xred | 565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13

Analysis

max time kernel
142s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-02-2025 23:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
Size

3.7MB
MD5

d1cba134b4521df7c56d7fee4189d503
SHA1

9a64d0a88884629e85a37429b836c98d424f35ea
SHA256

565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13
SHA512

a698e48fc5b3bcf34cca0c25dbe352b16bf196d3bfcddc2626e95ed7d2c2703fed070c893b65f73cb41078b243004aad5a55e75e8d169400a1bf7e0d30bc15f4
SSDEEP

98304:Knsmtk2ar0SK+48FFNFF3CF7DFFFEw3nNY2Drs0Vq5Vse9LngNkteBb:ELfS2/sh5V1nWkteBb

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1172	._cache_565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
2872	Synaptics.exe
2796	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
2872	Synaptics.exe
2872	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2736	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1172	._cache_565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
Token: SeDebugPrivilege	2796	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2796	._cache_Synaptics.exe
1172	._cache_565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2736	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 1172	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	30
PID 2124 wrote to memory of 1172	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	30
PID 2124 wrote to memory of 1172	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	30
PID 2124 wrote to memory of 1172	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	30
PID 2124 wrote to memory of 2872	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	31
PID 2124 wrote to memory of 2872	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	31
PID 2124 wrote to memory of 2872	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	31
PID 2124 wrote to memory of 2872	2124	565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe	31
PID 2872 wrote to memory of 2796	2872	Synaptics.exe	32
PID 2872 wrote to memory of 2796	2872	Synaptics.exe	32
PID 2872 wrote to memory of 2796	2872	Synaptics.exe	32
PID 2872 wrote to memory of 2796	2872	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
"C:\Users\Admin\AppData\Local\Temp\565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\._cache_565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:1172
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2796

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.7MB

MD5
d1cba134b4521df7c56d7fee4189d503

SHA1
9a64d0a88884629e85a37429b836c98d424f35ea

SHA256
565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13

SHA512
a698e48fc5b3bcf34cca0c25dbe352b16bf196d3bfcddc2626e95ed7d2c2703fed070c893b65f73cb41078b243004aad5a55e75e8d169400a1bf7e0d30bc15f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\.minecraft\PCL.ini

Filesize
31B

MD5
67bfcfc208d787e99ca8ea4801117538

SHA1
f7b82fe95f72e953e2d2b7fe4aa879a7e4eba2b7

SHA256
9a64e96548ed95ab1e5d69f36cc0313ab399e517ce2ef6dbad8e56ba47090d46

SHA512
8311a07b8f17de515e4917b109cce69569bc136ae1456acd7d6f9a069823e3bd0466282db53a4dfc0b88507772bfb6521fe5179fbd759d2bf8d3c692d370440b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Log1.txt

Filesize
62B

MD5
1b42d5f6b975f7a1a746f524bf03b000

SHA1
42f36f054cb3aa4c0abb53714cdbde832bbf3831

SHA256
cf96b64520dabeddc2defa8949824e8412657249be26290ae9ef3b119019d562

SHA512
a210ad42cea85bda94a06de14f505ec9ac43e3c86ffa9c2fd38b895bc2dc125923e6e11c2446c0cf715fe61726cac85b491519b00eda7b63e2907074345eb87c

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Setup.ini

Filesize
29B

MD5
a068737344ad1e4bcde127bc215d3f4c

SHA1
7e0df815a4bffea2bfe76e1099053b335dd66e66

SHA256
9832e053464d410f8d185eec8bf0d07edba9c04745913c56145db541855d2c99

SHA512
25c7cf162cc15d32c0be8ced9de163da93c7a3251d35747e4547bef5c46d60d87f0a91db92aeee1f650feab9410e81d9aba4503ec5ec120599964bd8edb79512

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Setup.ini

Filesize
64B

MD5
4360c9f933de34fd6797628b25617595

SHA1
ab19b2d0d60ba2609dfd4651692776d66dc843b5

SHA256
172ecdf122b4d744cd73607cf0c043bac9d47978cd8671ab86eb25d43e23bb3f

SHA512
efa1bb2f9aa6748e2a2b88664c87553572b9614f19809fa74196cbc00420ca1cf562e2192b4e887cec29719fa95ec5cb8a3d134e6273ce9cf9089c27c3f70d56

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCL\Setup.ini

Filesize
88B

MD5
36d7b4a54a5545e673c2a155032f1bae

SHA1
73a1a440bbdaed38fae625fcf35fabfa5344903d

SHA256
d1b8b1e3a1be908136b18d5b3aff5f62cb8feea0db5131c9f66362195cd7c6f6

SHA512
f1837f9e7055beec745022cbd05019456f9e14e0d9be80f0ee3fd8b19713d2172a1eca0efba14dc005f7ff0fe5ebb95dc5ef3aa7969a46d6ce08debd26c22937

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOiSvgXs.xlsm

Filesize
23KB

MD5
b4effd96ea19b5f4f8ee71b10ef2104e

SHA1
8f78e0e11a474a17f7adb68e78b290a9e9ec7406

SHA256
815ac25302b18183ab6faa20df1773096fd9bd730a0392a815ae2563518cb1e4

SHA512
19192be35f220b5075866898d78c4099d0a6266bb4748b2397e0db0c681ef9f0b70f68454e8596e82ae4ab075cb597b6dcea2218d0a2db2f73b20d9d18705f76

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOiSvgXs.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOiSvgXs.xlsm

Filesize
25KB

MD5
27b28c6f3a2a0e4c0119d8631fa5bb26

SHA1
fc8dd01485214ab44572e40a0a2ae11cfa437334

SHA256
433be71ba670551bc9a2ef0acf8fbcf8ec90829808180ed6743db514354a1f6b

SHA512
39a9e65ab35c21c0507dee46d24f8149b425a2665782897a038c7b80aa85abdba40221ccffa1b5738e20dfe58a192d91b27c05045cce6ad8087520dd3f9479a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\hOiSvgXs.xlsm

Filesize
21KB

MD5
41e9eb0b1b4cc647cb56142545783f8a

SHA1
fd9b0f63413f7c76738c48ceb1357f2950792d71

SHA256
1d17ef55a57c62d0a8eff1e86143301194715a10f4ac0c345c7e38f5b8509016

SHA512
3b9990700fc3def754e612ce8e1b63f92bca25f881c26d093d1bf2a303b41b215316b54b0f84937fca60f7c44f953b90adfdcba56dbd14ea4f067aca8bf287ac

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_565df4bb4f0a2488f515a0ebf1de9fbd0af2b69c54ef1f0a4e066a2632a6bb13.exe

Filesize
3.0MB

MD5
0a243f44d1a6a0b26923888273ce76a6

SHA1
f65fb58639d7d9cf5fcd97a6eb4adf979237e1a7

SHA256
e8b57c4bc6f60eca976f96b6026ce893b32bee672ce3a5dfb7c6856e21b41fd4

SHA512
5eeb9e92c3af45da8b830ac61c6d63a284cc411e00635673b9e48fb8ba83055cc2d3638b1a14ff839f078546dd98025b413895d2468fbd69c994fb6ab44dae32

Download Submit
memory/1172-111-0x000000001B0B0000-0x000000001B158000-memory.dmp

Filesize
672KB

Download
memory/1172-35-0x00000000008E0000-0x0000000000BE4000-memory.dmp

Filesize
3.0MB

Download
memory/2124-24-0x0000000000400000-0x00000000007C4000-memory.dmp

Filesize
3.8MB

Download
memory/2124-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2736-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2736-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2796-106-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2796-90-0x000000001BAF0000-0x000000001BDA2000-memory.dmp

Filesize
2.7MB

Download
memory/2796-36-0x00000000003C0000-0x00000000006C4000-memory.dmp

Filesize
3.0MB

Download
memory/2796-125-0x00000000007E0000-0x00000000007EA000-memory.dmp

Filesize
40KB

Download
memory/2872-124-0x0000000000400000-0x00000000007C4000-memory.dmp

Filesize
3.8MB

Download
memory/2872-126-0x0000000000400000-0x00000000007C4000-memory.dmp

Filesize
3.8MB

Download
memory/2872-134-0x0000000000400000-0x00000000007C4000-memory.dmp

Filesize
3.8MB

Download
memory/2872-163-0x0000000000400000-0x00000000007C4000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads