2408	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2520	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 2296 wrote to memory of 2520	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 2296 wrote to memory of 2520	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 2296 wrote to memory of 2520	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 2296 wrote to memory of 2220	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 2296 wrote to memory of 2220	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 2296 wrote to memory of 2220	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 2296 wrote to memory of 2220	2296	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 2220 wrote to memory of 2804	2220	Synaptics.exe	33
PID 2220 wrote to memory of 2804	2220	Synaptics.exe	33
PID 2220 wrote to memory of 2804	2220	Synaptics.exe	33
PID 2220 wrote to memory of 2804	2220	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
"C:\Users\Admin\AppData\Local\Temp\b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Users\Admin\AppData\Local\Temp\._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2520
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2804

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
765KB

MD5
033cde990fe1a9d15fa070f9ef142ebb

SHA1
30f3557e1f228b1c4b54f4afd3f4987b53bb0da0

SHA256
b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004

SHA512
696d35e470fd9c5bb23951ad77930db5933ece144150b5fc613aca92bcc9ac82a03d05411e367a665a58f8d53e225364af67d3bbab0e7c81d7cd8a21223a85f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe

Filesize
11KB

MD5
6bd00bcdba9fcda14497510d62931077

SHA1
e116a1f1d6cf4f429250b3aa98bf84596bbef78c

SHA256
9dd804cc9c950322d3780e9b2b774cfd5b6f3bf875fec20f7bd7ba868eb77f30

SHA512
19c3f0fa712f7bf7562de015d1de2c1570540d53bfb0ad9a78b5031697fe75524c8f6898975530ad52303ea3ba3f41570711d22cec3dde9486c0742b2d9b6146

Download Submit
C:\Users\Admin\AppData\Local\Temp\3U5qAE9k.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\3U5qAE9k.xlsm

Filesize
23KB

MD5
0934615f8816c768e12cbb690f6ece45

SHA1
9f9ae3c679b8d9a7cafba46af7cb81b64c2d84ee

SHA256
3575d2139c154b9a8db26f1b338de422486ee573ee65c2f0a991b3cf44fed6e5

SHA512
a74a67ed6ef509d89e26b13f8e47f30c97d5f571284a22e4ada098e722a217e138b5bdcb2539089af8715465b086232a7760f75a6b453c59c149b0d262b2a112

Download Submit
C:\Users\Admin\AppData\Local\Temp\3U5qAE9k.xlsm

Filesize
21KB

MD5
319790b3b22ffabd7c3d75105237b652

SHA1
1250f5b50df3e56767894c6b5eb94a8ce08874bd

SHA256
53f78683f3a7ada49f2184c8d6149cc363e42671a5152c6ff3b558a76ab1b269

SHA512
b45d75f27d0f95295b5b33dc7cef4d981012c1265f819e72af192e9c213efd7623dd742b12bddb7378ece28868f460f25856ca3c28a8f910acd4bc4360d17df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3U5qAE9k.xlsm

Filesize
25KB

MD5
73bf14962de135996491279f0420db3b

SHA1
b11cd7e69bcb5936ac5aa5d0144d8b6105101a8f

SHA256
a0831ee6378993dac86e43ca1354aed6408cfd0299ab2e5e7da9299ff295efdb

SHA512
11f9635f8181fe37cba2490d8350eca299167aa32312b174b6a9eda8b4afe83f19790bebfe67bf1ac4ae274ee092de74132e15a0783bbd4b174c9284bbf7c711

Download Submit
C:\Users\Admin\AppData\Local\Temp\3U5qAE9k.xlsm

Filesize
21KB

MD5
ee4efad77f0072d33c8d640571270981

SHA1
40158c02e03a8227cd6503afda1261ea8e203c58

SHA256
149a56af3320029d6852fdb2f68d6e1eb6a1f2ba206a312dd5d4c7d68cea49c2

SHA512
35c89e16a157082f47b7cf5197481cc8a389ebdeeb284531ff15f02e091369ce7c0014ec234eba5a5d5879467bfb634903f7a684904de759c46509abba27653c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3U5qAE9k.xlsm

Filesize
26KB

MD5
997270625764c71475705fdfca18d69d

SHA1
9a5fddef1ba9b9c6fb3ea63242161f192b965145

SHA256
acfbbbf6f7e3c26fed1fb78c2e6fa6229de70f32102a61d202ae3b9320e4c4c4

SHA512
bd6414847e7cef3fd9fdb05e3603e07edf66353af5a9715ac47e07ab253d2664db7111136b99fa11e673405cb915f80985102b3274f30ba922ad85627447f3cf

Download Submit
C:\Users\Admin\Desktop\~$OpenBackup.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/2220-40-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2220-129-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2220-130-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2220-163-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2296-26-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2296-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2408-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2408-128-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2520-29-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2804-39-0x00000000066C0000-0x00000000066C2000-memory.dmp

Filesize
8KB

Download
memory/2804-38-0x00000000012B0000-0x00000000012B8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads