xred | bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd

Analysis

max time kernel
142s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
24/02/2025, 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
Size

959KB
MD5

666988e7b77645d3bb336ac1172a0f68
SHA1

57b059a71dcc830ae9321f45df49553905673b81
SHA256

bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd
SHA512

6f07956b4427ad30f309ea839c05238ff0ef6a0b42bbc6015b28b94b57b8abcd8d76f126139127ade1f9ccf312060034b2bdeecf1290bf48c01b1c88caef6262
SSDEEP

12288:6MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V94Ht6WvPOglY:6nsJ39LyjbJkQFMhmC+6GD9aJf2

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1952	._cache_bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
2884	Synaptics.exe
2828	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
2884	Synaptics.exe
2884	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\RIP crack dragonjin = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2692	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2692	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2396 wrote to memory of 1952	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	29
PID 2396 wrote to memory of 1952	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	29
PID 2396 wrote to memory of 1952	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	29
PID 2396 wrote to memory of 1952	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	29
PID 2396 wrote to memory of 2884	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	31
PID 2396 wrote to memory of 2884	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	31
PID 2396 wrote to memory of 2884	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	31
PID 2396 wrote to memory of 2884	2396	bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe	31
PID 2884 wrote to memory of 2828	2884	Synaptics.exe	32
PID 2884 wrote to memory of 2828	2884	Synaptics.exe	32
PID 2884 wrote to memory of 2828	2884	Synaptics.exe	32
PID 2884 wrote to memory of 2828	2884	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
"C:\Users\Admin\AppData\Local\Temp\bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2396
- C:\Users\Admin\AppData\Local\Temp\._cache_bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe"
  2⤵
  - Executes dropped EXE
  PID:1952
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2828

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
959KB

MD5
666988e7b77645d3bb336ac1172a0f68

SHA1
57b059a71dcc830ae9321f45df49553905673b81

SHA256
bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd

SHA512
6f07956b4427ad30f309ea839c05238ff0ef6a0b42bbc6015b28b94b57b8abcd8d76f126139127ade1f9ccf312060034b2bdeecf1290bf48c01b1c88caef6262

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBrduqoP.xlsm

Filesize
24KB

MD5
164109eb490d29f1299b63564a8baf0e

SHA1
70e4a669e7605440aa2ea4622d7dd78432d05383

SHA256
0f3b0f9ef7ca584a9be4d5f183a3de2896656391555a2fa4b2ab695275857bf5

SHA512
6e0c56dc23c9c9d66f4b4964607bcff1463b749801e94003a36ab43c6532e548b60b3bb19dc44f7a2f2969739e0f0759e43b175c10ff9bd1b9a2964970290056

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBrduqoP.xlsm

Filesize
29KB

MD5
7e9658b64d669f34bb88c6a10cfa585b

SHA1
cebcb9404ba5cd482344a94b101a21ede31fa5e3

SHA256
ab61681b9d77acd3dcb25796e72b5631c9db713c40a8b73e404b293af0d8e37b

SHA512
8c34f45d5913bc24871b6aa069befc20b767baa90acdc073a25860fa753aa1262cffe3aaf5c99434a157bae94cc39bc8cb9369ccdc02c42375caaa535b22659d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBrduqoP.xlsm

Filesize
31KB

MD5
349c9c7a4963703df5057ca66fc11074

SHA1
9a5709400c9307820906c33e4c65874ddb1f6f69

SHA256
c60514ca343998969e0fc10dff696ad32e7ed0790ca5fb896a01e72b7240504b

SHA512
8ee8caf36ec1d5c4ba7ecf808b46c5ed5423d62281cc621f8487294de8dfb52d0ce15de38bb5c007923ec5b7e0b1b5f3d6de8f84041307498cb8cd19996e3651

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBrduqoP.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBrduqoP.xlsm

Filesize
28KB

MD5
b1255d75ad81ecdbfa3f55588cbce370

SHA1
f342191f675511888af783c3bbcdc70b4e0f5c0b

SHA256
c9f97234684c8b678efb669ac00613bd94e6ebb41e2b1e9d26cacc6f34c7b3d8

SHA512
25aa0b3c30c93a1a4dfb769fda85d45e4bae3f59cea019074e0d07f7b7d906686463fd5bd6b7cb67cd55aae878f1c052cf9004dbf6f18127eb94e184d2f197be

Download Submit
C:\Users\Admin\AppData\Local\Temp\KBrduqoP.xlsm

Filesize
26KB

MD5
0180ec4a3961587e1dbf023a4a09603d

SHA1
1a80ddedd8f3c73cd28fdb28c23c65ae1de3936e

SHA256
c32907d860402de60ff5f08210a6744c81167498554a10504ec4a5314c1c5067

SHA512
67670619928c7cacd2ab644e978cd05f5290d8ca9848041d22be053b4e05667bb0065dc9c659386c1ae3d7a75846fad67bcc356f04f83a14982eb38a04ba7e51

Download Submit
C:\Users\Admin\Desktop\~$WatchGrant.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_bf5af2ea08413353edb66afbcdbf2cd4b99ac148c9360b784895a9e9bbc44cdd.exe

Filesize
19KB

MD5
192844353c18553b86802d1d322ff1b9

SHA1
092ea958b0d310ceb1546a5dea6be5b11050aa88

SHA256
383723e34309e9c87d6be606578a1c5bbb1f2fbaee94ba15eb874fb13e671b2b

SHA512
dd4dbe2833b0152c9728575e25f6da8d14eb6e9baa3e7eabcdbd4829ad72dbda05638cb0983fe0634539b6c9ddd6f674d5fd255e792435458bcfd9b25f34ef3c

Download Submit
memory/2396-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2396-24-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2692-61-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-55-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-42-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-41-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-40-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-39-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-38-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-44-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-60-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-59-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-58-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-57-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-56-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-43-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-54-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-53-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-52-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-51-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-50-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-45-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-46-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-47-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-49-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-48-0x00000000004F0000-0x00000000005F0000-memory.dmp

Filesize
1024KB

Download
memory/2692-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2884-126-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2884-127-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download
memory/2884-161-0x0000000000400000-0x00000000004F6000-memory.dmp

Filesize
984KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads