xred | 460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52

General

Target

460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
Size

821KB
MD5

77cce601dcb17562a0793683a73f99e8
SHA1

4e640f5a5be72a37ddefbfbb56dbe1515b18f805
SHA256

460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52
SHA512

6d8c557ed1a87bc5a867a0366aa9b87132fe7a5c43a8a4320ae14b2dc9a3df8d3bab82cfbebcacd47b8c7ba06c5ca5943f4fd7ca9a3240cb6076b276d3cdb104
SSDEEP

12288:VMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9O9wroT:VnsJ39LyjbJkQFMhmC+6GD9Hu

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2556	._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2908	Synaptics.exe
2792	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
2908	Synaptics.exe
2908	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2360	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2360	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2556	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2076 wrote to memory of 2556	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2076 wrote to memory of 2556	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2076 wrote to memory of 2556	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	30
PID 2076 wrote to memory of 2908	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2076 wrote to memory of 2908	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2076 wrote to memory of 2908	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2076 wrote to memory of 2908	2076	460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe	32
PID 2908 wrote to memory of 2792	2908	Synaptics.exe	33
PID 2908 wrote to memory of 2792	2908	Synaptics.exe	33
PID 2908 wrote to memory of 2792	2908	Synaptics.exe	33
PID 2908 wrote to memory of 2792	2908	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
"C:\Users\Admin\AppData\Local\Temp\460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe"
  2⤵
  - Executes dropped EXE
  PID:2556
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2908
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2792

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
821KB

MD5
77cce601dcb17562a0793683a73f99e8

SHA1
4e640f5a5be72a37ddefbfbb56dbe1515b18f805

SHA256
460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52

SHA512
6d8c557ed1a87bc5a867a0366aa9b87132fe7a5c43a8a4320ae14b2dc9a3df8d3bab82cfbebcacd47b8c7ba06c5ca5943f4fd7ca9a3240cb6076b276d3cdb104

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDRy2f7E.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDRy2f7E.xlsm

Filesize
31KB

MD5
efe4d4590a2283cc4b632a1e3ff2a460

SHA1
158739aab237ac9e6f3c2c07b7f2ed2ccbdaf2e8

SHA256
2da4e7c2c61491b93fcbf04b1bb6d38a0595a9bdbf8224e61ef1d50887edf2e6

SHA512
7bd9523a5779636f46aa19dde2a728dc07bc1551f2176548a5db7e203399ed67e3dadc0eae77f6b3fb49ba424e621be19bcc2de17258d9dc8c2c21e8e9efe081

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDRy2f7E.xlsm

Filesize
24KB

MD5
9a594a85de59ff7372a28ae51dd07207

SHA1
c73e1478aee57196c2be5ac698eedf0bc44cd819

SHA256
aa27b708a291b6f2547c1ff5651dc258ae994a342fa14c81e7d9b6e2d74b96f1

SHA512
83a8530e244e1ac177c877f64a2cd0746156828e78f3225f92d86feb4fe46a65a199d8aac1e5a1ffc191cfad5e1970adff41566e7cb3908fb225c5fbcc4f412d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDRy2f7E.xlsm

Filesize
26KB

MD5
f0b74d7cbf23d0635e5eb9a5a397bae4

SHA1
9e643052590aafdb5c6021faf22492a813d4cf65

SHA256
fa3cd4f571f4b760b8ae57104dcbd9a8391647a7fd9be12790b2abc93b5f6bb0

SHA512
184afd7a38cceb52567a482e3efdf2b49a48b0a9d9f4f01e462dc57e2a2759eb9aa5feb07446ea9e136db36a5f316e2540d4e2feb288d6877df7afcc6282c86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDRy2f7E.xlsm

Filesize
26KB

MD5
ac4c0468a0d7ebd805d8d653047182ed

SHA1
9fcacac51de7bab35b5fd457649a382e470891f8

SHA256
2d8495ddf54400b35d1cae9d91d2b8c58cee50e06325c792e5cddb38b22e1301

SHA512
9d61c9a301a3523a5701d701c622fb08eea3856822b068c53f007409ccd453ceb0b33d897fe4f2783dc7ebd0f4c0cca7efbca6b8451c93f32cd7aa9db665b117

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$TDRy2f7E.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_460cbafa67c21c251c83679cfb251dd505ee91faa1cbd7d88c1f812cb472bd52.exe

Filesize
67KB

MD5
75cba417114e4da36613a30fc692fb23

SHA1
b06fa3146b4feb1f6465b7c6489f4fc63e79a20c

SHA256
405f451da226def25b8a6372c354a5642db81d4d9829aabaac00156d3d0dffbf

SHA512
8ed3e6e47ec7406b07f2acd7662f91b22dbd1d043174acad51937e77c10b06aa04c0e4e754e69c12435c45a0c1577df14083ba5a63e50ff16e0f634713c257d1

Download Submit
memory/2076-25-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2076-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2360-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2360-113-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2556-28-0x0000000000E30000-0x0000000000E44000-memory.dmp

Filesize
80KB

Download
memory/2792-36-0x00000000010A0000-0x00000000010B4000-memory.dmp

Filesize
80KB

Download
memory/2908-114-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2908-115-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2908-116-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download
memory/2908-147-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads