xred | 68d41d21c16bae85f9a857511a5a1b3ccc28adc3721b82b17262e0e64f5a53f2

General

Target

System Volume Information.exe
Size

823KB
MD5

c2cdae15750e17383ec3b4225bf32a9f
SHA1

e743955ba3d7c6edaf4dae0400b990b271839eb7
SHA256

68d41d21c16bae85f9a857511a5a1b3ccc28adc3721b82b17262e0e64f5a53f2
SHA512

8ef7aa545deb4e7a106b4e92744319522021aa8992a801e3330d5a0bbdefafb11571a3594dd38670916eda44387dfdbb208f9977a587e12ef3b5f38b4ebbdd51
SSDEEP

12288:ZMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9xEBpij:ZnsJ39LyjbJkQFMhmC+6GD92e

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Executes dropped EXE 3 IoCs

Processes:

._cache_System Volume Information.exeSynaptics.exe._cache_Synaptics.exe

pid process

2332 ._cache_System Volume Information.exe
2664 Synaptics.exe
2844 ._cache_Synaptics.exe
Loads dropped DLL 5 IoCs

Processes:

System Volume Information.exeSynaptics.exe

pid process

2256 System Volume Information.exe
2256 System Volume Information.exe
2256 System Volume Information.exe
2664 Synaptics.exe
2664 Synaptics.exe

pid	process
2332	._cache_System Volume Information.exe
2664	Synaptics.exe
2844	._cache_Synaptics.exe

pid	process
2256	System Volume Information.exe
2256	System Volume Information.exe
2256	System Volume Information.exe
2664	Synaptics.exe
2664	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

System Volume Information.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	System Volume Information.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

System Volume Information.exeSynaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	System Volume Information.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2592 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2592 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2592	EXCEL.EXE

pid	process
2592	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

System Volume Information.exeSynaptics.exe

description	pid	process	target process
PID 2256 wrote to memory of 2332	2256	System Volume Information.exe	._cache_System Volume Information.exe
PID 2256 wrote to memory of 2332	2256	System Volume Information.exe	._cache_System Volume Information.exe
PID 2256 wrote to memory of 2332	2256	System Volume Information.exe	._cache_System Volume Information.exe
PID 2256 wrote to memory of 2332	2256	System Volume Information.exe	._cache_System Volume Information.exe
PID 2256 wrote to memory of 2664	2256	System Volume Information.exe	Synaptics.exe
PID 2256 wrote to memory of 2664	2256	System Volume Information.exe	Synaptics.exe
PID 2256 wrote to memory of 2664	2256	System Volume Information.exe	Synaptics.exe
PID 2256 wrote to memory of 2664	2256	System Volume Information.exe	Synaptics.exe
PID 2664 wrote to memory of 2844	2664	Synaptics.exe	._cache_Synaptics.exe
PID 2664 wrote to memory of 2844	2664	Synaptics.exe	._cache_Synaptics.exe
PID 2664 wrote to memory of 2844	2664	Synaptics.exe	._cache_Synaptics.exe
PID 2664 wrote to memory of 2844	2664	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\System Volume Information.exe
"C:\Users\Admin\AppData\Local\Temp\System Volume Information.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2256
- C:\Users\Admin\AppData\Local\Temp\._cache_System Volume Information.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_System Volume Information.exe"
  2⤵
  - Executes dropped EXE
  PID:2332
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2844

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
823KB

MD5
c2cdae15750e17383ec3b4225bf32a9f

SHA1
e743955ba3d7c6edaf4dae0400b990b271839eb7

SHA256
68d41d21c16bae85f9a857511a5a1b3ccc28adc3721b82b17262e0e64f5a53f2

SHA512
8ef7aa545deb4e7a106b4e92744319522021aa8992a801e3330d5a0bbdefafb11571a3594dd38670916eda44387dfdbb208f9977a587e12ef3b5f38b4ebbdd51

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZtVrtfG.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZtVrtfG.xlsm

Filesize
26KB

MD5
7e350e0bddc04aa87dac5432aadfbaae

SHA1
97ca161d69dbd4d54bbc1f16f1460534b2a68e59

SHA256
780b9cb4ef2c7d63901ea5e74acb5e26d17e61cf74caca66d4599bcb18a0d854

SHA512
4eabce662a6dd59921c284842abcdc51fcd7835d1ade0f077aa1c67986343a4df4037bb6100e727c0c6f73ec176cb6d13321cfc588813a6bc62f52c35d3094a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZtVrtfG.xlsm

Filesize
28KB

MD5
9449ef902ec7b632aad7908122ac1ba3

SHA1
c08a402657b0bb3520fac7b9cbca7334054f3cb3

SHA256
4fbe256a61c2fb59e64d0e99256c847c528fe3a8b388b38831d2111d74c38beb

SHA512
347bbc05c1e8ecf6773fffa6a55c07e2ff8068287bfbe76eea7fbe1e517d599abf206439d624da812bb39d5cc415cf0b24756c339724d89ae6c4fb8f8dc6d8ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZtVrtfG.xlsm

Filesize
23KB

MD5
6feed09a2ab1628a79d9d7b64527cab4

SHA1
dcd7898e0434cb03f2a0baef0d509499c85af126

SHA256
e6859b52a0b99ef68de3ed3b7a57b5a4868c4c2955e8039d53c3b7178825e115

SHA512
c19c704539ef6665181ec04d217c68d449870ca888a7f3478bb685128937d2de153cab104dc616c811604cd49dd00d83fd6cd88e8f588fb5bfc1c3072f092011

Download Submit
C:\Users\Admin\AppData\Local\Temp\hZtVrtfG.xlsm

Filesize
26KB

MD5
24b20df78666118ed81eda871b1e447d

SHA1
98243ab6a8d4e47c7c31dd69eb492e72f5ffad9f

SHA256
458c0a1e0e8100e9c9d033dde9451a0050d6ebdd479cb93c23d3b7217d119dac

SHA512
e5bacbe4acfc03f2c8e1c1e2c5a6268880d1ba352931d7d039f26a3d612ba5aea7da24cb054a46a5bb1aaa12b0e029c9f0e4c3006944c8516f17690f5cce7e03

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$hZtVrtfG.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_System Volume Information.exe

Filesize
69KB

MD5
f2b28d713c51ab91e3452f7f98416123

SHA1
039b9b9562971d19e2ebdcd27d209ff26575b94c

SHA256
29b58fcac5050f4c966a71c1ce147f33e221ff34ba3b1bfa6433e208ac708c14

SHA512
48d389f477a77eb16389dc011e0e89ba93d28f3fb81fec3d00c3b606ab4d0cc27b45d945265e170172445da46028a7e69451dbf19b34a2e4c6d6b5987eb3eda8

Download Submit
memory/2256-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2256-25-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2592-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2592-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2664-112-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download
memory/2664-145-0x0000000000400000-0x00000000004D4000-memory.dmp

Filesize
848KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads