Overview

overview

10

Static

static

10

21d35a7d04...54.exe

windows7-x64

10

21d35a7d04...54.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    119s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2025 12:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54.exe

  • Size

    2.4MB

  • MD5

    1e148da61555b6d30c6ba6e5b4e5010c

  • SHA1

    56d1b7b37873b084837ea73b96ae384bf9e0100a

  • SHA256

    21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54

  • SHA512

    f6c2b9ebb2784f0c768ab12ba1327cb86a7387d3a942bf0f16e29b1788d96400a3b55df1cf442bb65dc89646afcfc27b838022c4f36991710b5bc9c97494166f

  • SSDEEP

    49152:InsHyjtk2MYC5GDcj0c1qaggaqW+2JsKomXNqSf0E7T3rOL:Insmtk2arjnxC5sHmQXE7GL

Score
10/10
xredbackdoordiscoverymacropersistenceupx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Suspicious Office macro 4 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 7 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • UPX packed file 7 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Modifies registry class 36 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54.exe
    "C:\Users\Admin\AppData\Local\Temp\21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54.exe"
    1⤵
    • Loads dropped DLL
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\._cache_21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:1732
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2140
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:2924
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2668

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    2.4MB

    MD5

    1e148da61555b6d30c6ba6e5b4e5010c

    SHA1

    56d1b7b37873b084837ea73b96ae384bf9e0100a

    SHA256

    21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54

    SHA512

    f6c2b9ebb2784f0c768ab12ba1327cb86a7387d3a942bf0f16e29b1788d96400a3b55df1cf442bb65dc89646afcfc27b838022c4f36991710b5bc9c97494166f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\a4gnFvB.ini
    Filesize

    1KB

    MD5

    4c549cced7c148ab3e29b78a6566b953

    SHA1

    d6b54cbca4aa33654a8770a4ebd489edfcaaa499

    SHA256

    6214cbb3b040dc1c80d6f0529fc00e690185f83e1353a7b394d4a78b713c96fc

    SHA512

    eeb297f90c88efbb182ded5a2a3670b2ca90a2abd4d0d1c3b1c65824a3d45525ac0fb60987538b20ac937a894f921e44353974c5e6ccf01ae68809f23b911424

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c9SVfVwR.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c9SVfVwR.xlsm
    Filesize

    25KB

    MD5

    8ef051ba1725e24aa3d93e15334a6ec2

    SHA1

    7249cf72edf18ffae50ac41721942854cedd88b4

    SHA256

    04b27ed80d297595f199239dc50deb744bb68f69b21bed7c7060342b6fc89990

    SHA512

    284edf61b46dae39f0d53718a877448c7b53bf30f1202cc8b547579fa360fe359f36f75861c3ad5ff772214b43928c6deb1e9ef179cb7b3249c0d4dbdd594fb9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c9SVfVwR.xlsm
    Filesize

    21KB

    MD5

    eb6fedc9b6c8d8bdac77e42928cb8256

    SHA1

    ad1511456ac73570398cdd393eb7a2697b12e049

    SHA256

    2dc5aa2153543bcb6b956fa939245f397754caa74ef4c6c71ddb0a309b3e3af4

    SHA512

    4817e747e2cbf3fbab0624fec7cf73d28959d22dd71ba8b06e210d4fb0d40f830117c2fed0822eb3adc2576168217c4f880ee3c348c2b2c9abcd94edf3eed5af

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c9SVfVwR.xlsm
    Filesize

    27KB

    MD5

    4f1a5800b7fa32d7428ab8efc4718049

    SHA1

    04d1544f77338b35e175ed7ff4cc8d13df68d46c

    SHA256

    670553923227ad0c0a5ff28953c13439a1bc9fea2539906fe55ff9410973066b

    SHA512

    6a13cacb437fe9d7b854b71fdbdd42e53994d005c6aeb25af46ec708bddf59b5f50291e492c27d48c77ff877de8f1ede49097a26b746f4db9b091b1796d1c57d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\c9SVfVwR.xlsm
    Filesize

    25KB

    MD5

    2854302232e8d79cab28bb3d025af171

    SHA1

    f9071b98b8e870835f390f3e7eff092745bed2e9

    SHA256

    7544d93cf420b822c9a07fe37f4d2eeb42f697a6809b8fcfd16d8a0718f63815

    SHA512

    3c48c8b3f72159e8e823e9a659cba029cabaf41d34970082ed570ec5399e7e03cf0fda1eb3699e425c9ec35fc9ef28e0f0ac426348413293cb8e0be9457ed07d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\~$c9SVfVwR.xlsm
    Filesize

    165B

    MD5

    ff09371174f7c701e75f357a187c06e8

    SHA1

    57f9a638fd652922d7eb23236c80055a91724503

    SHA256

    e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

    SHA512

    e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

    Download Submit

  • \Users\Admin\AppData\Local\Temp\._cache_21d35a7d045b0412f8379c36d2e53a919b5aafdc7e4a2c96fe49b69ace2f9f54.exe
    Filesize

    1.7MB

    MD5

    0d853b382746e7b22d99baeb1cc4d9fa

    SHA1

    e58eaea35d749d454307be8f9014f70bf8f3924e

    SHA256

    2af92c02377acaca3c387d8a807a56bb29b1b223f1197ec84e7eb965bb21cd0b

    SHA512

    979900535be82b489cc8fa0a87425b7211eb30a893356bd5779ec56b5bcdeab651e08f77a6958cc3a2037ed2055c53537ca9b5f109f19d57dde0b0437617de22

    Download Submit

  • memory/1732-122-0x0000000004D50000-0x0000000004D52000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1732-21-0x0000000000400000-0x0000000000955000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/1732-124-0x0000000000400000-0x0000000000955000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2140-128-0x0000000000400000-0x000000000066A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2140-44-0x0000000005710000-0x0000000005C65000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2140-46-0x0000000005710000-0x0000000005C65000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2140-176-0x0000000000400000-0x000000000066A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2140-131-0x0000000000400000-0x000000000066A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2140-125-0x0000000005710000-0x0000000005C65000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2668-47-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2668-121-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2924-45-0x0000000000400000-0x0000000000955000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/2924-127-0x0000000000400000-0x0000000000955000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/3068-31-0x0000000000400000-0x000000000066A000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3068-0-0x0000000000220000-0x0000000000221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3068-20-0x0000000005780000-0x0000000005CD5000-memory.dmp

    Filesize

    5.3MB

    Download

  • memory/3068-22-0x0000000005780000-0x0000000005CD5000-memory.dmp

    Filesize

    5.3MB

    Download