xred | 893b9d81483e83b7839cdda24fbfdc39044e0616cb7dad89c0a90f7cd9d69572

General

Target

58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Size

2.8MB
MD5

58b15dd5817b876fbd2c3230319bd8c0
SHA1

48234469c4688977f0942c09261d19c7b320e8b1
SHA256

893b9d81483e83b7839cdda24fbfdc39044e0616cb7dad89c0a90f7cd9d69572
SHA512

256da494e46eea70eb9d6ab2117aa4da0c52e3e55aeaca8b5faf7fa46db1f1ad06bb71b276982ff897049ae12d7a3a6e40490359d33ccab470c4877cd5361ea2
SSDEEP

49152:ZnsHyjtk2MYC5GDoy68c4iZ9ds5bk69oVqxZmQq+osEt5gqckXfmHyxCKQpQ01sF:Znsmtk2ah9ds5bk69oilq+osM5gqckMi

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
3100	._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
3852	Synaptics.exe
2912	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1188 wrote to memory of 3100	1188	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe	84
PID 1188 wrote to memory of 3100	1188	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe	84
PID 1188 wrote to memory of 3100	1188	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe	84
PID 1188 wrote to memory of 3852	1188	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe	85
PID 1188 wrote to memory of 3852	1188	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe	85
PID 1188 wrote to memory of 3852	1188	58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe	85
PID 3852 wrote to memory of 2912	3852	Synaptics.exe	87
PID 3852 wrote to memory of 2912	3852	Synaptics.exe	87
PID 3852 wrote to memory of 2912	3852	Synaptics.exe	87

C:\Users\Admin\AppData\Local\Temp\58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1188
- C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3100
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3852
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.8MB

MD5
58b15dd5817b876fbd2c3230319bd8c0

SHA1
48234469c4688977f0942c09261d19c7b320e8b1

SHA256
893b9d81483e83b7839cdda24fbfdc39044e0616cb7dad89c0a90f7cd9d69572

SHA512
256da494e46eea70eb9d6ab2117aa4da0c52e3e55aeaca8b5faf7fa46db1f1ad06bb71b276982ff897049ae12d7a3a6e40490359d33ccab470c4877cd5361ea2

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_58b15dd5817b876fbd2c3230319bd8c0_NeikiAnalytics.exe

Filesize
2.1MB

MD5
b1e4704df1509a6bfb646b1f9783a250

SHA1
88f5fb9e6c937bc0536bdd250fe4e920f1e51f48

SHA256
346269cf5d28b4ee005119c30fb28237082647d0424ec1f0bfc6d35ae8d0b48b

SHA512
879dc7e48c9371a1b90f637b7b16ebe341bc3dcbb1392249d64422f73e953f894993869ffd02927995ce81c6abe1a104a642b6488c101b43001c1e4530366f06

Download Submit
memory/1188-0-0x0000000002670000-0x0000000002671000-memory.dmp

Filesize
4KB

Download
memory/1188-128-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3852-129-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3852-190-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3852-192-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/3852-209-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download
memory/3852-216-0x0000000000400000-0x00000000006D7000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads