xred | 9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4

Analysis

max time kernel
112s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 19:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Size

1.1MB
MD5

df3901a8f7f3c0dacaccc1d3a6436f40
SHA1

88d2f84d1a472efd09f7b9c7cf8619bd679442df
SHA256

9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4
SHA512

12b1c6ee60007321a1333532411ae7a8717a8f2ae27b14ae390f7e63efbd47a219c5e353b00cfc2ed21537e9b78d3457f67c3d4038e62eed9503723a5fb9a075
SSDEEP

24576:1nsJ39LyjbJkQFMhmC+6GD95PjO7KX53RTh0tFda3K:1nsHyjtk2MYC5GDTrOO53RTqtiK

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
1384	._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
2416	Synaptics.exe
5116	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4820	EXCEL.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE
4820	EXCEL.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 1384	1656	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	85
PID 1656 wrote to memory of 1384	1656	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	85
PID 1656 wrote to memory of 1384	1656	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	85
PID 1656 wrote to memory of 2416	1656	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	87
PID 1656 wrote to memory of 2416	1656	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	87
PID 1656 wrote to memory of 2416	1656	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	87
PID 2416 wrote to memory of 5116	2416	Synaptics.exe	88
PID 2416 wrote to memory of 5116	2416	Synaptics.exe	88
PID 2416 wrote to memory of 5116	2416	Synaptics.exe	88

C:\Users\Admin\AppData\Local\Temp\9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
"C:\Users\Admin\AppData\Local\Temp\9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Users\Admin\AppData\Local\Temp\._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1384
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2416
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5116

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
df3901a8f7f3c0dacaccc1d3a6436f40

SHA1
88d2f84d1a472efd09f7b9c7cf8619bd679442df

SHA256
9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4

SHA512
12b1c6ee60007321a1333532411ae7a8717a8f2ae27b14ae390f7e63efbd47a219c5e353b00cfc2ed21537e9b78d3457f67c3d4038e62eed9503723a5fb9a075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\59D76868C250B3240414CE3EFBB12518_DED20A0F952AFF3092F4A1CA14DFAF28

Filesize
471B

MD5
e4a6e685f5b6dc949e262675778538e2

SHA1
183387f159880d9d9f6781b1ed206e89a7602eec

SHA256
186728cdc8e873b5a6e6b4d492a50492a72b19efffb3f7b7bbb779abe2b47229

SHA512
caf70e7adf2dc2dfaa9c302b862a54f9d1170b41705db66c5483980c69b570f1173b7f55789dc70da2568427ca6159aaa9408ce3e045135bfe55fe36a528adf2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
471B

MD5
a0688939142428010a3f0bcc7c383f85

SHA1
187326c4d0cc41ae24bbc88083b00fa83b76074c

SHA256
1ba62412d4fa05bee752d74dac0369115e2fdd5ceeff8aff6cd6da89eab60c69

SHA512
7ff6b98538e280614622145c46d7c261219738d03feeb59898cf3394875b956026d2b5637c394ce2b53f4ef09804da6737419ee70368e33231b956ef58f4acbe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\59D76868C250B3240414CE3EFBB12518_DED20A0F952AFF3092F4A1CA14DFAF28

Filesize
408B

MD5
24d911d8ee4944e2240b2714811d8975

SHA1
0edd2b4428b6ea582a7018a6035f893ab14a15be

SHA256
7c14571327314bca9daa4650e48ba14009236db341dc49ae8f0bb89fcd2a5e43

SHA512
4fbfa5870ea354bf75ac7c70eb8057369c767e344004517a113398c3fdde21de079e2d4130263f11787e7cea174da7955369eb3ea11d2fd525c521d0b4add00c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419

Filesize
412B

MD5
c971ca6fc602b61d1ea2aaaf68208adf

SHA1
0c4b3a29bc665cf4f56006805c645bbdd4b720c9

SHA256
eabc4ac805a8e5b016100d149df1d469fd611092a01fc227f7c9a2059cca77bc

SHA512
09c63676474f859ce570d4b47569debb7730c71d3d966661fed37c21f1039b7c3029202a0413c93593420c4e5d466bce7a2200b330a6b89e618dd3c80381ce2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe

Filesize
324KB

MD5
401d2bb1174f24689d0279ee0d4c4c85

SHA1
6182304eb212b5458f0c6b18c5d8bcd8da18c96a

SHA256
6fc6a0156e6f38b1d61ee39df837fa3f49e9f87807599dc9694582d7d646c23e

SHA512
ee0bedd2029b9aa724af8c2991303402359193132d92e1bea755c12b4c6828fe320a12d05642cf0bb69257fc873ffe12e7a6db53b14d532e18c32374179d229f

Download Submit
C:\Users\Admin\AppData\Local\Temp\92E75E00

Filesize
24KB

MD5
ad9596ce1ec8187ff158b3ba43f3bd1a

SHA1
beea783fd7c2094a65d808762a9cfc41b3f921b6

SHA256
e518fe40f402636ff7bf2fe00b8e6eb74ae49c6097b4bc2d521a46110bb5c11f

SHA512
6bf3657706b9da71f9bf08087880985b9d20727c97eb346666c869cc88a775fd6b746e021ece09965f268ccdb0ec1db81a0daf569c222176072ec1aabacf4693

Download Submit
C:\Users\Admin\AppData\Local\Temp\GC8X2AER.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\LogTransport2\LogTransport2.cfg

Filesize
142B

MD5
708e70bb8457512bd59b0b1d1ae5cf95

SHA1
338aac5c514b8bcd82b56e4df2b32b92888b3117

SHA256
8f46a5749117a9f6447458d20dc2e8a8fcb45db56c2be8bc8cf8b2851abae93d

SHA512
fde423f19062d2b33d218fa8de6e00295eb45a8d8e6685e460987c0f33ed0c5a306a5f4fb50aa920fbf3f80462ef24d9b5287b050baa868a0896bc0daeb7925c

Download Submit
memory/1656-127-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/1656-0-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/2416-259-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2416-290-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4820-193-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/4820-201-0x00007FFBCE540000-0x00007FFBCE550000-memory.dmp

Filesize
64KB

Download
memory/4820-197-0x00007FFBCE540000-0x00007FFBCE550000-memory.dmp

Filesize
64KB

Download
memory/4820-195-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/4820-194-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/4820-192-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download
memory/4820-191-0x00007FFBD0CF0000-0x00007FFBD0D00000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads