xred | 595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b

Analysis

max time kernel
111s
max time network
119s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 15:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
Size

1.8MB
MD5

4678a4ea2bf78f0cb7d260064fab8d01
SHA1

c725634f47947586fcf4f58b2f64b05270910afe
SHA256

595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b
SHA512

e7dcba3a4c26c0f73577ba3a9908203983263e8c1a6418fd269a07f6898a57a8f7a98267142b3dc29a0054b6a7da51cb2570398f765ca924abf6e17e24945603
SSDEEP

49152:xnsHyjtk2MYC5GDccykORxLrRtTn6GuY3:xnsmtk2a9kcrRp6GuY3

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2104	._cache_595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
2224	Synaptics.exe
2872	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
2224	Synaptics.exe
2224	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2704	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2704	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1172 wrote to memory of 2104	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	30
PID 1172 wrote to memory of 2104	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	30
PID 1172 wrote to memory of 2104	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	30
PID 1172 wrote to memory of 2104	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	30
PID 1172 wrote to memory of 2224	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	31
PID 1172 wrote to memory of 2224	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	31
PID 1172 wrote to memory of 2224	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	31
PID 1172 wrote to memory of 2224	1172	595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe	31
PID 2224 wrote to memory of 2872	2224	Synaptics.exe	32
PID 2224 wrote to memory of 2872	2224	Synaptics.exe	32
PID 2224 wrote to memory of 2872	2224	Synaptics.exe	32
PID 2224 wrote to memory of 2872	2224	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
"C:\Users\Admin\AppData\Local\Temp\595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1172
- C:\Users\Admin\AppData\Local\Temp\._cache_595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe"
  2⤵
  - Executes dropped EXE
  PID:2104
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2872

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.8MB

MD5
4678a4ea2bf78f0cb7d260064fab8d01

SHA1
c725634f47947586fcf4f58b2f64b05270910afe

SHA256
595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b

SHA512
e7dcba3a4c26c0f73577ba3a9908203983263e8c1a6418fd269a07f6898a57a8f7a98267142b3dc29a0054b6a7da51cb2570398f765ca924abf6e17e24945603

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OgTIO2V.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OgTIO2V.xlsm

Filesize
29KB

MD5
eacca86e390319442d2dad2103cc6fa4

SHA1
caa08fee031d7c2a541dc52673351993f8a60d80

SHA256
ce95e077714b0ce5312b44d6dd6c4008c399403e5a404d32ae8903b4ff33b65c

SHA512
b6cfc994d87a2929c5060cae1a89f2cd338bade34ebbfc1309d7cb772a4066a77558ace86c0236fd7606744d84478f6187599e8f3a5042f23e2070ca0c524ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OgTIO2V.xlsm

Filesize
23KB

MD5
4373c7a89e0c3e539f5becb0c5d8bce7

SHA1
98e6a626aa2e965208342c97454f8d86e6c90b02

SHA256
5b300c6dfd42e476adff6477ef0fa7d25e0d1972723dc475fecd5c306e95ecd0

SHA512
3a19f0a00724bdf79e0d4a5cea1086efb641bce9a3616f356c45b45989c5f63e096c1c68e181c11ad71d28731cb9e4fac7519a2405ae34e5d9f04c609f2aba37

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OgTIO2V.xlsm

Filesize
28KB

MD5
455d4e4ab35ac7d6fc66ced428ab423f

SHA1
bd2bbaf5f24cadc0406cf39ceef52425ec888692

SHA256
c71feef110787b8d4ed9b10d407e8c5b89183c4a696729650a38ebe9300ded33

SHA512
a6c9e092bff7528f51f37ada876dc39bfb8151b76fa7a6cd56db0788621a8c63d36d5dbc18bdb781a757480f79fb5a332794b13dad840ec44b2fed6198c24db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OgTIO2V.xlsm

Filesize
26KB

MD5
2d1bb032229ea0afc7c10472c6b5806c

SHA1
a126d5f5e596cf550f07b276798f6a3f3809d914

SHA256
38e5fdb08918a9fecaad9cf652433d9647810baed378ba5786cf0eb5ea57378f

SHA512
d4f6ad2d50b36a513244776d3047bcaf731731778deff9c3339e56dbdb63baf2c47529d26ad01caf1462cf50d39311814fd9abfe8cc78bed7c4aadaa7d0af934

Download Submit
C:\Users\Admin\AppData\Local\Temp\1OgTIO2V.xlsm

Filesize
29KB

MD5
c552a2ad878957ca02672b4f0a33435a

SHA1
90e07918a28c2119def3f86f963c90ea75cdcfff

SHA256
9060e10893b9db2383f1e8b212ed2490385f4160206ecc386e8c23780a5b5573

SHA512
374f8ea835bcf6fcbcf57b95c9587ee596d56ec56671b174285a1538e6869650d6a7306bcbac27758032b280a84f49b797fe5ec40c6aa72ec5e45aee256900de

Download Submit
C:\Users\Admin\Desktop\~$SyncHide.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_595a25f9726f8d95d9538a58ef68896edfed76b54b4e8ac872d8ba3e83e9f08b.exe

Filesize
1.1MB

MD5
92b6f926e8c048fbd69ac84ab7683e94

SHA1
bab4040dca7222537d26a007b246634486f03892

SHA256
e4115906f2e6d880ea12e498310494403275018d87788ca7cc4bd48c8376ce6f

SHA512
29adf1f7764c40e320fcf02636de1a546b850b16c451a87adacc3ab364fa2f8007c6f56a77674d36298a3113ccf45ecb4f337311c7c20601182193fbc152253b

Download Submit
memory/1172-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/1172-25-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2104-123-0x0000000000400000-0x0000000000528000-memory.dmp

Filesize
1.2MB

Download
memory/2224-127-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2224-161-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2224-124-0x0000000000400000-0x00000000005DE000-memory.dmp

Filesize
1.9MB

Download
memory/2704-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2704-122-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads