xred | a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787

General

Target

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
Size

909KB
MD5

0e6ec9ec9f29d501775d5a17d25187ce
SHA1

ee7f42912c234290de0b68516bfc904e469779b7
SHA256

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787
SHA512

db7d22445171e8426ff89e0af694c2f111f82f1e101359c6d6edb81d8b7925931937dc623a5c96ea87f0c06f886f48aeb471e6c0b338394378a96e9e48bb5ed9
SSDEEP

12288:JMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VfZoj:JnsJ39LyjbJkQFMhmC+6GD9dZI

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2260	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2284	Synaptics.exe
2800	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2284	Synaptics.exe
2284	Synaptics.exe
2284	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1784	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1784	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	30
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	30
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	30
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	30
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	32
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	32
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	32
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	32
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	33
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	33
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	33
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
"C:\Users\Admin\AppData\Local\Temp\a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
909KB

MD5
0e6ec9ec9f29d501775d5a17d25187ce

SHA1
ee7f42912c234290de0b68516bfc904e469779b7

SHA256
a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787

SHA512
db7d22445171e8426ff89e0af694c2f111f82f1e101359c6d6edb81d8b7925931937dc623a5c96ea87f0c06f886f48aeb471e6c0b338394378a96e9e48bb5ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
23KB

MD5
2fbf0f918d28cac2c04076b99d79a331

SHA1
e6002031e2fa55cf291cbae6c07f6dade1d902b2

SHA256
ae5fdd781bb8418bcc52bf70950a5aea1c6517df98cbeadf201a9f07263441e0

SHA512
0f9aacb93ede2666f17a2deaed75f4366d7d8a1886c363739f8df9d34b9250bf88579e52db465128c74782cca3f61cf7f6d5fd9bee11789ce8b43e486dd24a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
27KB

MD5
52b05ffb8cd380a2393a82df2767fda2

SHA1
f74878977a5e47ce477ad2184dc758e6b854242d

SHA256
16d288d77336a4ce53088959ca0c05fb4e522a29d3e646dc0912ae1b4c1c8618

SHA512
1b0fa41fa97a3a766cdc07df03dce9d1c279a8cc3e4adbdcba6fdd628506e030da6bf3a4e21174d6c7f739ff4dae03cf00cf14ef007f1aacf09cd55ba901682f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
25KB

MD5
ac32e87f3c3e36ea914b72eb2137ebe7

SHA1
214927f209c3c3716beceee99d7581e56d57a7eb

SHA256
3349600f560b6fe851df45b74816948e0d5423530740b723c39f5add4751b387

SHA512
367ccf52ade3db8e1f87779e64dd608b85cc2d84d2098715fcc55df21c07aa3b2019c494161002f526958ef5a00ff8eec27cfe7b2921a024b7d533d5c4381e5d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe

Filesize
156KB

MD5
731452ed72c2147c5e1235168e5d63e6

SHA1
d32694976aad49c9421c271fa38066c03ba8c71f

SHA256
e87b413a981544b0d5ffd0fcbc505d7da49de4b382a1711ec93195330277f612

SHA512
9c91753e0c099f6a10da5eb0a89dfb680474956ee0f1f1d8a06a9b00d8fff7cf45bd0bff720ed6c982bd9b544a1b88774639a6aba1d1903ab0a261a8bd3945e9

Download Submit
memory/1784-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2132-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2132-28-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2284-108-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2284-109-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2284-143-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads