xred | b8c5e2c8477706f3f54e152443718dcec270889002289aa1730eabc5ba3f312f

Analysis

max time kernel
31s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
Size

15.2MB
MD5

6d2849c0ff4b4cf3ef02f4fde0d92351
SHA1

1173bd4bd5c3c107ac9cb9b6b92379b85d0ace71
SHA256

2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f
SHA512

553b31e4c338239be5aca5b58722432c7e9cb7dfa96950952035a5f316f44127c4cec3978db80312b80196be319f0ca920a687204de3367a0a10d82728266743
SSDEEP

393216:LGg4aQGg4aDGg4aRGg4aTGg4akGg4auGg4awGg4aDGg4a1Gg4aPGg4at:r+zZDSsezdPt

Score

10^/10

xred backdoor discovery execution

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2740	powershell.exe
2744	powershell.exe
1832	powershell.exe
2284	powershell.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
9	reallyfreegeoip.org
17	reallyfreegeoip.org
4	checkip.dyndns.org
8	reallyfreegeoip.org

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
3004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2744	2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe	31
PID 2668 wrote to memory of 2744	2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe	31
PID 2668 wrote to memory of 2744	2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe	31
PID 2668 wrote to memory of 2744	2668	2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe	31

C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
"C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  PID:2744
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2740
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2368.tmp"
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:2596
- C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
  "C:\Users\Admin\AppData\Local\Temp\2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"
  2⤵
  PID:2644
- - C:\Users\Admin\AppData\Local\Temp\._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe"
    3⤵
    PID:1344
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    PID:592
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:2284
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
      4⤵
      Command and Scripting Interpreter: PowerShell
      PID:1832
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9B75.tmp"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3004
  - - C:\ProgramData\Synaptics\Synaptics.exe
      "C:\ProgramData\Synaptics\Synaptics.exe"
      4⤵
      PID:2176
    - - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
        
        "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
        5⤵
        
        PID:2480

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
15.2MB

MD5
6d2849c0ff4b4cf3ef02f4fde0d92351

SHA1
1173bd4bd5c3c107ac9cb9b6b92379b85d0ace71

SHA256
2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f

SHA512
553b31e4c338239be5aca5b58722432c7e9cb7dfa96950952035a5f316f44127c4cec3978db80312b80196be319f0ca920a687204de3367a0a10d82728266743

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_2743ade13f30458e6811f8eb99cf64cec0739d268d241b2a00ba57a9ffac835f.exe

Filesize
91KB

MD5
b45e3c4c10da3da0c69e2f90dc3dfb10

SHA1
61a36473ced38978793a9af1aea1fc528eebe457

SHA256
b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6

SHA512
44d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GyxFSKFx.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2368.tmp

Filesize
1KB

MD5
9d72bca34262a2e7fba3de3a03c2e049

SHA1
185c80e95fb884d857f3659b480c8c2d082c28a5

SHA256
781e99a7459eae1031bf16603bf5ac31b442bdfbcec28521208e9629e3786306

SHA512
5bce4ec0b0f2e801b69b88e7b1f03db25437ba36c753f7a5f511ea50b4cbac01c57d0208ad7f60d8741949ff5132ff933cc7ea14b848cf5cc56864c1a2e5ebe7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2LC2JCOSMJ1M2BPMQ0F8.temp

Filesize
7KB

MD5
59b988d8a3145f4232cda29a304961c3

SHA1
fea58e679a6d974d0930defbe32c348e082f244a

SHA256
0d31f5b5aa7da4edb9d8008d80238ad20ca261eb5bf5591c732c321f41b04a9e

SHA512
ff6e7839512540befa45961c4b7ea4c0521118754146967310ae5821994cb10fa9301a05d90fde55068f817cdad9bd4221d5e4c2c21fba0371f46e9df199aae8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UF90BW07HTYZYQLW0R1L.temp

Filesize
7KB

MD5
6729b34a0e19037ff7605e94b74b0e6b

SHA1
f984c9bc643dc975ee7e0242f5c6f3ba0f407c20

SHA256
4750de912bc263a1f6af5379f0e477b815973679fb8db923ddeaa3fbb5689dc2

SHA512
4926d6cfec82d77747cb1005f35b3a040328f6f72841fcb205acdf07284c14606996e9b08054ef1d8d0f3f5d26da76c628e48d7583774e17ef23e56787c5d28a

Download Submit
memory/592-62-0x00000000009E0000-0x000000000191C000-memory.dmp

Filesize
15.2MB

Download
memory/1344-55-0x00000000002F0000-0x000000000030E000-memory.dmp

Filesize
120KB

Download
memory/1656-104-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2176-93-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2176-125-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2176-126-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2176-124-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2176-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-103-0x00000000010A0000-0x00000000010BE000-memory.dmp

Filesize
120KB

Download
memory/2644-32-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-35-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-30-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-28-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-26-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-36-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-23-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-24-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2644-20-0x0000000000400000-0x00000000004D9000-memory.dmp

Filesize
868KB

Download
memory/2668-3-0x0000000006470000-0x00000000065CC000-memory.dmp

Filesize
1.4MB

Download
memory/2668-4-0x0000000000490000-0x00000000004AE000-memory.dmp

Filesize
120KB

Download
memory/2668-7-0x00000000067F0000-0x000000000690E000-memory.dmp

Filesize
1.1MB

Download
memory/2668-6-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/2668-0-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2668-5-0x00000000748AE000-0x00000000748AF000-memory.dmp

Filesize
4KB

Download
memory/2668-1-0x0000000000FF0000-0x0000000001F2C000-memory.dmp

Filesize
15.2MB

Download
memory/2668-39-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download