xred | 9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68

Analysis

max time kernel
140s
max time network
141s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
04-02-2025 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
Size

900KB
MD5

e982f4be3294ca33f1be17c659c262d5
SHA1

5df5f09fc62adadec4ef6331f6466134027779c6
SHA256

9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68
SHA512

3aaa7f11b4972ccaec5f4f0cd23173e240649d78c16eb38b5540c5dbcc2d4dbd1fde0e115103cdecef7def7baebb9fd3185355dfd0aecdd5683490eda526e5de
SSDEEP

12288:8MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9jBFUNDaSx:8nsJ39LyjbJkQFMhmC+6GD9VFOa4

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000016d3a-104.dat
behavioral1/files/0x0007000000016d43-117.dat
behavioral1/files/0x0009000000016d3a-128.dat

Executes dropped EXE 5 IoCs

pid	Process
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2876	Synaptics.exe
2828	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2796	._cache_Synaptics.exe
2724	._cache_synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2876	Synaptics.exe
2876	Synaptics.exe
2796	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\Resources\Themes\icsys.icn.exe	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2824	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
2796	._cache_Synaptics.exe
2796	._cache_Synaptics.exe
2824	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2608	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	30
PID 2016 wrote to memory of 2608	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	30
PID 2016 wrote to memory of 2608	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	30
PID 2016 wrote to memory of 2608	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	30
PID 2016 wrote to memory of 2876	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	31
PID 2016 wrote to memory of 2876	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	31
PID 2016 wrote to memory of 2876	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	31
PID 2016 wrote to memory of 2876	2016	9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	31
PID 2608 wrote to memory of 2828	2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	32
PID 2608 wrote to memory of 2828	2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	32
PID 2608 wrote to memory of 2828	2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	32
PID 2608 wrote to memory of 2828	2608	._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe	32
PID 2876 wrote to memory of 2796	2876	Synaptics.exe	33
PID 2876 wrote to memory of 2796	2876	Synaptics.exe	33
PID 2876 wrote to memory of 2796	2876	Synaptics.exe	33
PID 2876 wrote to memory of 2796	2876	Synaptics.exe	33
PID 2796 wrote to memory of 2724	2796	._cache_Synaptics.exe	35
PID 2796 wrote to memory of 2724	2796	._cache_Synaptics.exe	35
PID 2796 wrote to memory of 2724	2796	._cache_Synaptics.exe	35
PID 2796 wrote to memory of 2724	2796	._cache_Synaptics.exe	35

C:\Users\Admin\AppData\Local\Temp\9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
"C:\Users\Admin\AppData\Local\Temp\9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Users\Admin\AppData\Local\Temp\._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2608
- - \??\c:\users\admin\appdata\local\temp\._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
    c:\users\admin\appdata\local\temp\._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe
    3⤵
    - Executes dropped EXE
    PID:2828
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - \??\c:\users\admin\appdata\local\temp\._cache_synaptics.exe
      c:\users\admin\appdata\local\temp\._cache_synaptics.exe InjUpdate
      4⤵
      Executes dropped EXE
      PID:2724

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
900KB

MD5
e982f4be3294ca33f1be17c659c262d5

SHA1
5df5f09fc62adadec4ef6331f6466134027779c6

SHA256
9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68

SHA512
3aaa7f11b4972ccaec5f4f0cd23173e240649d78c16eb38b5540c5dbcc2d4dbd1fde0e115103cdecef7def7baebb9fd3185355dfd0aecdd5683490eda526e5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe

Filesize
147KB

MD5
5709f37da09ff8cfe06b91a8d369fa21

SHA1
54d55606b527252b1852277fb2766a1d8503fb96

SHA256
2c0de1143a89a879eb1ae1f3b4030af453cc017c3f298c52376f9615f29214eb

SHA512
7ef5505e89c62188a61713054da153c84ff613ed8d3a4c28529195c2ac624d993b5fdfb957da119adaac8ee9d28088b89911756e1cae18c5525442a36db1165a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNU2Anjd.xlsm

Filesize
23KB

MD5
b597669dab8ea538e9e19f0cbf48fb95

SHA1
b15f226706e244a709caaeba2138c5bca0a148d7

SHA256
5f05cb5b10aa786bee3aa53f8548690185c9db8fd7086543a4a828ed8c5ecf5f

SHA512
5dc3a7734235400883226131c3f7bbb12583c1367d4b02c71f2bbf315abab796e79ac963bc86367e2e9e5081bf58b4785de614ec90e8f15edcc326615401c8ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNU2Anjd.xlsm

Filesize
30KB

MD5
b22f2944fcf3c55f67ba85acd1df3a6b

SHA1
c8a5252a5e628b41f77d57aa4130d58619ba3dbf

SHA256
cc0a690c77e39d958d0d34cc87076f670b2e1a3f71cc56d23975b415ec01073a

SHA512
f8aadc307622c0546339c5c3f110d0ed922bed3692154cf393e3f457897f67725a68149b4032007908221f57bf6e7f4bf67e8cad84cb29e21b56368f453db5fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNU2Anjd.xlsm

Filesize
29KB

MD5
00d0d94c375280434fabacdfe4a3c631

SHA1
9782e5c5d71a6661482fcd4024965b5f32a3b127

SHA256
447ffd9ccb22c3ad772f3dc70144e9b949a30fb09b5a30c0396a15b5a469b95d

SHA512
de81ed7e31d57a6870046c7538e573fe1137602fe6feeb42483e832c5cd1f42fda9e7c9746da021ff0d5cab249a2f5530f3d6b20659d7927c7715077451914c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNU2Anjd.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\UNU2Anjd.xlsm

Filesize
27KB

MD5
ea270a89429038a77175d34acc312888

SHA1
0c00ec5cb30c23d2de8378c3eb6b82b188f4f147

SHA256
3862fb460a8c2539aaedd52c09e176fb4ce17d963b08e371945a4e68aca55104

SHA512
eb24af1cbb52a2e424bfdc0b287ba5b7652cf61bcb2c0d7b7222c631f889d524eb4f7a2892c326886d055aa33175120cdb11a2e7b26db36ce851decaa60d4b29

Download Submit
C:\Users\Admin\Downloads\~$RegisterLock.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
C:\Windows\Resources\Themes\icsys.icn.exe

Filesize
135KB

MD5
8c8444fbeb7cd8aed2edb25013aeb201

SHA1
46c9055fbee194cb16b3d492da0079c5097f1ff9

SHA256
9ac2a97cb7e857535d3950de4e9baf774405359fd92438c7c0e5184e47a3e6e1

SHA512
1f5f5515659bdd5f8181603275df96b8b6ab5c1578b50bf656274625bc1cbb2de9d49601a9e87af0bb2723615a942eaf16edb15140ee188c31ead505f1ab6fec

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_9415d6f9d3f5e8b108523a3db1131b793777b2cd03b65d47d6f5c0d1ede65b68.exe

Filesize
12KB

MD5
868decf198eac73b07cc29551c737763

SHA1
de1c7291eabfdda5a0a085424a9c0127db94093e

SHA256
a98a9bd6ce8e4a1309d8d1594bc60f6d84ff69d0803091ee95519c0a6622570d

SHA512
95bed54e6652a2fa29576bd9b3453c9518ec003e5a327fecd8044062e5110afac58aafb3cbeece7c3f930e3ef2fb597c2e94e3ea8a11a2aeec0063a362edab4d

Download Submit
memory/2016-17-0x0000000003ED0000-0x0000000003EEF000-memory.dmp

Filesize
124KB

Download
memory/2016-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2016-30-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2608-18-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2608-137-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2796-138-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2824-56-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2876-45-0x0000000004000000-0x000000000401F000-memory.dmp

Filesize
124KB

Download
memory/2876-136-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2876-139-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2876-171-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2876-173-0x0000000004000000-0x000000000401F000-memory.dmp

Filesize
124KB

Download