xred | a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787

General

Target

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
Size

909KB
MD5

0e6ec9ec9f29d501775d5a17d25187ce
SHA1

ee7f42912c234290de0b68516bfc904e469779b7
SHA256

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787
SHA512

db7d22445171e8426ff89e0af694c2f111f82f1e101359c6d6edb81d8b7925931937dc623a5c96ea87f0c06f886f48aeb471e6c0b338394378a96e9e48bb5ed9
SSDEEP

12288:JMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9VfZoj:JnsJ39LyjbJkQFMhmC+6GD9dZI

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred
Executes dropped EXE 3 IoCs

Processes:

._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exeSynaptics.exe._cache_Synaptics.exe

pid process

2260 ._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2284 Synaptics.exe
2800 ._cache_Synaptics.exe

pid	process
2260	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2284	Synaptics.exe
2800	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

Processes:

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exeSynaptics.exe

pid	process
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
2284	Synaptics.exe
2284	Synaptics.exe
2284	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exeSynaptics.exe._cache_Synaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1784 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1784 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1784	EXCEL.EXE

pid	process
1784	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exeSynaptics.exe

description	pid	process	target process
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
PID 2132 wrote to memory of 2260	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	Synaptics.exe
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	Synaptics.exe
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	Synaptics.exe
PID 2132 wrote to memory of 2284	2132	a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe	Synaptics.exe
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	._cache_Synaptics.exe
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	._cache_Synaptics.exe
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	._cache_Synaptics.exe
PID 2284 wrote to memory of 2800	2284	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
"C:\Users\Admin\AppData\Local\Temp\a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2260
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2800

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
909KB

MD5
0e6ec9ec9f29d501775d5a17d25187ce

SHA1
ee7f42912c234290de0b68516bfc904e469779b7

SHA256
a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787

SHA512
db7d22445171e8426ff89e0af694c2f111f82f1e101359c6d6edb81d8b7925931937dc623a5c96ea87f0c06f886f48aeb471e6c0b338394378a96e9e48bb5ed9

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
23KB

MD5
2fbf0f918d28cac2c04076b99d79a331

SHA1
e6002031e2fa55cf291cbae6c07f6dade1d902b2

SHA256
ae5fdd781bb8418bcc52bf70950a5aea1c6517df98cbeadf201a9f07263441e0

SHA512
0f9aacb93ede2666f17a2deaed75f4366d7d8a1886c363739f8df9d34b9250bf88579e52db465128c74782cca3f61cf7f6d5fd9bee11789ce8b43e486dd24a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
27KB

MD5
52b05ffb8cd380a2393a82df2767fda2

SHA1
f74878977a5e47ce477ad2184dc758e6b854242d

SHA256
16d288d77336a4ce53088959ca0c05fb4e522a29d3e646dc0912ae1b4c1c8618

SHA512
1b0fa41fa97a3a766cdc07df03dce9d1c279a8cc3e4adbdcba6fdd628506e030da6bf3a4e21174d6c7f739ff4dae03cf00cf14ef007f1aacf09cd55ba901682f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHrB1D4V.xlsm

Filesize
25KB

MD5
ac32e87f3c3e36ea914b72eb2137ebe7

SHA1
214927f209c3c3716beceee99d7581e56d57a7eb

SHA256
3349600f560b6fe851df45b74816948e0d5423530740b723c39f5add4751b387

SHA512
367ccf52ade3db8e1f87779e64dd608b85cc2d84d2098715fcc55df21c07aa3b2019c494161002f526958ef5a00ff8eec27cfe7b2921a024b7d533d5c4381e5d

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a217f02dd014c88863d619f1d2169ae2f5f38b2ec4c1d7c00f2378d94e5dc787.exe

Filesize
156KB

MD5
731452ed72c2147c5e1235168e5d63e6

SHA1
d32694976aad49c9421c271fa38066c03ba8c71f

SHA256
e87b413a981544b0d5ffd0fcbc505d7da49de4b382a1711ec93195330277f612

SHA512
9c91753e0c099f6a10da5eb0a89dfb680474956ee0f1f1d8a06a9b00d8fff7cf45bd0bff720ed6c982bd9b544a1b88774639a6aba1d1903ab0a261a8bd3945e9

Download Submit
memory/1784-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2132-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2132-28-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2284-108-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2284-109-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2284-143-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads