xred | a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836

General

Target

a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
Size

1.2MB
MD5

0361518d060074e934efe721e3afa63b
SHA1

a31315055d0701ab60db814948b24fcf2b4d7402
SHA256

a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836
SHA512

544011d8a3d3549e26cc42d491a720e5e282f07971d12320375c881d68372e75d4a99507a34174047ecee50474ad63d8afac7b351be59d5b179585b2b7ad9149
SSDEEP

12288:DMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9wpHlFVIW6jiznKMvSiA9p:DnsJ39LyjbJkQFMhmC+6GD9Hjag

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2052	._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
2088	Synaptics.exe
3008	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
2088	Synaptics.exe
2088	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3008	._cache_Synaptics.exe
3008	._cache_Synaptics.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2052	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	31
PID 2644 wrote to memory of 2052	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	31
PID 2644 wrote to memory of 2052	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	31
PID 2644 wrote to memory of 2052	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	31
PID 2644 wrote to memory of 2088	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	32
PID 2644 wrote to memory of 2088	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	32
PID 2644 wrote to memory of 2088	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	32
PID 2644 wrote to memory of 2088	2644	a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	32
PID 2052 wrote to memory of 2852	2052	._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	33
PID 2052 wrote to memory of 2852	2052	._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	33
PID 2052 wrote to memory of 2852	2052	._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe	33
PID 2088 wrote to memory of 3008	2088	Synaptics.exe	34
PID 2088 wrote to memory of 3008	2088	Synaptics.exe	34
PID 2088 wrote to memory of 3008	2088	Synaptics.exe	34
PID 2088 wrote to memory of 3008	2088	Synaptics.exe	34

C:\Users\Admin\AppData\Local\Temp\a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
"C:\Users\Admin\AppData\Local\Temp\a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2052 -s 636
    3⤵
    PID:2852
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3008

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
0361518d060074e934efe721e3afa63b

SHA1
a31315055d0701ab60db814948b24fcf2b4d7402

SHA256
a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836

SHA512
544011d8a3d3549e26cc42d491a720e5e282f07971d12320375c881d68372e75d4a99507a34174047ecee50474ad63d8afac7b351be59d5b179585b2b7ad9149

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lWfWOWh.xlsm

Filesize
23KB

MD5
77cf5090d17969a40695cd7b97d45e16

SHA1
099f50741db1d3828ed1368af93decfef13ec89c

SHA256
562c25895924d42ac631a869f303680100213e0e9d7c21dae9f957eeef5385eb

SHA512
365d9755ce42579acb35859319deba77de8da32716336cf9370201abe458c0d3e93e8b7f1f827d34d0cb39a2f6c53ca5a06861a2492b2d22c38e8ec385ad8051

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lWfWOWh.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lWfWOWh.xlsm

Filesize
26KB

MD5
8c029838ad7ecb5d06a6d02f4a14aabb

SHA1
49e4445dafec3c48f368db695ff8f473c468949c

SHA256
988b9a934c0c8bd34ed975e8a87227ec4c192abe73d1d1439d2f456718495b28

SHA512
880923e189d692e1885a1543262f945ddf808d5ead42d7440709ea4d4d0282e508d1e906e4800a6bcfbc57cd6663f8c7d68268db53f98362831d936f857d554a

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lWfWOWh.xlsm

Filesize
28KB

MD5
f077aa9b7eaa561933ed645b0ed9b2ea

SHA1
676a017bcac345b463be671716d51b16dfd4a0e4

SHA256
1f2028a4bc60288bbbbcd6c5b558fc99221ed6c8cd243877ff422fa5d8c4e094

SHA512
5a74b3b49776f2948692cc12a8a6e9a5de4fc4e88e99f5759c652cacc7c4197f7615e0a4f810840b16ea39c2e5e5144b2e556bfe97111afb1d2a86480526564f

Download Submit
C:\Users\Admin\AppData\Local\Temp\5lWfWOWh.xlsm

Filesize
26KB

MD5
475d095d119712617177e48973f54459

SHA1
4017a38442fea210182ad96e6a6f8009af0dcea0

SHA256
d0be7a16c0ebbab3a2b169160302cb64f096132d682e1e460d1b348e943bcc40

SHA512
467330a81ef475f7ae44faa467e00c69ae917a4d268a46e3cc12a258598426dd42043ce4d3741929eeb890363314a7b5c3924708fff34b57d2cdc982274c047b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$5lWfWOWh.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a4f8e9f9354a8c8fc3e4087650888331088564cc5d815a0df1a0445a6661e836.exe

Filesize
464KB

MD5
e38df80bf8404eea3733a08d6d6cb0b3

SHA1
ebe4d0062220e79b0f9dfe41ff84a2f842e93a37

SHA256
cabf7dd3cbb0f59818edbb2ab4273e37d7f5645ed7ab4cce74b488730fcb115c

SHA512
e878deeb0b2150c1f3e189d86ff22bbc2ce9156a1c2ca879bff86a9c3d550c72442d48ad3f8a60bf95dca3748c12dfa6cc624b9f1f62a92fe3acef2327b70413

Download Submit
memory/2052-17-0x00000000002C0000-0x000000000033A000-memory.dmp

Filesize
488KB

Download
memory/2088-114-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2088-115-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2088-137-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2088-148-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2616-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2644-26-0x0000000000400000-0x0000000000536000-memory.dmp

Filesize
1.2MB

Download
memory/2644-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/3008-36-0x0000000000DC0000-0x0000000000E3A000-memory.dmp

Filesize
488KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads