xred | c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da

General

Target

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Size

3.5MB
MD5

419261a8cdf19560d4a39ab434ee5270
SHA1

dabae0f912f2d85f74f4461fb4dd813e6fe1b3d5
SHA256

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da
SHA512

6ec51e4ea5d66b3fe39528f8074414e46f4212033308b57921a7b56570d45c8b60e18d19ac090c171239a423f5e65fa9ea035a26671286aea262616569437878
SSDEEP

49152:insHyjtk2MYC5GDrzKT4qsEEXJeHuvokx7vDKo80wkSu2l/qtSupzeB/:insmtk2a+K1rOvoqa/Vr/uteB/

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

Processes:

._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe._cache_Synaptics.exe

pid	Process
2164	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
2844	Synaptics.exe
2676	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe

pid	Process
2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
2844	Synaptics.exe
2844	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exeEXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2652	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

._cache_Synaptics.exe

description	pid	Process
Token: SeDebugPrivilege	2676	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

._cache_Synaptics.exe

pid	Process
2676	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid	Process
2652	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exeSynaptics.exe._cache_Synaptics.exe

description	pid	Process	procid_target
PID 2088 wrote to memory of 2164	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2088 wrote to memory of 2164	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2088 wrote to memory of 2164	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2088 wrote to memory of 2164	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2088 wrote to memory of 2844	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	31
PID 2088 wrote to memory of 2844	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	31
PID 2088 wrote to memory of 2844	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	31
PID 2088 wrote to memory of 2844	2088	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	31
PID 2844 wrote to memory of 2676	2844	Synaptics.exe	32
PID 2844 wrote to memory of 2676	2844	Synaptics.exe	32
PID 2844 wrote to memory of 2676	2844	Synaptics.exe	32
PID 2844 wrote to memory of 2676	2844	Synaptics.exe	32
PID 2676 wrote to memory of 1672	2676	._cache_Synaptics.exe	35
PID 2676 wrote to memory of 1672	2676	._cache_Synaptics.exe	35
PID 2676 wrote to memory of 1672	2676	._cache_Synaptics.exe	35
PID 2676 wrote to memory of 2444	2676	._cache_Synaptics.exe	37
PID 2676 wrote to memory of 2444	2676	._cache_Synaptics.exe	37
PID 2676 wrote to memory of 2444	2676	._cache_Synaptics.exe	37
PID 2676 wrote to memory of 2248	2676	._cache_Synaptics.exe	39
PID 2676 wrote to memory of 2248	2676	._cache_Synaptics.exe	39
PID 2676 wrote to memory of 2248	2676	._cache_Synaptics.exe	39
PID 2676 wrote to memory of 2176	2676	._cache_Synaptics.exe	41
PID 2676 wrote to memory of 2176	2676	._cache_Synaptics.exe	41
PID 2676 wrote to memory of 2176	2676	._cache_Synaptics.exe	41

C:\Users\Admin\AppData\Local\Temp\c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
"C:\Users\Admin\AppData\Local\Temp\c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe"
  2⤵
  - Executes dropped EXE
  PID:2164
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2676
  - - C:\Windows\system32\java.exe
      "C:\Windows\system32\java.exe" -version
      4⤵
      PID:1672
  - - C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
      "C:\Program Files\Java\jdk1.7.0_80\bin\java.exe" -version
      4⤵
      PID:2444
  - - C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe" -version
      4⤵
      PID:2248
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -version
      4⤵
      PID:2176

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
419261a8cdf19560d4a39ab434ee5270

SHA1
dabae0f912f2d85f74f4461fb4dd813e6fe1b3d5

SHA256
c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da

SHA512
6ec51e4ea5d66b3fe39528f8074414e46f4212033308b57921a7b56570d45c8b60e18d19ac090c171239a423f5e65fa9ea035a26671286aea262616569437878

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXFfpAVo.xlsm

Filesize
23KB

MD5
91e8f9b8730c26776de08ae057aa8748

SHA1
596cfecc818cd89e822fa80948a771eb2ba460df

SHA256
1eb272d114ad4081078cbc57f8d5de44a4c63b850d7b28c8278a19be1be2cac3

SHA512
aa3c1211d4d4152ad6e6d58ae289d40bac059e24a3cb42dce894d54a060ea334e5ee84d2188316f89cd113b1e1a6241f9d003899207fca67d045665e9bb199e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXFfpAVo.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\xXFfpAVo.xlsm

Filesize
22KB

MD5
69292abab7a01d0d6f610050f890be7a

SHA1
ee0c2798c0b64356cee67496016860947ee84fd9

SHA256
7eed19c57e525bd3d58488c8b9a4d32333b68b3b4e5ed914a794cc0e0b5bc6af

SHA512
cad7b21a802a5fc1be4f243d0d6503b53a070508a1c0d72c1274ce1c0f7c4c9f312221b8247da3bcd8f56957fd2d54ce7151734ec6ac703339d8fcc792244f49

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

Filesize
2.8MB

MD5
e9580249182c0d7e81ee1c30154731b4

SHA1
7a9ca8f420d59b3cd45c188ce0f87bcae91e8d20

SHA256
03342485feb128ab14e35d84d9f48d428c9d8774b145dcd8d520baacd4aef92b

SHA512
c29d7947b07bbc03b66709257e9509761abba992a30bb1a60e09c31eca764314b95dca11a28e0ffc1b93c62548c06660fa05821ab6a74137cbed8185581a19a2

Download Submit
memory/1672-131-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2088-26-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/2088-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2164-17-0x0000000000EC0000-0x0000000001188000-memory.dmp

Filesize
2.8MB

Download
memory/2164-40-0x000000001BB80000-0x000000001BDE0000-memory.dmp

Filesize
2.4MB

Download
memory/2176-128-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2444-143-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2652-92-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2652-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2676-90-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/2676-89-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/2676-95-0x000000001B120000-0x000000001B1C8000-memory.dmp

Filesize
672KB

Download
memory/2676-36-0x0000000000080000-0x0000000000348000-memory.dmp

Filesize
2.8MB

Download
memory/2676-148-0x0000000000730000-0x000000000073A000-memory.dmp

Filesize
40KB

Download
memory/2844-147-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/2844-149-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/2844-184-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads