xred | 7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5

Analysis

max time kernel
141s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 03:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
Size

1.1MB
MD5

970271167de81bdd630c912265ba843c
SHA1

65aca5de62e377dcf2a760c47b2957a34c2eda73
SHA256

7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5
SHA512

fe9642e53e707522c631d26f75c89ffb07782e7b92046b2aef1f8656727bac4b1e554076eb8edb2b7c5cb3d42e10cf4adec3fa8ef4f4620110bd8a93261e3400
SSDEEP

24576:dnsJ39LyjbJkQFMhmC+6GD9wAlJx8Eporn:dnsHyjtk2MYC5GDCMCEOrn

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1812	._cache_7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
1624	Synaptics.exe
2768	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
1624	Synaptics.exe
1624	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1812	._cache_7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1812	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	30
PID 2492 wrote to memory of 1812	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	30
PID 2492 wrote to memory of 1812	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	30
PID 2492 wrote to memory of 1812	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	30
PID 2492 wrote to memory of 1624	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	31
PID 2492 wrote to memory of 1624	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	31
PID 2492 wrote to memory of 1624	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	31
PID 2492 wrote to memory of 1624	2492	7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe	31
PID 1624 wrote to memory of 2768	1624	Synaptics.exe	32
PID 1624 wrote to memory of 2768	1624	Synaptics.exe	32
PID 1624 wrote to memory of 2768	1624	Synaptics.exe	32
PID 1624 wrote to memory of 2768	1624	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
"C:\Users\Admin\AppData\Local\Temp\7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Users\Admin\AppData\Local\Temp\._cache_7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1812
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2768

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
970271167de81bdd630c912265ba843c

SHA1
65aca5de62e377dcf2a760c47b2957a34c2eda73

SHA256
7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5

SHA512
fe9642e53e707522c631d26f75c89ffb07782e7b92046b2aef1f8656727bac4b1e554076eb8edb2b7c5cb3d42e10cf4adec3fa8ef4f4620110bd8a93261e3400

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgW4OEz2.xlsm

Filesize
23KB

MD5
6962cc10c3b7b51bdc1756d047994a6f

SHA1
daeeb19332af4532609f53f34d9ed4ae2cc7e7ce

SHA256
39c6ccabe9151e6843c7563c8a2edb84be16a062c1f41a5fd321774abb0f68ed

SHA512
efac9ce8fec27abc405ce7c8f9014ee4be7e754178a8d27b683154db2de26c1619df91ce8e8cfaff846a768a0485ad9047409dddd82f1d0021c0eafb4d947008

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgW4OEz2.xlsm

Filesize
24KB

MD5
203756fee894e8a968b416dcf83af98c

SHA1
c5d8bfcb0d7643fc9429cf5dea31124ddb0a8062

SHA256
13ac5e2e0a4f89685397c350156cfb1bc0a9a60c2277a58a36da565e3c927d6d

SHA512
6716e5a7dfb644b7a42f690e889e7d89b4bdc3aa8b4725795209ae7745c72e922a249fbc1eb1c3069ba6d4a2e71699919a3ecf0cc7649924a741d1bd5d95efe5

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgW4OEz2.xlsm

Filesize
27KB

MD5
81f5a90797efa49a97695aec3cc592bc

SHA1
6d4501f835a839096be056dad0af4f0445228958

SHA256
0ced6f6915ffc6074665a7943975ece96cb2e1fe7570f00eb78a678694cc9f92

SHA512
fc4a984b952ea2acbf86756fab74908ba1e71361888b1219f7d6ca6f687c492e6ac7c6ba52c83de7d5993a51bcff07ba3c282963b71f3ac42a92424e461fc52f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgW4OEz2.xlsm

Filesize
25KB

MD5
4fcfaa7a7f91f21c463dad0a898c5a04

SHA1
be38ec8828314754362331cb1c6e003208e248a8

SHA256
76d494f236b75b930a80ae6eb33e46256f7a3854425f77efd10f6f6552390cbf

SHA512
f4089119f1d8656256945763cf957af1bde599ea31cdc587424895c7536efbe9ff0544b6d8fea6b862e6dc8d63c55f3142a8230ee3e8ee3e04c1f9b7dbb46826

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgW4OEz2.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\KgW4OEz2.xlsm

Filesize
28KB

MD5
71124ed8828bf31fe018b71ffdafb0e2

SHA1
17c69b289c2078c591e275b7a80b1d8b588a51d9

SHA256
d68e54793700053ddaeb1abfda16c59537db0609df20c54a53a372d2095d3d56

SHA512
7d42c5d1926afb70d83372224b1889dadeabc209ab4e0d498b804390a3a24c646471923d9b230b90ab9abc3ef82190abbbbfa73384ce811a559444305158c753

Download Submit
C:\Users\Admin\Desktop\~$StepInitialize.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_7f0d56ac6044835dea627cd0997520fc9c314cf508f966923593067b8d2b57d5.exe

Filesize
333KB

MD5
c6377c648ac8775fcc8302c1db14a8aa

SHA1
2b5faa68d1c9ff2572210a6420b39e9b2d4394c9

SHA256
df6589654abfacb1490a9f19e9c0e32623e73f2a1b852e8a8379b7873d03a33a

SHA512
dfb7ea7eb049847f0ebebbd74b4fe39b464b61ca0cb161186f5a40cb8e96978f73df200ce43b0e69a8707150f2026d6171109dbd60cb498aa74465e9d96e909f

Download Submit
memory/1624-35-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1624-127-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1624-128-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1624-160-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2492-25-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2492-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2624-36-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads