xred | 7f16106f3354a65fc749737905b77df7bbefa28bf8bbc966dc1f8c53fa4660f2

General

Target

ratt.exe
Size

753KB
MD5

b753207b14c635f29b2abf64f603570a
SHA1

8a40e828224f22361b09494a556a20db82fc97b9
SHA256

7f16106f3354a65fc749737905b77df7bbefa28bf8bbc966dc1f8c53fa4660f2
SHA512

0dd32803b95d53badd33c0c84df1002451090ff5f74736680e3a53a0bfc0e723eee7d795626bc10a1fb431de7e6e276c5a66349ef385a8b92b48425b0bdd036f
SSDEEP

12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9IFr:ansJ39LyjbJkQFMhmC+6GD92

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

ratt.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation ratt.exe
Executes dropped EXE 1 IoCs

Processes:

Synaptics.exe

pid process

1708 Synaptics.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4074627901-37362009-3519777259-1000\Control Panel\International\Geo\Nation	ratt.exe

pid	process
1708	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ratt.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	ratt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

Synaptics.exeratt.exeratt.exeratt.exeratt.exeratt.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ratt.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 1 IoCs

Processes:

ratt.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ ratt.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

644 EXCEL.EXE
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE
644 EXCEL.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	ratt.exe

pid	process
644	EXCEL.EXE

pid	process
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE
644	EXCEL.EXE

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

ratt.exe

description	pid	process	target process
PID 2764 wrote to memory of 1708	2764	ratt.exe	Synaptics.exe
PID 2764 wrote to memory of 1708	2764	ratt.exe	Synaptics.exe
PID 2764 wrote to memory of 1708	2764	ratt.exe	Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\ratt.exe
"C:\Users\Admin\AppData\Local\Temp\ratt.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2764
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1708

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:644

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:472

C:\Users\Admin\Desktop\ratt.exe
"C:\Users\Admin\Desktop\ratt.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:3252

C:\Users\Admin\Desktop\ratt.exe
"C:\Users\Admin\Desktop\ratt.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:4080

C:\Users\Admin\Desktop\ratt.exe
"C:\Users\Admin\Desktop\ratt.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1876

C:\Users\Admin\Desktop\ratt.exe
"C:\Users\Admin\Desktop\ratt.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
b753207b14c635f29b2abf64f603570a

SHA1
8a40e828224f22361b09494a556a20db82fc97b9

SHA256
7f16106f3354a65fc749737905b77df7bbefa28bf8bbc966dc1f8c53fa4660f2

SHA512
0dd32803b95d53badd33c0c84df1002451090ff5f74736680e3a53a0bfc0e723eee7d795626bc10a1fb431de7e6e276c5a66349ef385a8b92b48425b0bdd036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\90E75E00

Filesize
23KB

MD5
f1c52448f71609746d9385eda9e00a5a

SHA1
20accb488c29da104e29ccf8154e74699d0ba303

SHA256
5e3a278827b682b31254f0bdc17de5ca93cd4931a19c9c8071274610702f3a55

SHA512
39ffc9228707b7a7dac2feac1de9e4db1d0dfa925cc6246dc57ef6f5939b32519449fd6c9738c6d1e4037105a54fe553b008f7fc0082dd11ee2d715d0014fe9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\aria-debug-3592.log

Filesize
470B

MD5
e3f7ffbef1c036899982e2dffcdc1083

SHA1
d7c33e4576e063cddb2a5b6adf28c34f708d0fd3

SHA256
ea14c32928f6db451f3287b9c9938669e31de94c9127c751bb5c7879c827ade5

SHA512
4aa22d4b9c85cc8a5e887ca33f15f2496cec86e287c90b2cd0279e904aa5ae4c5c9a3fd4b29d9ea7c4cab04bd3f664990af7c23cfc542db822a6ed7df567dd83

Download Submit
C:\Users\Admin\AppData\Local\Temp\chrome_installer.log

Filesize
6KB

MD5
694ccbefad900cfcb2892276424ac0ad

SHA1
0f2878177a754b12928c9098edeb10e438fc0f6e

SHA256
ac2c34d5f69b42de470209235da5f249ccf99b15a45ca805cc41e9d170bf529c

SHA512
b45c0bbe6ca5ca445302757660aa3bf8e217a2716ba8d4a0241eae74794e080d30f86e263c68d90f2cf382640da52fc78b9d11c3bca0617ca5ab0e7351a7d7f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
249cf062a84cfb6b1f71d6c3a511efe6

SHA1
5f41ae3203b65831c354782bc3ac5f66e535c17a

SHA256
27b628c0b215488ff161f83819171af36258f2a7643d4bb897c173f00cdf19d8

SHA512
a9de21719bc3315fb5492fb76a3592f51d189cb48dfd05ada5fd6731338c07d41fb99afece2b5a109890e646659d7c69eb0df27102f3817c502636ea35b42734

Download Submit
C:\Users\Admin\AppData\Local\Temp\mozilla-temp-files

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sX2KPgpe.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/644-24-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-22-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-10-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-11-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-12-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-13-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-14-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-15-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-16-0x00007FFF64C60000-0x00007FFF64C70000-memory.dmp

Filesize
64KB

Download
memory/644-9-0x00007FFF66D70000-0x00007FFF66D80000-memory.dmp

Filesize
64KB

Download
memory/644-17-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-18-0x00007FFF64C60000-0x00007FFF64C70000-memory.dmp

Filesize
64KB

Download
memory/644-21-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-26-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-25-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-4-0x00007FFF66D70000-0x00007FFF66D80000-memory.dmp

Filesize
64KB

Download
memory/644-23-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-28-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-27-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-5-0x00007FFFA6D8D000-0x00007FFFA6D8E000-memory.dmp

Filesize
4KB

Download
memory/644-20-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-19-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/644-8-0x00007FFF66D70000-0x00007FFF66D80000-memory.dmp

Filesize
64KB

Download
memory/644-6-0x00007FFF66D70000-0x00007FFF66D80000-memory.dmp

Filesize
64KB

Download
memory/644-7-0x00007FFF66D70000-0x00007FFF66D80000-memory.dmp

Filesize
64KB

Download
memory/644-70-0x00007FFFA6D8D000-0x00007FFFA6D8E000-memory.dmp

Filesize
4KB

Download
memory/644-71-0x00007FFFA6CF0000-0x00007FFFA6EE8000-memory.dmp

Filesize
2.0MB

Download
memory/1708-72-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1708-76-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/1708-69-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1708-3-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1876-143-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2644-146-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2764-0-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/2764-2-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/3252-140-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/4080-142-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads