xred | 615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746

General

Target

615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
Size

1.3MB
MD5

c4a9ab5a790b832b96b707d256e9dad7
SHA1

72bfcbb367044788f44cddc9f3fd74e092a1a1f3
SHA256

615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746
SHA512

8e0e56ffc6e92400e85bb4fe86231c2a2469a49499c0e1f641a8a8396b6f0944514815ca87bb5dc53bdc3f32587f7379641e30befb7c3ca730b6935b990564bc
SSDEEP

24576:VnsJ39LyjbJkQFMhmC+6GD9Mq93X8lL39+c8dZV8eGvBPaqcnHSEkP:VnsHyjtk2MYC5GDaLtt8eRpPalkP

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2756	._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2964	Synaptics.exe
2676	._cache_Synaptics.exe

Loads dropped DLL 11 IoCs

pid	Process
2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2756	._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2756	._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2756	._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
2964	Synaptics.exe
2964	Synaptics.exe
2676	._cache_Synaptics.exe
2676	._cache_Synaptics.exe
2676	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2876	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2676	._cache_Synaptics.exe
2756	._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2876	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2756	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	31
PID 2844 wrote to memory of 2964	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	32
PID 2844 wrote to memory of 2964	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	32
PID 2844 wrote to memory of 2964	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	32
PID 2844 wrote to memory of 2964	2844	615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe	32
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33
PID 2964 wrote to memory of 2676	2964	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
"C:\Users\Admin\AppData\Local\Temp\615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Users\Admin\AppData\Local\Temp\._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:2756
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2676

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
c4a9ab5a790b832b96b707d256e9dad7

SHA1
72bfcbb367044788f44cddc9f3fd74e092a1a1f3

SHA256
615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746

SHA512
8e0e56ffc6e92400e85bb4fe86231c2a2469a49499c0e1f641a8a8396b6f0944514815ca87bb5dc53bdc3f32587f7379641e30befb7c3ca730b6935b990564bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\eYpod1rA.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_615ee4b033133f32ffd2f7b60fbe5e220359ee0752ada1318ace6656a77c8746.exe

Filesize
616KB

MD5
c4fbf506845fa34deccda9ae929bd7c8

SHA1
d97c656f9edd0e15dbd52bca96d4b80aeaee6cb7

SHA256
8748f4ceb7863297f6479e41a3a4e566f0ee1b47de02b323aafc74e04d131af7

SHA512
9a72f60bd37cdb14676f4c38b31f6466e1eec0e1ee2348aaeb6570bb1d9d24a4773c0a5c54c41186d2f829d146e29177287c6fa7b4cf90c73b1226da12028d7d

Download Submit
memory/2676-106-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-63-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-121-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-67-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-118-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-115-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-112-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-109-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-52-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-103-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-55-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-72-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-45-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2676-60-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-53-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-107-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-119-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-58-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-64-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-116-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-101-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-70-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-43-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-104-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-113-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-61-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-50-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2756-110-0x0000000000400000-0x00000000004A4000-memory.dmp

Filesize
656KB

Download
memory/2844-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2844-29-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2876-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2964-51-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2964-102-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2964-54-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download
memory/2964-44-0x0000000000400000-0x000000000055D000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads