xred | 24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92

General

Target

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
Size

832KB
MD5

ca36e1d2e23a63107904f1590ae87cf0
SHA1

fe08e68d52e0c7ccbe8b687e1053f16f0fda45d7
SHA256

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92
SHA512

5802641ef67b1445960d70e47ae3aeb84c9f9344ff61988efd7aacf56add1ac59255c827a68128644e86bb3145c0bbd853d437b69d0a4f40465e64160040a4dc
SSDEEP

12288:0MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ylQG3QG:0nsJ39LyjbJkQFMhmC+6GD9Gf3x

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Executes dropped EXE 3 IoCs

Processes:

._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exeSynaptics.exe._cache_Synaptics.exe

pid process

2916 ._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
3020 Synaptics.exe
2500 ._cache_Synaptics.exe

pid	process
2916	._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
3020	Synaptics.exe
2500	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

Processes:

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exeSynaptics.exe

pid	process
2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
3020	Synaptics.exe
3020	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exeSynaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

2508 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

2508 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
2508	EXCEL.EXE

pid	process
2508	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exeSynaptics.exe

description	pid	process	target process
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	Synaptics.exe
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	Synaptics.exe
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	Synaptics.exe
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	Synaptics.exe
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	._cache_Synaptics.exe
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	._cache_Synaptics.exe
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	._cache_Synaptics.exe
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
"C:\Users\Admin\AppData\Local\Temp\24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2500

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
832KB

MD5
ca36e1d2e23a63107904f1590ae87cf0

SHA1
fe08e68d52e0c7ccbe8b687e1053f16f0fda45d7

SHA256
24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92

SHA512
5802641ef67b1445960d70e47ae3aeb84c9f9344ff61988efd7aacf56add1ac59255c827a68128644e86bb3145c0bbd853d437b69d0a4f40465e64160040a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
27KB

MD5
6c924ddef0d8f4094aa1dfa34a4e1622

SHA1
ad005cfca68e7722032ae6eb97f711bcd820c2ce

SHA256
2275d030c147df8f50fa2269dd436b7cdd03c2fe31e97a0f26ab8ad256e3f58e

SHA512
50c73df2868cb55153173e92b006cf17bbe6aa685daf274070b00596f2a15a5b06f5dd08b77f872a64e89a86db80ba1b100f2e10d471151af11190caf5ca39e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
28KB

MD5
096523f6e99358df37b7c170a14aa59c

SHA1
9bad9fd51204dc1a4a086c2d585be37c1593f87e

SHA256
19cd1de9e9e8bf2233165d4e70ea2e7f27b137839801f1c9364ed8766a264304

SHA512
cd4e82a1f13c67ca0905c9c32de46916509fe0660e6e285e749cb49adc37dbcaeb1930043813699a4105f34d3d06b5a00b0a9083c81344273d392ffd5566185d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
29KB

MD5
bb444b104a290f66f028c528438e0654

SHA1
67b0d94a2cd0207bbf487550b6bacb6e221a42cc

SHA256
966140ca90e609a06f0b526f49f0b7711492fd51bc3d77f1953ac06075d997a0

SHA512
391346fa53c12b57149c6f2ed9118012b96b61edb3d6bb1c71af772705c764ee81eb1b9155b9856e09ba6ca2ce8ad53672a3eb26c55ecef68b3b9a0972caf1be

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe

Filesize
78KB

MD5
262fd671d34e41e6cdf4b8ffae4c1011

SHA1
6f244ef47b797dc21443e6671abe8a8931636edb

SHA256
bef10a4fb86619de02eeaacac5b3e8698b5015640dccc885727580525c487855

SHA512
8ebb974a4a33a8ce3b49d221c59e31775beb8f1929fecb9a28bad4757227964cc8055b48b7680a8b5176219eb24e193eae05db24a522ed07e30b8873747805b3

Download Submit
memory/2508-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2508-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-5-0x0000000003AA0000-0x0000000003AB0000-memory.dmp

Filesize
64KB

Download
memory/2548-31-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2548-29-0x0000000003D00000-0x0000000003DD6000-memory.dmp

Filesize
856KB

Download
memory/2548-27-0x0000000003D00000-0x0000000003DD6000-memory.dmp

Filesize
856KB

Download
memory/2548-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2548-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-37-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3020-28-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-108-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-109-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-110-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-144-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads