Overview

overview

10

Static

static

10

dxwebsetup.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250129-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-02-2025 11:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dxwebsetup.exe

  • Size

    1.0MB

  • MD5

    2c46e51a52896cbefe4a12549db10b47

  • SHA1

    80168e935d4291a9b7cc687f9c390c6857769859

  • SHA256

    81fffafeca14093a43077df42f4f2d13117a4618ab9174555d6834094637aaa1

  • SHA512

    88f629a14a0e5d6965ea5e97f4f1352ced16840572326e219af30ae79c46bd55d874dd95393d25461cf80be427602b9e665791b63644a1ce45f673232f5243a3

  • SSDEEP

    24576:CnsJ39LyjbJkQFMhmC+6GD9Wc40RDI1pEO:CnsHyjtk2MYC5GDgl3wO

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in System32 directory 7 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe
    "C:\Users\Admin\AppData\Local\Temp\dxwebsetup.exe"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4000
    • C:\Users\Admin\AppData\Local\Temp\._cache_dxwebsetup.exe
      "C:\Users\Admin\AppData\Local\Temp\._cache_dxwebsetup.exe"
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Drops file in System32 directory
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        PID:4856
    • C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1656
      • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:5032
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4580

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    1.0MB

    MD5

    2c46e51a52896cbefe4a12549db10b47

    SHA1

    80168e935d4291a9b7cc687f9c390c6857769859

    SHA256

    81fffafeca14093a43077df42f4f2d13117a4618ab9174555d6834094637aaa1

    SHA512

    88f629a14a0e5d6965ea5e97f4f1352ced16840572326e219af30ae79c46bd55d874dd95393d25461cf80be427602b9e665791b63644a1ce45f673232f5243a3

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_dxwebsetup.exe
    Filesize

    288KB

    MD5

    2cbd6ad183914a0c554f0739069e77d7

    SHA1

    7bf35f2afca666078db35ca95130beb2e3782212

    SHA256

    2cf71d098c608c56e07f4655855a886c3102553f648df88458df616b26fd612f

    SHA512

    ff1af2d2a883865f2412dddcd68006d1907a719fe833319c833f897c93ee750bac494c0991170dc1cf726b3f0406707daa361d06568cd610eeb4ed1d9c0fbb10

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\4IMPiKbA.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\64C75E00
    Filesize

    23KB

    MD5

    93f5375c1850690ef40867458ed19027

    SHA1

    f20483699166bac9b71586d86092a292ee47b95b

    SHA256

    37235fc6b678f8315a90dbc6d789948162991d35b7e446689c0eeb84073a7754

    SHA512

    c005e7189c7d75185cdff2e84a5ecb5e6db602d276c652b6550277e3be4e928a2752310f3de74c120c8ef740fdae56bfc112b031ef889ddbcba8486ba37a7fb1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    Filesize

    515KB

    MD5

    ac3a5f7be8cd13a863b50ab5fe00b71c

    SHA1

    eee417cd92e263b84dd3b5dcc2b4b463fe6e84d9

    SHA256

    8f5e89298e3dc2e22d47515900c37cca4ee121c5ba06a6d962d40ad6e1a595da

    SHA512

    c8bbe791373dad681f0ac9f5ab538119bde685d4f901f5db085c73163fc2e868972b2de60e72ccd44f745f1fd88fcde2e27f32302d8cbd3c1f43e6e657c79fba

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf
    Filesize

    477B

    MD5

    ad8982eaa02c7ad4d7cdcbc248caa941

    SHA1

    4ccd8e038d73a5361d754c7598ed238fc040d16b

    SHA256

    d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

    SHA512

    5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

    Download Submit

  • C:\Windows\SysWOW64\directx\websetup\dsetup.dll
    Filesize

    93KB

    MD5

    984cad22fa542a08c5d22941b888d8dc

    SHA1

    3e3522e7f3af329f2235b0f0850d664d5377b3cd

    SHA256

    57bc22850bb8e0bcc511a9b54cd3da18eec61f3088940c07d63b9b74e7fe2308

    SHA512

    8ef171218b331f0591a4b2a5e68dcbae98f5891518ce877f1d8d1769c59c0f4ddae43cc43da6606975078f889c832f0666484db9e047782e7a0ae4a2d41f5bef

    Download Submit

  • C:\Windows\SysWOW64\directx\websetup\dsetup32.dll
    Filesize

    1.5MB

    MD5

    a5412a144f63d639b47fcc1ba68cb029

    SHA1

    81bd5f1c99b22c0266f3f59959dfb4ea023be47e

    SHA256

    8a011da043a4b81e2b3d41a332e0ff23a65d546bd7636e8bc74885e8746927d6

    SHA512

    2679a4cb690e8d709cb5e57b59315d22f69f91efa6c4ee841943751c882b0c0457fd4a3376ac3832c757c6dfaffb7d844909c5665b86a95339af586097ee0405

    Download Submit

  • memory/1656-341-0x0000000000400000-0x000000000050A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/1656-310-0x0000000000400000-0x000000000050A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4000-153-0x0000000000400000-0x000000000050A000-memory.dmp

    Filesize

    1.0MB

    Download

  • memory/4000-0-0x00000000022A0000-0x00000000022A1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4580-228-0x00007FFB528F0000-0x00007FFB52900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4580-233-0x00007FFB50240000-0x00007FFB50250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4580-234-0x00007FFB50240000-0x00007FFB50250000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4580-232-0x00007FFB528F0000-0x00007FFB52900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4580-229-0x00007FFB528F0000-0x00007FFB52900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4580-231-0x00007FFB528F0000-0x00007FFB52900000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4580-230-0x00007FFB528F0000-0x00007FFB52900000-memory.dmp

    Filesize

    64KB

    Download