xred | 460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52

General

Target

460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
Size

821KB
MD5

77cce601dcb17562a0793683a73f99e8
SHA1

4e640f5a5be72a37ddefbfbb56dbe1515b18f805
SHA256

460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52
SHA512

6d8c557ed1a87bc5a867a0366aa9b87132fe7a5c43a8a4320ae14b2dc9a3df8d3bab82cfbebcacd47b8c7ba06c5ca5943f4fd7ca9a3240cb6076b276d3cdb104
SSDEEP

12288:VMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9O9wroT:VnsJ39LyjbJkQFMhmC+6GD9Hu

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00070000000193b5-72.dat

Executes dropped EXE 3 IoCs

pid	Process
2732	._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2700	Synaptics.exe
2784	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2700	Synaptics.exe
2700	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1996	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1996	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2732	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2188 wrote to memory of 2732	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2188 wrote to memory of 2732	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2188 wrote to memory of 2732	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2188 wrote to memory of 2700	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2188 wrote to memory of 2700	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2188 wrote to memory of 2700	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2188 wrote to memory of 2700	2188	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2700 wrote to memory of 2784	2700	Synaptics.exe	33
PID 2700 wrote to memory of 2784	2700	Synaptics.exe	33
PID 2700 wrote to memory of 2784	2700	Synaptics.exe	33
PID 2700 wrote to memory of 2784	2700	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
"C:\Users\Admin\AppData\Local\Temp\460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe"
  2⤵
  - Executes dropped EXE
  PID:2732
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2784

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1996

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
821KB

MD5
77cce601dcb17562a0793683a73f99e8

SHA1
4e640f5a5be72a37ddefbfbb56dbe1515b18f805

SHA256
460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52

SHA512
6d8c557ed1a87bc5a867a0366aa9b87132fe7a5c43a8a4320ae14b2dc9a3df8d3bab82cfbebcacd47b8c7ba06c5ca5943f4fd7ca9a3240cb6076b276d3cdb104

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe

Filesize
67KB

MD5
75cba417114e4da36613a30fc692fb23

SHA1
b06fa3146b4feb1f6465b7c6489f4fc63e79a20c

SHA256
405f451da226def25b8a6372c354a5642db81d4d9829aabaac00156d3d0dffbf

SHA512
8ed3e6e47ec7406b07f2acd7662f91b22dbd1d043174acad51937e77c10b06aa04c0e4e754e69c12435c45a0c1577df14083ba5a63e50ff16e0f634713c257d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeCw128d.xlsm

Filesize
29KB

MD5
0f9dabc6d97d271fee5333005f413674

SHA1
8b1759a62c01c213e09f51e4b9d189f8fd9c4b36

SHA256
2b62d419635018dc513465775bfc1891c0d32d794d0a637d15ae1f8f57b9e3b6

SHA512
d7a5faf0b1902ee1ca9e01215cb9a06d4238e17834116c2168f1981715a8a5e6762b9d4914e0e66d4339c82c11b7278d26cece461ef394c9e03d2b44c679b62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeCw128d.xlsm

Filesize
24KB

MD5
6d5d6570f8c3b8a054603f9bbb24e055

SHA1
bc481a405b6837c0e6a8de4a00c653fe01d7e0f2

SHA256
56b69403636b88d3a3cae9a72c26121648ab307deccfd726782d2d0e50b03b1d

SHA512
51eada99d71bee23aba1b51e061a37f939882c5d7b1b1f086cd754ccf76d942b52b2fa0bc45af91b0f6b3e96eed77ede4d8924cc87814ec742b96b47c86bd4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeCw128d.xlsm

Filesize
30KB

MD5
4cfbc390b5b0b920f8dcfb60585c153c

SHA1
81f590fe6ad99326108730ebe63a0be1d395f214

SHA256
f6e1f4be6b666f4814f2c7e2ad87681fe61f001c8574948d0273a4d2d68494f2

SHA512
06c449553b248577e3f8792ef823cb71fbb76032f2f58726b746a0099117975a73739c2572dc0b2238562fe60e573f1a13068ff38f0b3c8ceba43c691c244cf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FeCw128d.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/1996-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1996-102-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2188-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2188-25-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2700-103-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2700-138-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2732-28-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/2784-36-0x0000000001280000-0x0000000001294000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads