xred | ad86268bcd24388139c8461b34b70c01464bd9cbb4828ba0c4a7b9a8f9d74146

General

Target

abb4b042d87302cbba97a73a891a15b0N.exe
Size

817KB
MD5

abb4b042d87302cbba97a73a891a15b0
SHA1

e57928cda4542df058f205a6ee7d1287afa0e941
SHA256

ad86268bcd24388139c8461b34b70c01464bd9cbb4828ba0c4a7b9a8f9d74146
SHA512

d431d61e17838561a6368e9b6e192ade6cec3a85199771cb9cae21c82328688938e9239a122d76e59220bf762202a7148997ca98f7ba6f684aa3931f14f09d23
SSDEEP

12288:BMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Oajx0F:BnsJ39LyjbJkQFMhmC+6GD9HdC

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2760	._cache_abb4b042d87302cbba97a73a891a15b0N.exe
2796	Synaptics.exe
2564	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2840	abb4b042d87302cbba97a73a891a15b0N.exe
2840	abb4b042d87302cbba97a73a891a15b0N.exe
2840	abb4b042d87302cbba97a73a891a15b0N.exe
2840	abb4b042d87302cbba97a73a891a15b0N.exe
2796	Synaptics.exe
2796	Synaptics.exe
2796	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	abb4b042d87302cbba97a73a891a15b0N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_abb4b042d87302cbba97a73a891a15b0N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	abb4b042d87302cbba97a73a891a15b0N.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2600	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2600	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2760	2840	abb4b042d87302cbba97a73a891a15b0N.exe	30
PID 2840 wrote to memory of 2760	2840	abb4b042d87302cbba97a73a891a15b0N.exe	30
PID 2840 wrote to memory of 2760	2840	abb4b042d87302cbba97a73a891a15b0N.exe	30
PID 2840 wrote to memory of 2760	2840	abb4b042d87302cbba97a73a891a15b0N.exe	30
PID 2840 wrote to memory of 2796	2840	abb4b042d87302cbba97a73a891a15b0N.exe	32
PID 2840 wrote to memory of 2796	2840	abb4b042d87302cbba97a73a891a15b0N.exe	32
PID 2840 wrote to memory of 2796	2840	abb4b042d87302cbba97a73a891a15b0N.exe	32
PID 2840 wrote to memory of 2796	2840	abb4b042d87302cbba97a73a891a15b0N.exe	32
PID 2796 wrote to memory of 2564	2796	Synaptics.exe	33
PID 2796 wrote to memory of 2564	2796	Synaptics.exe	33
PID 2796 wrote to memory of 2564	2796	Synaptics.exe	33
PID 2796 wrote to memory of 2564	2796	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\abb4b042d87302cbba97a73a891a15b0N.exe
"C:\Users\Admin\AppData\Local\Temp\abb4b042d87302cbba97a73a891a15b0N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Users\Admin\AppData\Local\Temp\._cache_abb4b042d87302cbba97a73a891a15b0N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_abb4b042d87302cbba97a73a891a15b0N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2564

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
817KB

MD5
abb4b042d87302cbba97a73a891a15b0

SHA1
e57928cda4542df058f205a6ee7d1287afa0e941

SHA256
ad86268bcd24388139c8461b34b70c01464bd9cbb4828ba0c4a7b9a8f9d74146

SHA512
d431d61e17838561a6368e9b6e192ade6cec3a85199771cb9cae21c82328688938e9239a122d76e59220bf762202a7148997ca98f7ba6f684aa3931f14f09d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\6W88XKvr.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\6W88XKvr.xlsm

Filesize
24KB

MD5
b533968127108ef2ae8ac56b7f5b1daa

SHA1
8269bbea0be02119a388f108d8c0a2f5e4112fb2

SHA256
007e2b5928c52277ec91e1be3eb842ddba6bff966c26a42838e0112acb444647

SHA512
180dbe0ef17f9f3aaeee94112646ee1be59f90471ea4f2a5ecab21d05d81c59f2f13d00638b08ef736c88a2246ef10f3e88d796523ffcf3b022e6dedc89b1a4d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_abb4b042d87302cbba97a73a891a15b0N.exe

Filesize
64KB

MD5
059203fd4737e90742a19626a06906df

SHA1
3189fbf7b6b0952404bbca0c8b6205603b861771

SHA256
0c8d17e077a7d547613c61fdf7328356430eacb83237dc3d440283ad56e79909

SHA512
f1ec330ad0258b00bb027906f524e8824a0cb222d60c4f6d43207f36afb8bd76d2152505ed06f229f2e7508ac8f8a844d1277aaae70878cf2a561756fb2acaa7

Download Submit
memory/2564-42-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2600-43-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-20-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2796-86-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2796-121-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2840-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2840-29-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads