xred | b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408

General

Target

Synaptics.exe
Size

753KB
MD5

45011233f584317d3450a81d260c2a15
SHA1

ae512c745c512cb52112e6369741a14584a1fd95
SHA256

b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408
SHA512

39e6b275060bebdccd1c1bfef8f1d62a90839a260bb45355a999a38de28d4a6133a7f02585b07f866afa92d6c6a03b4c66f101e11050f7d3b05f9f2cd40af75e
SSDEEP

12288:aMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9Izr:ansJ39LyjbJkQFMhmC+6GD9I

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 1 IoCs

pid	Process
2880	Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	Synaptics.exe
2128	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2832	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2832	EXCEL.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2880	2128	Synaptics.exe	30
PID 2128 wrote to memory of 2880	2128	Synaptics.exe	30
PID 2128 wrote to memory of 2880	2128	Synaptics.exe	30
PID 2128 wrote to memory of 2880	2128	Synaptics.exe	30

C:\Users\Admin\AppData\Local\Temp\Synaptics.exe
"C:\Users\Admin\AppData\Local\Temp\Synaptics.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2128
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2880

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
753KB

MD5
45011233f584317d3450a81d260c2a15

SHA1
ae512c745c512cb52112e6369741a14584a1fd95

SHA256
b0d2a065d7a88c63b0664cd41dc439559ea004fdda06aa6ad3c2ea6cbcf2c408

SHA512
39e6b275060bebdccd1c1bfef8f1d62a90839a260bb45355a999a38de28d4a6133a7f02585b07f866afa92d6c6a03b4c66f101e11050f7d3b05f9f2cd40af75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\5OnF2rFk.xlsm

Filesize
23KB

MD5
dcca0b6799ddd8d07d004b98e9f4a69e

SHA1
8ee13ae4e79bf1959f14933b3e7f7935e68b3c06

SHA256
5a4c002d9ce89ff59cbc1fad99c0e60c9450fe0fef5d291f32458ff2a3f72f89

SHA512
e965e4b2da4be69404f74ca5385b10d4bc9048342c42aa8c509ec248f16950c8a1230c1329798dbd7f0ba02c25b82a8c2272824c53a82c32de1d1225560552e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5OnF2rFk.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\5OnF2rFk.xlsm

Filesize
26KB

MD5
7ba9b6b169d023555b3bf88f96f8d5c4

SHA1
4cdf53d75eb2f612486014e28ca1a533ed4b0bcc

SHA256
d9c6d87060225f0d5708844c6d3c69666f46346dd5d60225e4899acbd66e57d2

SHA512
766fec1e40b5bf97db78357e7e0e5857dbc06c68f7c327481d153dbf4808be910714969592c18cb8c729c01e3c018b7611129bc5772338c71dfeb0c3c4769249

Download Submit
C:\Users\Admin\AppData\Local\Temp\5OnF2rFk.xlsm

Filesize
24KB

MD5
e1099a250a0ba54eb838636d11a2f7da

SHA1
87bc855e1a01cce29377863267c649544fe4ec9d

SHA256
b4512a0c9cf7b16df28859531059cb15ac0b106824cfa51695ad8ec3b65959b6

SHA512
26a41d048ed1c9cf66726848b975ce01c98b3ae173175f2705584abb1bd2eb4cb9f64de2f2eb763e78d4bcf360c286e46faad7fc329d11c4339b60dbd80e33d1

Download Submit
memory/2128-14-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2128-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2832-82-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2832-16-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2880-15-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2880-84-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2880-83-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2880-85-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download
memory/2880-118-0x0000000000400000-0x00000000004C2000-memory.dmp

Filesize
776KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads