Overview

overview

10

Static

static

10

bc24fa45f5...06.exe

windows7-x64

10

bc24fa45f5...06.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250217-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-02-2025 06:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe

  • Size

    1.1MB

  • MD5

    2168efe511da4705864cc5ddef26edd1

  • SHA1

    d934033eb8f74c47e69063d13574bf571a19ee2e

  • SHA256

    bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206

  • SHA512

    a3d23b94a8f0620c1ed0d1ed3529794ad2ae6909de5f0b9c79eb33af47a47d3f562d107e7e70dc7cef7ba4a8b27b76669e1679fefec3d12f1cc4db4cfa66ac2d

  • SSDEEP

    24576:iap2f3ptaCOa6hw+6GD9kuu1OUjezCk4o5BSj17Qd:ufaC76hw5GDauukUjez+PpQd

Score
10/10
xredbackdoordiscoverypersistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 6 IoCs
  • Loads dropped DLL 4 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 52 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 3 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 2 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
    "C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1696
    • C:\Windows\svchost.exe
      "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:8
      • C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
        "C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:2196
        • C:\Users\Admin\AppData\Local\Temp\._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
          "C:\Users\Admin\AppData\Local\Temp\._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops file in Program Files directory
          • System Location Discovery: System Language Discovery
          PID:2564
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Modifies registry class
          • Suspicious use of WriteProcessMemory
          PID:1384
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Drops file in Program Files directory
            • System Location Discovery: System Language Discovery
            PID:2132
  • C:\Windows\svchost.exe
    C:\Windows\svchost.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:4164
  • C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
    "C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
    1⤵
    • Checks processor information in registry
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:4244

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\Mem Reduct\memreduct.exe
    Filesize

    302KB

    MD5

    fe8eb129610e454ad17b9d6ccbf1df8b

    SHA1

    28cfddbc7faf2e66aee0eec673c7eb7beab25510

    SHA256

    8cea4adf5febfa9528d01259bf9b70afdb814ce8b41605b8c619a9738a9c9414

    SHA512

    4aa488a5844eb65fe0f72d1ab325ba07a40fa0cae658bba38f59260c1467d5c902ae8bcd6d8e2f15a5c81139147155948f99a0e303ecca001f24a58d5c5de399

    Download Submit

  • C:\Program Files\Mem Reduct\uninstall.exe
    Filesize

    86KB

    MD5

    6d97f86c3bfdd7932c664992c719b7ac

    SHA1

    0ebe79050d7d22ad7031d1a6b68907f7452e00ea

    SHA256

    b6fd255bf6f0bd9ac665c7f2e930e5779f98059dbdbfa9656466b9bd484faacd

    SHA512

    64fcf3dc8f8b08472b7b334872ada5269b993ed62829356b11912d81a7d655ca3fc56879a5915923d8552b4b96a9322e36ffedb254ddeccb015fb381fbbdf744

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
    Filesize

    357KB

    MD5

    25db35058f16b6fe4b1425b0986ba716

    SHA1

    17b4f5bca2480079e68ea41a52651f34c3cd6a37

    SHA256

    3555b6148f8bf9415c1b0db8b03c649b530670c7775631d6f26fda5eee547f24

    SHA512

    735b58bcafb9382c5d9846756ffa079bc4aac0fd4ff039883382cc0251fdf77bb660e51b9b133dc2fcdc2bfa93c75b6148e0c2cc71ea949c8694407a29fac679

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\E4D75E00
    Filesize

    23KB

    MD5

    524fb5522730101d4b1fa89b77290af1

    SHA1

    845042dff9abc22200c43353daf64c286dbbc790

    SHA256

    ac023d59cb73f300109b786acf9cb447334edd13ec5f21ce1dca7b600b0fb15d

    SHA512

    7620c04fae56a3681402da7dce7a28ce3fe6dd8d5fd024a8de4a3b8dfe308f242c59a0a81f79a7aa01fd52b60ee0c7e677fc577cb8badc60d92ec3e6b43c7b5f

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\bc24fa45f522637e923c1e64346be2a9b0d02f64a1beeed3a0e70170ddea0206.exe
    Filesize

    1.1MB

    MD5

    46fe00b3d1eadceba58ded687916b27f

    SHA1

    f08fb994e842a4cfc62e7bd942a0879b27a94774

    SHA256

    d3bf3fae35f44dcd791049693ebb9985dc97400cd882a12ec06cfbbe50b88ee3

    SHA512

    a12458c6ab2a9a45d21133491574a9c027bb7745261c1ea670ff07736ded618c9ee9f68da066cedfd104cbb108301b43fe24848de17c37e62d268006b8ea8b8a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\lgIknqNT.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq88F8.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsq88F8.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    ca95c9da8cef7062813b989ab9486201

    SHA1

    c555af25df3de51aa18d487d47408d5245dba2d1

    SHA256

    feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

    SHA512

    a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsx8BD7.tmp\modern-wizard.bmp
    Filesize

    150KB

    MD5

    52ff52eee3b944b862c11c268a02c196

    SHA1

    8d041966e6fba10aa5e10ce5dc1dc5175f11b2fe

    SHA256

    2079f7a3eba60e0d9ee827a7208aa052a71b384873b641de5e299aeb8e733109

    SHA512

    2861ae5a06f8413810947c08994f4c0da54a1acee8c4df72cd8b03a9503b26e5512809f8d70fd584239b04a651e7329a701bf7ddcee2dec2c2e14d05ae74f220

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\History.lnk
    Filesize

    903B

    MD5

    ca97c8d434c047a83c596211c11f6c7e

    SHA1

    9f60d3f5d19ae3b5dc9446b63c26370a4bc94aeb

    SHA256

    95434c94367bcbae8ba65400306563db6ee58e311f3f0a451d25feff88d570cc

    SHA512

    83dd90fb1446d10adee0b6366db383f64d00473d2c2437afbf7933a86088c967603ddb575f31b578e3a48e43971795ba719fb8c216984601253a6c05664fc5ac

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\License.lnk
    Filesize

    903B

    MD5

    2ecdac1bbfced66dda3f8b987227ce81

    SHA1

    aa30e98e50f4cd7907ae14e7a8f6ed712d615dad

    SHA256

    89b4f4def43dfc4fd09c01fedb6cc724c8d65e8fe468130047d7aa685c532866

    SHA512

    6c7b3004cbeb327db11ab0fb625312394c492446408ca436244fa164d902b44d7c54a29c5217ac3882f02a241c3e9e73ad4329275c10cc117482c0e7756b9e6c

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Mem Reduct\Readme.lnk
    Filesize

    898B

    MD5

    40724a504a57ca1256349f30b4f812f9

    SHA1

    b9e3aa4ef8012269a6bfb3bfff9afd9614d0fb99

    SHA256

    841fc6910ae8334b371538dbdb317fa62e9aae33a700c9baa984abdc27215937

    SHA512

    df338b3077142a34b8a1c1f872d2797dcab2a56be479d160430f8bb8ce5f69498bbaec23feb28ee99904259777ff92ad1616e6cd1793cb9136481929c5ad32f2

    Download Submit

  • C:\Windows\svchost.exe
    Filesize

    35KB

    MD5

    9e3c13b6556d5636b745d3e466d47467

    SHA1

    2ac1c19e268c49bc508f83fe3d20f495deb3e538

    SHA256

    20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

    SHA512

    5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

    Download Submit

  • memory/8-10-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/1384-386-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1384-232-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1384-372-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1384-313-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1384-289-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1696-3-0x0000000000400000-0x0000000000478000-memory.dmp

    Filesize

    480KB

    Download

  • memory/2196-156-0x0000000000400000-0x000000000051C000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2196-13-0x00000000007C0000-0x00000000007C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4164-355-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4164-231-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

    Download

  • memory/4244-239-0x00007FFB5D7E0000-0x00007FFB5D7F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-238-0x00007FFB5D7E0000-0x00007FFB5D7F0000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-237-0x00007FFB5FA50000-0x00007FFB5FA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-236-0x00007FFB5FA50000-0x00007FFB5FA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-235-0x00007FFB5FA50000-0x00007FFB5FA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-234-0x00007FFB5FA50000-0x00007FFB5FA60000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4244-233-0x00007FFB5FA50000-0x00007FFB5FA60000-memory.dmp

    Filesize

    64KB

    Download