xred | 24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92

General

Target

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
Size

832KB
MD5

ca36e1d2e23a63107904f1590ae87cf0
SHA1

fe08e68d52e0c7ccbe8b687e1053f16f0fda45d7
SHA256

24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92
SHA512

5802641ef67b1445960d70e47ae3aeb84c9f9344ff61988efd7aacf56add1ac59255c827a68128644e86bb3145c0bbd853d437b69d0a4f40465e64160040a4dc
SSDEEP

12288:0MSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ylQG3QG:0nsJ39LyjbJkQFMhmC+6GD9Gf3x

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2916	._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
3020	Synaptics.exe
2500	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
3020	Synaptics.exe
3020	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2508	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2508	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	30
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	30
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	30
PID 2548 wrote to memory of 2916	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	30
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	32
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	32
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	32
PID 2548 wrote to memory of 3020	2548	24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe	32
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	33
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	33
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	33
PID 3020 wrote to memory of 2500	3020	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
"C:\Users\Admin\AppData\Local\Temp\24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Users\Admin\AppData\Local\Temp\._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe"
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2500

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
832KB

MD5
ca36e1d2e23a63107904f1590ae87cf0

SHA1
fe08e68d52e0c7ccbe8b687e1053f16f0fda45d7

SHA256
24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92

SHA512
5802641ef67b1445960d70e47ae3aeb84c9f9344ff61988efd7aacf56add1ac59255c827a68128644e86bb3145c0bbd853d437b69d0a4f40465e64160040a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
27KB

MD5
6c924ddef0d8f4094aa1dfa34a4e1622

SHA1
ad005cfca68e7722032ae6eb97f711bcd820c2ce

SHA256
2275d030c147df8f50fa2269dd436b7cdd03c2fe31e97a0f26ab8ad256e3f58e

SHA512
50c73df2868cb55153173e92b006cf17bbe6aa685daf274070b00596f2a15a5b06f5dd08b77f872a64e89a86db80ba1b100f2e10d471151af11190caf5ca39e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
28KB

MD5
096523f6e99358df37b7c170a14aa59c

SHA1
9bad9fd51204dc1a4a086c2d585be37c1593f87e

SHA256
19cd1de9e9e8bf2233165d4e70ea2e7f27b137839801f1c9364ed8766a264304

SHA512
cd4e82a1f13c67ca0905c9c32de46916509fe0660e6e285e749cb49adc37dbcaeb1930043813699a4105f34d3d06b5a00b0a9083c81344273d392ffd5566185d

Download Submit
C:\Users\Admin\AppData\Local\Temp\DkKfD6ST.xlsm

Filesize
29KB

MD5
bb444b104a290f66f028c528438e0654

SHA1
67b0d94a2cd0207bbf487550b6bacb6e221a42cc

SHA256
966140ca90e609a06f0b526f49f0b7711492fd51bc3d77f1953ac06075d997a0

SHA512
391346fa53c12b57149c6f2ed9118012b96b61edb3d6bb1c71af772705c764ee81eb1b9155b9856e09ba6ca2ce8ad53672a3eb26c55ecef68b3b9a0972caf1be

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_24c16ef46a0314d0877317d87f55e226e88c66a2842d09052175795ddb09ad92N.exe

Filesize
78KB

MD5
262fd671d34e41e6cdf4b8ffae4c1011

SHA1
6f244ef47b797dc21443e6671abe8a8931636edb

SHA256
bef10a4fb86619de02eeaacac5b3e8698b5015640dccc885727580525c487855

SHA512
8ebb974a4a33a8ce3b49d221c59e31775beb8f1929fecb9a28bad4757227964cc8055b48b7680a8b5176219eb24e193eae05db24a522ed07e30b8873747805b3

Download Submit
memory/2508-107-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2508-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2548-5-0x0000000003AA0000-0x0000000003AB0000-memory.dmp

Filesize
64KB

Download
memory/2548-31-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/2548-29-0x0000000003D00000-0x0000000003DD6000-memory.dmp

Filesize
856KB

Download
memory/2548-27-0x0000000003D00000-0x0000000003DD6000-memory.dmp

Filesize
856KB

Download
memory/2548-1-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2548-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-37-0x0000000004F40000-0x0000000004F50000-memory.dmp

Filesize
64KB

Download
memory/3020-28-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-108-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-109-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-110-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/3020-144-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads