xred | 3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e

General

Target

3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
Size

4.6MB
MD5

d8734a9286d0a51bc1f0a37ddfc35344
SHA1

75a5954e9762a09d6dfd638907a416b8f2bfb656
SHA256

3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e
SHA512

51c7d06a0cabc7ddbb22400b510c9abb7695de43da20c83bac4efb06f3b4466dce9cd23c87e17649c478e8386116fe1dc0a9af575fe2694104e8f129231919dc
SSDEEP

49152:knsHyjtk2MYC5GDd1GtQfUZ53MQD7typ+VeQWwbM7FDC/5xKyzKC8aJBVE2+ofHZ:knsmtk2aStCtD7tNPKyuC53+2+ofh/wi

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
288	._cache_3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
2948	Synaptics.exe
2376	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
2948	Synaptics.exe
2948	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2616	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 288	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	28
PID 2828 wrote to memory of 288	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	28
PID 2828 wrote to memory of 288	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	28
PID 2828 wrote to memory of 288	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	28
PID 2828 wrote to memory of 2948	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	29
PID 2828 wrote to memory of 2948	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	29
PID 2828 wrote to memory of 2948	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	29
PID 2828 wrote to memory of 2948	2828	3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe	29
PID 2948 wrote to memory of 2376	2948	Synaptics.exe	30
PID 2948 wrote to memory of 2376	2948	Synaptics.exe	30
PID 2948 wrote to memory of 2376	2948	Synaptics.exe	30
PID 2948 wrote to memory of 2376	2948	Synaptics.exe	30

C:\Users\Admin\AppData\Local\Temp\3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
"C:\Users\Admin\AppData\Local\Temp\3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Users\Admin\AppData\Local\Temp\._cache_3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:288
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2948
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2376

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
d8734a9286d0a51bc1f0a37ddfc35344

SHA1
75a5954e9762a09d6dfd638907a416b8f2bfb656

SHA256
3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e

SHA512
51c7d06a0cabc7ddbb22400b510c9abb7695de43da20c83bac4efb06f3b4466dce9cd23c87e17649c478e8386116fe1dc0a9af575fe2694104e8f129231919dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHPME6ZF.xlsm

Filesize
24KB

MD5
4afe93c2d65f481e64c67db9b1f2ed0e

SHA1
ee548251b7c2c522f99ef18652ae517e76b40038

SHA256
1216d62456b41954afd850167a1136cd0818b174b5a3a64194eb2b089296b304

SHA512
c7f370f28cc643a44606b86925ae268688c3a98b3078be2896673bd7c18437b73c4f2e062a4fdbb5c096a388796da66b74d30f950a752598a9488625c9b94a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHPME6ZF.xlsm

Filesize
29KB

MD5
c150a362cd811551fc5ba2f178bcd474

SHA1
abe69ce060c62db89b0bf47f7ee6bc3410b57f1f

SHA256
ec2937017a690a480764c23ff57fd1d7b0be644d55edfe2d7260c13346636521

SHA512
bb2322978f9568461fcf914cce307a9777bec27716023547c926793b9b94ee425ee30ab34245b36c89410d00d4ad2f495d6bd8021b7297ed61c7315ec8778fa0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHPME6ZF.xlsm

Filesize
28KB

MD5
9cd28646d72bcbd5d9f2265b337246c9

SHA1
a4d2f7e7a5dbcafea6f405d8094a33822132d77d

SHA256
087b6bf7a58f7524c011815898ebc798bcb356b9fe53fa0415c47bd2ddfda272

SHA512
ddf6b632243f40eab7657441cb3d35f95659db8df351a3df4ffdb63e2029912718b256ab47d9ffcab00bcc92abdb287dbb884a00cf603750a2263c846740c2e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\HHPME6ZF.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_3386bdb8aa5d8fe70de357c179018803da064ac6478ba810b915f29aa229462e.exe

Filesize
3.9MB

MD5
8ccc41b8aff48c2d933603cc6209260a

SHA1
d84f1fef3a8b029cd14d2015ec88f804186d94f8

SHA256
83c2d22f495011f4a4524791c38382b8011803e2e50c274e6d02a510cd6b6baf

SHA512
856c08cb392a09c48306c83ad917f312f1b9ede90aa60253752c4d35d5525301d0c958d6bcb535d4ffcc9faab5638140103a1b7f81f2539b3acc6c9b7bbcafab

Download Submit
memory/2616-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2616-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2828-25-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2828-0-0x00000000003B0000-0x00000000003B1000-memory.dmp

Filesize
4KB

Download
memory/2948-103-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2948-104-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2948-134-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download
memory/2948-137-0x0000000000400000-0x00000000008A4000-memory.dmp

Filesize
4.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads