xred | b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004

Analysis

max time kernel
144s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
Size

765KB
MD5

033cde990fe1a9d15fa070f9ef142ebb
SHA1

30f3557e1f228b1c4b54f4afd3f4987b53bb0da0
SHA256

b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004
SHA512

696d35e470fd9c5bb23951ad77930db5933ece144150b5fc613aca92bcc9ac82a03d05411e367a665a58f8d53e225364af67d3bbab0e7c81d7cd8a21223a85f5
SSDEEP

12288:CMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Q/oj:CnsJ39LyjbJkQFMhmC+6GD9MI

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00070000000174f8-87.dat

Executes dropped EXE 3 IoCs

pid	Process
2540	._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
2260	Synaptics.exe
2828	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
2260	Synaptics.exe
2260	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe

Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	._cache_Synaptics.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	._cache_Synaptics.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	._cache_Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2640	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2828	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2640	EXCEL.EXE
2828	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2540	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 3044 wrote to memory of 2540	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 3044 wrote to memory of 2540	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 3044 wrote to memory of 2540	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	30
PID 3044 wrote to memory of 2260	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 3044 wrote to memory of 2260	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 3044 wrote to memory of 2260	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 3044 wrote to memory of 2260	3044	b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe	32
PID 2260 wrote to memory of 2828	2260	Synaptics.exe	33
PID 2260 wrote to memory of 2828	2260	Synaptics.exe	33
PID 2260 wrote to memory of 2828	2260	Synaptics.exe	33
PID 2260 wrote to memory of 2828	2260	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
"C:\Users\Admin\AppData\Local\Temp\b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2540
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2828

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
765KB

MD5
033cde990fe1a9d15fa070f9ef142ebb

SHA1
30f3557e1f228b1c4b54f4afd3f4987b53bb0da0

SHA256
b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004

SHA512
696d35e470fd9c5bb23951ad77930db5933ece144150b5fc613aca92bcc9ac82a03d05411e367a665a58f8d53e225364af67d3bbab0e7c81d7cd8a21223a85f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
22KB

MD5
9daf5ad9228af50478a865efc1b7ee5b

SHA1
c927d0c6517c4b5b5210048bd4bb2ae86780bad4

SHA256
6ecf2c5206d33438276e01f04505f85d246b81608a0df36df50981f12ccfac5c

SHA512
fd8b94857432e7084562ca584939ea8d32ee5303caabc616c0071c2ac01f52e98d348433bb107ce6fff00bdcfb357a71aacdf67e6989241bf3f47c93bb1a4ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
23KB

MD5
18964d8c83eca9439cec269093bf352a

SHA1
3f21661201fbe8dd60445d982a6c2a30a69ddb4c

SHA256
685b2097197a5169f38cc42e1193bd929704641b07d58cbc93b1316aeb305a56

SHA512
28ac62d3c4b85a02acee380c1e289788d97ec16b4f37bd5a0b7068a8ea7ede2d0b305c0f866a3dd2d0ff9e494e99c0260ac064e0c423fdcf725056e2473c8030

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
21KB

MD5
26e977029312090962a488c928e4aaa0

SHA1
657b094fb7254c88341bd8b67fdec5aec921892b

SHA256
2cb29e3c54c7c72d18daa08772b2e2fa4f878b5a2078067b0ee66597d077e526

SHA512
cfc4a3fd0c44c7518d7d36acdcb981d1ae0936f2f05f2608717fd07b12ba788a7b276032d40d7308af8cf39907630ff4fc83261ba8f05783bce4430b248f8eb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
22KB

MD5
079b707bade67002694059c15944a0a6

SHA1
54ad2634eb526b0d88d3c0bfff42ae9b96eb9b8f

SHA256
a3fe7e69649eff545b3f5ac8bc6ea454a3c532e61b06bb3149981b4b9b353bb3

SHA512
7f998994cb80e6879737f5dc9d416a14ec5eb08cfb04c17006d32640a498e5136038cae3d579f7b9ab614bbfb21165316e77e6257f9e785214ef7cf23ac891aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
24KB

MD5
250d02f43a4cf422e40d86a5057102c1

SHA1
7f8921a5f53080315a3ddb9630b92f3a8205017a

SHA256
ebc6b1448744f1ac4dfd6d6f1cb3d1b6c0538092530a172e2c224cc9a80a88d9

SHA512
4724d72519eb29e78a0506c433e37d441cbd85b751f0be740fbfb8b1c873df99f5c75f1993e900d617db0e1291f969083e7825e625cc20ac6d9237e9ea81a68d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KHjCuD9A.xlsm

Filesize
25KB

MD5
1ab8e13111d0d984f566bbb02adbaa43

SHA1
f9423052ab07ceb935913f45b8b5ffecdc657e63

SHA256
b8e57b4268825c185d2253ffaf0d0efee47ac49823eed12ad1ce4dff7ebc3535

SHA512
14ba4b91fb815a9d1478247760eb836420632c6f3ffe83b1f64a4ae9aade6d1d076afb5166dfb44600256104ed4c37f95cbe34f8efd25411fc7aff3055a1fee5

Download Submit
C:\Users\Admin\Desktop\~$LimitTrace.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_b097eb6bcc9eb5f5fd17a77654739e4e186cfe29afa2168ec72a42c2c8e6b004.exe

Filesize
11KB

MD5
6bd00bcdba9fcda14497510d62931077

SHA1
e116a1f1d6cf4f429250b3aa98bf84596bbef78c

SHA256
9dd804cc9c950322d3780e9b2b774cfd5b6f3bf875fec20f7bd7ba868eb77f30

SHA512
19c3f0fa712f7bf7562de015d1de2c1570540d53bfb0ad9a78b5031697fe75524c8f6898975530ad52303ea3ba3f41570711d22cec3dde9486c0742b2d9b6146

Download Submit
memory/2260-173-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2260-139-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2260-140-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2540-29-0x0000000000D20000-0x0000000000D28000-memory.dmp

Filesize
32KB

Download
memory/2640-137-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-39-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-138-0x00000000068B0000-0x00000000068B2000-memory.dmp

Filesize
8KB

Download
memory/2828-38-0x00000000010B0000-0x00000000010B8000-memory.dmp

Filesize
32KB

Download
memory/3044-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3044-26-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads