Overview

overview

10

Static

static

10

a6b7e1f8d9...13.exe

windows7-x64

10

a6b7e1f8d9...13.exe

windows10-2004-x64

10

a6d91e550d...6e.exe

windows7-x64

7

a6d91e550d...6e.exe

windows10-2004-x64

7

a72cdbd8e2...ad.exe

windows7-x64

10

a72cdbd8e2...ad.exe

windows10-2004-x64

10

a731427f52...04.exe

windows7-x64

6

a731427f52...04.exe

windows10-2004-x64

6

a73951d873...67.exe

windows7-x64

10

a73951d873...67.exe

windows10-2004-x64

10

a74be4d5e7...73.exe

windows7-x64

10

a74be4d5e7...73.exe

windows10-2004-x64

10

a77ff4e4dd...87.exe

windows7-x64

10

a77ff4e4dd...87.exe

windows10-2004-x64

10

a799e456ff...88.exe

windows7-x64

10

a799e456ff...88.exe

windows10-2004-x64

10

a7c49036eb...95.exe

windows7-x64

3

a7c49036eb...95.exe

windows10-2004-x64

3

a7d8553ba6...a8.exe

windows7-x64

7

a7d8553ba6...a8.exe

windows10-2004-x64

7

a7e953c880...28.exe

windows7-x64

10

a7e953c880...28.exe

windows10-2004-x64

10

a7ead69ceb...a3.exe

windows7-x64

9

a7ead69ceb...a3.exe

windows10-2004-x64

9

a7ec6d64b2...db.exe

windows7-x64

1

a7ec6d64b2...db.exe

windows10-2004-x64

1

a7fd5ae1f0...f8.exe

windows7-x64

10

a7fd5ae1f0...f8.exe

windows10-2004-x64

10

a884e586e0...e0.exe

windows7-x64

10

a884e586e0...e0.exe

windows10-2004-x64

10

a8b0399c70...33.exe

windows7-x64

10

a8b0399c70...33.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    139s
  • max time network
    163s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    22/03/2025, 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a799e456ff773d61953389e7fb322b88.exe

  • Size

    20.2MB

  • MD5

    a799e456ff773d61953389e7fb322b88

  • SHA1

    ee4bb5e3ebfdb9a3a158b6e043ad8ad45405579e

  • SHA256

    3f24ecfe09f50ca00f29c8617bc76f9b01785a2d86eaf16b34d46c60648ed32c

  • SHA512

    5645160a60b98fa38fc2a278fe31290967368ec38df0b0b5ac6ca0fa1073518e7478888b4bbf13082a94d436567c53df04ba02b0265019ff61f7056f82b5f84a

  • SSDEEP

    393216:SGg4aFGg4afGg4ahGg4aEGg4aJGg4akGg4a9Gg4aDGg4aKGg4aPGg4aLGg4aYGgf:AtfpyhSVzoPr2kyp

Score
10/10
xredbackdoorcollectiondiscoveryexecutionmacropersistencespywarestealer

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes
  • email

    [email protected]

  • payload_url

    http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

    https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

    http://xred.site50.net/syn/SUpdate.ini

    https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

    https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

    http://xred.site50.net/syn/Synaptics.rar

    https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

    https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

    http://xred.site50.net/syn/SSLLibrary.dll

Signatures

  • Xred

    Xred is backdoor written in Delphi.

    backdoorxred
  • Xred family
    xred
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Suspicious Office macro 1 IoCs

    Office document equipped with macros.

    macro
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 4 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

    spywarestealer
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Accesses Microsoft Outlook profiles 1 TTPs 6 IoCs
    collection
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 4 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 13 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious use of AdjustPrivilegeToken 8 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 60 IoCs
  • outlook_office_path 1 IoCs
  • outlook_win_path 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a799e456ff773d61953389e7fb322b88.exe
    "C:\Users\Admin\AppData\Local\Temp\a799e456ff773d61953389e7fb322b88.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2240
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\a799e456ff773d61953389e7fb322b88.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2828
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2740
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C41.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:2804
    • C:\Users\Admin\AppData\Local\Temp\a799e456ff773d61953389e7fb322b88.exe
      "C:\Users\Admin\AppData\Local\Temp\a799e456ff773d61953389e7fb322b88.exe"
      2⤵
      • Loads dropped DLL
      • Adds Run key to start application
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3052
      • C:\Users\Admin\AppData\Local\Temp\._cache_a799e456ff773d61953389e7fb322b88.exe
        "C:\Users\Admin\AppData\Local\Temp\._cache_a799e456ff773d61953389e7fb322b88.exe"
        3⤵
        • Executes dropped EXE
        • Accesses Microsoft Outlook profiles
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2100
      • C:\ProgramData\Synaptics\Synaptics.exe
        "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1332
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2704
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\sXLAWJKdeDZVj.exe"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1136
        • C:\Windows\SysWOW64\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\sXLAWJKdeDZVj" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3F.tmp"
          4⤵
          • System Location Discovery: System Language Discovery
          • Scheduled Task/Job: Scheduled Task
          PID:2064
        • C:\ProgramData\Synaptics\Synaptics.exe
          "C:\ProgramData\Synaptics\Synaptics.exe"
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1196
          • C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
            "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe"
            5⤵
            • Executes dropped EXE
            • Accesses Microsoft Outlook profiles
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • outlook_office_path
            • outlook_win_path
            PID:2376
  • C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
    1⤵
    • System Location Discovery: System Language Discovery
    • Enumerates system info in registry
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Scheduled Task/Job

1
T1053

Scheduled Task

1
T1053.005

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials from Password Stores

1
T1555

Credentials from Web Browsers

1
T1555.003

Unsecured Credentials

2
T1552

Credentials In Files

2
T1552.001

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Data from Local System

2
T1005

Email Collection

1
T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Synaptics\Synaptics.exe
    Filesize

    20.2MB

    MD5

    a799e456ff773d61953389e7fb322b88

    SHA1

    ee4bb5e3ebfdb9a3a158b6e043ad8ad45405579e

    SHA256

    3f24ecfe09f50ca00f29c8617bc76f9b01785a2d86eaf16b34d46c60648ed32c

    SHA512

    5645160a60b98fa38fc2a278fe31290967368ec38df0b0b5ac6ca0fa1073518e7478888b4bbf13082a94d436567c53df04ba02b0265019ff61f7056f82b5f84a

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\._cache_a799e456ff773d61953389e7fb322b88.exe
    Filesize

    91KB

    MD5

    b45e3c4c10da3da0c69e2f90dc3dfb10

    SHA1

    61a36473ced38978793a9af1aea1fc528eebe457

    SHA256

    b6fe518ed8ca7ee32f79bb5dd52ab8250cc595d1aa8daec123cef383c6b0bdb6

    SHA512

    44d0c2e0904702dd22c92004415ef3c821bf63de0fb0cc6d7cca41eab36f32531530dd5fdb48017fc5405c7554ae6387514ef3f4e74eea4b36a14d587742e15b

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5WPs787t.xlsm
    Filesize

    21KB

    MD5

    ff58db009d240f2ff0d725b5857aa89b

    SHA1

    736ac442a05d646b4d2f5e51ef8c13d917438a87

    SHA256

    b951dbceb2b784e790330fb1828a1aaf25c214d4dc27644db72dce741b557906

    SHA512

    c8b982dff97e53ef456520eb843bb717a491f79f122a83c4e3520db2f63e364a74819ccf5aae07f4740f485992ef2714d27e4676d90bedbf72062482c34925ac

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5WPs787t.xlsm
    Filesize

    17KB

    MD5

    e566fc53051035e1e6fd0ed1823de0f9

    SHA1

    00bc96c48b98676ecd67e81a6f1d7754e4156044

    SHA256

    8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

    SHA512

    a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5WPs787t.xlsm
    Filesize

    25KB

    MD5

    7f309f4fe8458f65abb524e25d601be6

    SHA1

    9dcd31c91a6f08e1cc990c09af188f55396acc3b

    SHA256

    307464933b1d1be17224ef6a9561b6a1b786360fb0ab4d9295a6999bf77bd7b6

    SHA512

    f1747e31a8581d8eb3bcd7bc6c695303160d85008dbed1171cfb619388cda08610e4c378c9210ba4144cdbccfb16e41f1256f2f0113f706ad12847c46b0561e0

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\5WPs787t.xlsm
    Filesize

    23KB

    MD5

    aed9ab28c653317fa97c8f7a7a1ae966

    SHA1

    cfdd8a98d50020e9c8657a3f859af9d15d606da5

    SHA256

    34ad73a3af0b318f71e2cf7e2f4e634a46ff2a588c6e4d42b3010c985a181ed2

    SHA512

    dc4148da307db1fa626465cf62e29c52245df8d05d19844d8cbd7a0075d37a909d012d7d0d68647c54859957fea3cd4b30af94a8a31cefce3093aa922b3d575e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\tmp7C41.tmp
    Filesize

    1KB

    MD5

    abdd7ecd00f7b2a0b28a101a6c2f6341

    SHA1

    348a8fb9fa765cf3d7d212403bc825239465fa2a

    SHA256

    998fb2c1432a18dcffa62687a8f240917739b40290d6847a135ea81c9b751a47

    SHA512

    39ee5c5d26804e4c332f7e684987f5da605c0a2854a8c28547bb186f30a7091390fd027f77289eafc89e630e520ddf46599ffba9e0b2637bae96728c14be56d5

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    45f3b89430be2bef4f042a110aabbf00

    SHA1

    9106f8d9908d9bcd52153ea46c7ab8f10d4eaa3e

    SHA256

    931eaab2df74297b4b32e52752ee37b1b32619d08d680060c2c9856011fb03be

    SHA512

    5bd750ab35226aa94dd1971109ffc557cfcfda8a6461d16f8419aa945b360ded9192f41ffddf3d4d7f4db6222b8ec43603b345e4fff2d5b8980669d585fea44f

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
    Filesize

    7KB

    MD5

    7ddf18b7881eec8ffd69ff4c8db7fbf1

    SHA1

    4d23f8b50eb3de5fd44db3cd944ff5f4028a0f20

    SHA256

    5c14e24cb9bad6530eed14ac37eb05105d1a2e965a89d2d35899292e477ac679

    SHA512

    4cf320120095c636f85f30e2da03e5bf13d32b358f85f8d5966625214a5d37b8b937169d3356c67285803a5afa6e8c3c74824bb8bde55eeef186ac788d265853

    Download Submit

  • memory/1196-92-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1196-201-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1196-171-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1196-168-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1196-169-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/1196-89-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1332-62-0x0000000000D10000-0x0000000002144000-memory.dmp

    Filesize

    20.2MB

    Download

  • memory/2100-50-0x00000000000C0000-0x00000000000DE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2240-3-0x0000000006270000-0x00000000063CC000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2240-1-0x00000000013B0000-0x00000000027E4000-memory.dmp

    Filesize

    20.2MB

    Download

  • memory/2240-37-0x0000000074D40000-0x000000007542E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2240-2-0x0000000074D40000-0x000000007542E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2240-4-0x0000000000CA0000-0x0000000000CBE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2240-7-0x000000000B9B0000-0x000000000BACE000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/2240-6-0x0000000074D40000-0x000000007542E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2240-0-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2240-5-0x0000000074D4E000-0x0000000074D4F000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2376-102-0x00000000011E0000-0x00000000011FE000-memory.dmp

    Filesize

    120KB

    Download

  • memory/2692-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2692-170-0x000000005FFF0000-0x0000000060000000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3052-36-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-28-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-24-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-26-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-22-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-30-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-32-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-20-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download

  • memory/3052-34-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3052-35-0x0000000000400000-0x00000000004D9000-memory.dmp

    Filesize

    868KB

    Download