xred | c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da

General

Target

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Size

3.5MB
MD5

419261a8cdf19560d4a39ab434ee5270
SHA1

dabae0f912f2d85f74f4461fb4dd813e6fe1b3d5
SHA256

c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da
SHA512

6ec51e4ea5d66b3fe39528f8074414e46f4212033308b57921a7b56570d45c8b60e18d19ac090c171239a423f5e65fa9ea035a26671286aea262616569437878
SSDEEP

49152:insHyjtk2MYC5GDrzKT4qsEEXJeHuvokx7vDKo80wkSu2l/qtSupzeB/:insmtk2a+K1rOvoqa/Vr/uteB/

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 3 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0005000000018792-72.dat
behavioral1/files/0x0007000000018c1a-85.dat
behavioral1/files/0x0009000000018c1a-108.dat

Executes dropped EXE 3 IoCs

pid	Process
2368	._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
1740	Synaptics.exe
2720	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
1740	Synaptics.exe
1740	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2720	._cache_Synaptics.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2720	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2420	EXCEL.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2068 wrote to memory of 2368	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2068 wrote to memory of 2368	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2068 wrote to memory of 2368	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2068 wrote to memory of 2368	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	30
PID 2068 wrote to memory of 1740	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	32
PID 2068 wrote to memory of 1740	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	32
PID 2068 wrote to memory of 1740	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	32
PID 2068 wrote to memory of 1740	2068	c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe	32
PID 1740 wrote to memory of 2720	1740	Synaptics.exe	33
PID 1740 wrote to memory of 2720	1740	Synaptics.exe	33
PID 1740 wrote to memory of 2720	1740	Synaptics.exe	33
PID 1740 wrote to memory of 2720	1740	Synaptics.exe	33
PID 2720 wrote to memory of 2236	2720	._cache_Synaptics.exe	36
PID 2720 wrote to memory of 2236	2720	._cache_Synaptics.exe	36
PID 2720 wrote to memory of 2236	2720	._cache_Synaptics.exe	36
PID 2720 wrote to memory of 3024	2720	._cache_Synaptics.exe	38
PID 2720 wrote to memory of 3024	2720	._cache_Synaptics.exe	38
PID 2720 wrote to memory of 3024	2720	._cache_Synaptics.exe	38
PID 2720 wrote to memory of 2968	2720	._cache_Synaptics.exe	40
PID 2720 wrote to memory of 2968	2720	._cache_Synaptics.exe	40
PID 2720 wrote to memory of 2968	2720	._cache_Synaptics.exe	40
PID 2720 wrote to memory of 1292	2720	._cache_Synaptics.exe	42
PID 2720 wrote to memory of 1292	2720	._cache_Synaptics.exe	42
PID 2720 wrote to memory of 1292	2720	._cache_Synaptics.exe	42

C:\Users\Admin\AppData\Local\Temp\c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
"C:\Users\Admin\AppData\Local\Temp\c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe"
  2⤵
  - Executes dropped EXE
  PID:2368
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\Windows\system32\java.exe
      "C:\Windows\system32\java.exe" -version
      4⤵
      PID:2236
  - - C:\Program Files\Java\jdk1.7.0_80\bin\java.exe
      "C:\Program Files\Java\jdk1.7.0_80\bin\java.exe" -version
      4⤵
      PID:3024
  - - C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
      "C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe" -version
      4⤵
      PID:2968
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -version
      4⤵
      PID:1292

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
419261a8cdf19560d4a39ab434ee5270

SHA1
dabae0f912f2d85f74f4461fb4dd813e6fe1b3d5

SHA256
c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176da

SHA512
6ec51e4ea5d66b3fe39528f8074414e46f4212033308b57921a7b56570d45c8b60e18d19ac090c171239a423f5e65fa9ea035a26671286aea262616569437878

Download Submit
C:\Users\Admin\AppData\Local\Temp\eB4hEWRt.xlsm

Filesize
23KB

MD5
e857a3e20ffd55c67770d8679b1e9ac0

SHA1
eeffe5266077803543acac6e9b347800731b3f46

SHA256
85731807f17d6a4f8315f673420136a7739c1c8865dff6971b18dbd04a6de19b

SHA512
9d04f4c20a38658cb1daac9f842f42f2f8406df96ee532a79c5ca1d7e49fca7f271837d5d85fbfe7ecd3c10181f15ccce2c755c274ef8c115cca9f1b1237bb3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eB4hEWRt.xlsm

Filesize
26KB

MD5
ef064f1fb85d266809ac234209a4f4f5

SHA1
453376e8b0894e1855586d550b844e1e0a9e75dc

SHA256
d8176d4614dd37d37588c681fd6266071cf8d4dae94b1e9f2bd3a34f16dc325b

SHA512
8ab531f1b133a56f714f1d390f918ffe1ae0dd4182aa17f7108b5d8f61f8916f76e436580273e019abf17bce86f15d48b68964d010e872f5647a860bfa9017b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\eB4hEWRt.xlsm

Filesize
26KB

MD5
2a5f3256da118b1919e646656fab445f

SHA1
8295e16aad83ecca397d7469dca462c721d2b005

SHA256
a367aa7e5a8134d1c901f6f52cc8ad7aa70406bcc6470c8e5bdf22294c7762fb

SHA512
22d1d49a8813b9a6e3469b8ecae0fcd34eb99cd373595b23a07128d03499153305dd55751fa31917272810e3088dc1624f1c9ed3131895d1d9633a493286abe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\eB4hEWRt.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\eB4hEWRt.xlsm

Filesize
25KB

MD5
57c5da7b8307e8345830b50defd81e16

SHA1
a9a4f8fb86f88b2cb927a7fef81a8561f0cae17d

SHA256
128d13bd658b9c3948a884b689f42c58dcfb33970679601d5f5e0063fb7a3bfc

SHA512
20e0fc596976796f430cc176c837c8386b7e5b6d0c406e29419c11e93c042090383920663ca4e56dcc2bd8715770ee4a2231f562ad4f66a2ee56cd4b72bac55f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$eB4hEWRt.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c414b0f8befd8e0a57bb386fa68d5cea17d21b3c5f2cb1e44474cae46f1176daN.exe

Filesize
2.8MB

MD5
e9580249182c0d7e81ee1c30154731b4

SHA1
7a9ca8f420d59b3cd45c188ce0f87bcae91e8d20

SHA256
03342485feb128ab14e35d84d9f48d428c9d8774b145dcd8d520baacd4aef92b

SHA512
c29d7947b07bbc03b66709257e9509761abba992a30bb1a60e09c31eca764314b95dca11a28e0ffc1b93c62548c06660fa05821ab6a74137cbed8185581a19a2

Download Submit
memory/1292-148-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1740-169-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1740-171-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/1740-204-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/2068-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2068-25-0x0000000000400000-0x0000000000785000-memory.dmp

Filesize
3.5MB

Download
memory/2236-150-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2368-88-0x000000001BC70000-0x000000001BED0000-memory.dmp

Filesize
2.4MB

Download
memory/2368-28-0x0000000001070000-0x0000000001338000-memory.dmp

Filesize
2.8MB

Download
memory/2420-112-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2420-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2720-114-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/2720-113-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/2720-117-0x000000001AFB0000-0x000000001B058000-memory.dmp

Filesize
672KB

Download
memory/2720-170-0x0000000000A80000-0x0000000000A8A000-memory.dmp

Filesize
40KB

Download
memory/2720-36-0x0000000000C40000-0x0000000000F08000-memory.dmp

Filesize
2.8MB

Download
memory/2968-166-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/3024-167-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads