xred | a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f

General

Target

a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
Size

4.8MB
MD5

f7c623ad74078ffd82447806577acf96
SHA1

c8e03d7169e3031610b6fcccc4603201ad8eda07
SHA256

a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f
SHA512

a04bde8210ac4a0c7a8627c345439d10749c4964467ad3735554f7f881497fd208c6003001650f962de78bbf93af292d43ca33605a67181f6b361ca7408268aa
SSDEEP

98304:ansmtk2aQzI+VNHtad8rAiCQDE+KOzG5En1QIonPrW29hKXj:ULV1HtadtPQDEfEn1QIbMc

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\u29OqRXS.xlsm
C:\Users\Admin\AppData\Local\Temp\u29OqRXS.xlsm

Executes dropped EXE 3 IoCs

Processes:

._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exeSynaptics.exe._cache_Synaptics.exe

pid process

2756 ._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
2812 Synaptics.exe
3068 ._cache_Synaptics.exe

pid	process
2756	._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
2812	Synaptics.exe
3068	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

Processes:

a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exeSynaptics.exe

pid	process
2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
2812	Synaptics.exe
2812	Synaptics.exe
2812	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exeSynaptics.exeEXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

EXCEL.EXE

description ioc process

Key opened \REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor EXCEL.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1124 EXCEL.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

EXCEL.EXE

pid process

1124 EXCEL.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

pid	process
1124	EXCEL.EXE

pid	process
1124	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exeSynaptics.exe

description	pid	process	target process
PID 2640 wrote to memory of 2756	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
PID 2640 wrote to memory of 2756	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
PID 2640 wrote to memory of 2756	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
PID 2640 wrote to memory of 2756	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
PID 2640 wrote to memory of 2812	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	Synaptics.exe
PID 2640 wrote to memory of 2812	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	Synaptics.exe
PID 2640 wrote to memory of 2812	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	Synaptics.exe
PID 2640 wrote to memory of 2812	2640	a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe	Synaptics.exe
PID 2812 wrote to memory of 3068	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2812 wrote to memory of 3068	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2812 wrote to memory of 3068	2812	Synaptics.exe	._cache_Synaptics.exe
PID 2812 wrote to memory of 3068	2812	Synaptics.exe	._cache_Synaptics.exe

C:\Users\Admin\AppData\Local\Temp\a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
"C:\Users\Admin\AppData\Local\Temp\a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2640
- C:\Users\Admin\AppData\Local\Temp\._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe"
  2⤵
  - Executes dropped EXE
  PID:2756
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:3068

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.8MB

MD5
f7c623ad74078ffd82447806577acf96

SHA1
c8e03d7169e3031610b6fcccc4603201ad8eda07

SHA256
a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f

SHA512
a04bde8210ac4a0c7a8627c345439d10749c4964467ad3735554f7f881497fd208c6003001650f962de78bbf93af292d43ca33605a67181f6b361ca7408268aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\u29OqRXS.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\u29OqRXS.xlsm

Filesize
31KB

MD5
44f8832e8351d1836d20bc6b0af9b70b

SHA1
b47715870ba59340511ff937e748bfdf4d531814

SHA256
9ddc078cd17e3c4b4cce7d4e86a6e0382deaebcf52a5da694c8dbc234386c1d6

SHA512
e7029d2b3950e6954337d0b69921c7b94e8b8c3d094ef84897e1cf39d9e3db3399dea0af6059b9da7fd172980ce81904f411b85e6ecb16da91973d0c693d73f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\u29OqRXS.xlsm

Filesize
24KB

MD5
91a904049312b527ae3fe8cd92b83f90

SHA1
9e338551c8d32dcb0f1007586b889d8bb1f63ae3

SHA256
4cfcf5868db973ad8d7d22280349e4d58bdf79c0f6f93bbc6518275fba25ddef

SHA512
bd98289f2386e00292096c988e544b55d9c8ed53f599d119731bb35e9fbb57ee436f793c15a9650b13c4b85aaf24103986909ea1a0fcf3d9c2b799c3297c3e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\u29OqRXS.xlsm

Filesize
28KB

MD5
cfbaaa713b6fdb73c85b55e557d8c643

SHA1
558078d4a6e93f23901b86f122163191592f9bd9

SHA256
260486300cb77c72f273987c0c2d26a63798f7e5d2d7adc98f88814b84721a35

SHA512
9a46c168044b31d7f9511c9649a83232f2c28f772e20b2a804c75db0619bedebb7f94490db7c2e5d344642f357cf6635b65fc796e53c2486b5019a3063730ec8

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a06e6256221e14f584d88a7593c62e1c0bb3ae9df83e93326ea242a303e6532f.exe

Filesize
4.0MB

MD5
07244a2c002ffdf1986b454429eace0b

SHA1
d7cd121caac2f5989aa68a052f638f82d4566328

SHA256
e9522e6912a0124c0a8c9ff9bb3712b474971376a4eb4ca614bb1664a2b4abcf

SHA512
4a09db85202723a73703c5926921fef60c3dddae21528a01936987306c5e7937463f94a2f4a922811de1f76621def2a8a597a8b38a719dd24e6ff3d4e07492ca

Download Submit
memory/1124-42-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1124-105-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2640-28-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2640-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2812-41-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2812-106-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2812-107-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2812-134-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download
memory/2812-142-0x0000000000400000-0x00000000008CB000-memory.dmp

Filesize
4.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads