xred | 1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978

General

Target

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Size

3.2MB
MD5

bf99986ff3cfde75edf8a2433e217970
SHA1

4d8852179b0f8e8f361be7c20e47de0c9f41bfd5
SHA256

1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978
SHA512

321a3125d417257128dc6475dffcf369242fd84d75fa2fca83608e74002bcafba01f79087e9d191252c542477034667e2bf13509ff79272d0cc831da9b4315fc
SSDEEP

49152:DnsHyjtk2MYC5GDkVCZ7CYG91YEzNIbd18dStQyfvE0Z3R0nxiIq2dd0ZyWmX4:Dnsmtk2a9CZ7CXQEzNwABKtQRq2RX4

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	._cache_Synaptics.exe
File created	C:\Windows\SysWOW64\drivers\mbamtestfile.dat	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	._cache_Synaptics.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
4616	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
3100	Synaptics.exe
3184	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\mbamtestfile.dat	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
File created	C:\Program Files (x86)\mbamtestfile.dat	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4616	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
4616	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
3184	._cache_Synaptics.exe
3184	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4616	._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
3184	._cache_Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4616	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	90
PID 4416 wrote to memory of 4616	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	90
PID 4416 wrote to memory of 4616	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	90
PID 4416 wrote to memory of 3100	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	91
PID 4416 wrote to memory of 3100	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	91
PID 4416 wrote to memory of 3100	4416	1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe	91
PID 3100 wrote to memory of 3184	3100	Synaptics.exe	93
PID 3100 wrote to memory of 3184	3100	Synaptics.exe	93
PID 3100 wrote to memory of 3184	3100	Synaptics.exe	93

C:\Users\Admin\AppData\Local\Temp\1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
"C:\Users\Admin\AppData\Local\Temp\1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe"
  2⤵
  - Drops file in Drivers directory
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:4616
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3100
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Drops file in Drivers directory
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3212,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
1⤵
PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\mbamtestfile.dat

Filesize
6B

MD5
9f06243abcb89c70e0c331c61d871fa7

SHA1
fde773a18bb29f5ed65e6f0a7aa717fd1fa485d4

SHA256
837ccb607e312b170fac7383d7ccfd61fa5072793f19a25e75fbacb56539b86b

SHA512
b947b99d1baddd347550c9032e9ab60b6be56551cf92c076b38e4e11f436051a4af51c47e54f8641316a720b043641a3b3c1e1b01ba50445ea1ba60bfd1b7a86

Download Submit
C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.2MB

MD5
bf99986ff3cfde75edf8a2433e217970

SHA1
4d8852179b0f8e8f361be7c20e47de0c9f41bfd5

SHA256
1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978

SHA512
321a3125d417257128dc6475dffcf369242fd84d75fa2fca83608e74002bcafba01f79087e9d191252c542477034667e2bf13509ff79272d0cc831da9b4315fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_1bd6d53193b00c142b2df83f3f1454c2cb66139cfa53f824215d5c00dc92d978.exe

Filesize
2.5MB

MD5
4e19e70399076ab58d1160d0fa2664ec

SHA1
e7ca7e0f1895c6bf60a14d6fbb0ccd4fb10a3134

SHA256
b9ee60f31be0b7dc3f814c8abbc7caacb6a3e1dc7eb1504b8e831dd42277f8d8

SHA512
f6338b52cb5a80d960e6b1ec72a28538614782a75d0270cb89e911160c0a0e8e3a4d0f93fb902c70c37cc5f4da0529043776e2c0b59287096f976addb7e584d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\mbsetup.log

Filesize
2KB

MD5
47ee0716da85133a99d27d847110e374

SHA1
c7231f19a6723991a974dd5462dbfb07c3e79004

SHA256
9c60c265b10c23bd1d7049bb95eeacc978743f1e58008d4febbdbab197152862

SHA512
14d3a44cacb531d153f3a078e9c0edc8663e87e9f5bc3c758e0505f0b7f69a80287554782d83795647e28a95708316fb52437b852275bd453e535719e93a483a

Download Submit
memory/3100-128-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3100-201-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/3100-203-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/3100-208-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/3100-227-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download
memory/4416-0-0x00000000025E0000-0x00000000025E1000-memory.dmp

Filesize
4KB

Download
memory/4416-126-0x0000000000400000-0x000000000073B000-memory.dmp

Filesize
3.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads