xred | 845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

General

Target

845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Size

4.6MB
MD5

823444545911fd17e953437b7c712f2f
SHA1

6d1c0b1c3caade86c13196a0763538d0ee29322e
SHA256

845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d
SHA512

51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b
SSDEEP

49152:gnsHyjtk2MYC5GDfmrE906DDnrvpjFGO+LFPPYK6Ii1+0UfWUWveO1b9Uqi1dP8B:gnsmtk2aWmrE906DDnjpREFgBIi9/

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000016df8-97.dat
behavioral1/files/0x0006000000016df5-80.dat

Executes dropped EXE 4 IoCs

pid	Process
2936	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2576	Synaptics.exe
2112	._cache_Synaptics.exe
1860	._cache_Synaptics.exe

Loads dropped DLL 14 IoCs

pid	Process
2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2936	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2936	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2936	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
2576	Synaptics.exe
2576	Synaptics.exe
2112	._cache_Synaptics.exe
2112	._cache_Synaptics.exe
2112	._cache_Synaptics.exe
1860	._cache_Synaptics.exe
1860	._cache_Synaptics.exe
1860	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_Synaptics.exe
File opened for modification	C:\Windows\ccmsetup\._cache_Synaptics.exe.download	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\._cache_Synaptics.exe.download	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\._cache_Synaptics.exe	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1408	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1408	EXCEL.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2936	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	30
PID 2248 wrote to memory of 2576	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	31
PID 2248 wrote to memory of 2576	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	31
PID 2248 wrote to memory of 2576	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	31
PID 2248 wrote to memory of 2576	2248	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	31
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33
PID 2576 wrote to memory of 2112	2576	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
"C:\Users\Admin\AppData\Local\Temp\845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2248
- C:\Users\Admin\AppData\Local\Temp\._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2936
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2576
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:2112

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1408

C:\Windows\ccmsetup\._cache_Synaptics.exe
"C:\Windows\ccmsetup\._cache_Synaptics.exe" /runservice INJUPDATE="InjUpdate"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
823444545911fd17e953437b7c712f2f

SHA1
6d1c0b1c3caade86c13196a0763538d0ee29322e

SHA256
845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

SHA512
51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qDsZNy1.xlsm

Filesize
26KB

MD5
6dc70a4abd0fdfe9bdb36e922432ac0c

SHA1
7dd0ce2ec335dba623c316c51da83234ee50f611

SHA256
eb3d62255f4c7aec148dc9053aa1d2be4d0f8df8f266e565e7a8c62d400582af

SHA512
b56ad0a5c0a0ba64d69ac4181e01a7ef41c3610b29832b22b981f7faab73e593173c1e8d3158ea4ccb6b8bbf0f26db687730bbfabc571b5f9a35d5fd97186adc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qDsZNy1.xlsm

Filesize
29KB

MD5
7204a28d09492aa9d2543bc0d41f6200

SHA1
8f0970a97df7df58a7467386847d11f2e27ed769

SHA256
c61246fb5981182cdde7b6a051777ffa6967d031c16d4d609ae413fd5515bb2d

SHA512
d32e09422c8516e2de303325716a55e2f96d630dbf086f7f74094f2cd008b29e72976616a118ed0e8ebe3a9c8af7b142ffebdb30bd7b09b10283266a9605ab84

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qDsZNy1.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Windows\ccmsetup\Logs\ccmsetup.log

Filesize
26KB

MD5
4aae31861e60f88097b518a000e4fec0

SHA1
bc519e41ff1308c81af355f83694aa66556ba7e5

SHA256
af77d21bc0072e74f1af98ce6445b594dbb2bca903885e5a69e40adc249bfbef

SHA512
59255057c6c867842171f5b842c6ca3cd787dd209a7a9004a30823fb92106b3045b03114ede3b4d7f3bab6a1ec9caf9762e6e7b3dda8b9bd1a0482f38517dd19

Download Submit
C:\Windows\ccmsetup\Logs\ccmsetup.log

Filesize
14KB

MD5
816b0c0dff1e8aa24e6bd9477f216b2d

SHA1
f37db0daa0748b17e82beb53c69d31c360cfe2cb

SHA256
4fbdffa77baea069965943f4624af145662d1280d82171064998ef150e53722e

SHA512
019420abeada1fd7b540510253c9b35b6892358d1c0d0586d7d711877e1e4843c4f46b1c80396808cd0f44d6ab9420fc2aa8b39c9d5086610ed000d10f60b241

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe

Filesize
3.9MB

MD5
169e238a8e29445c319f934362361d28

SHA1
824e61de77da1e91b4bbb09c92e6908e80d4143d

SHA256
63fb838c9604c2af8d8bc17a48d2d745f389ad984cc2ab5e0765d5b27c91a710

SHA512
a7fcaa91c5de184956605d403e1881b0f62076b01c0c6d03b5dbd42e9b8ca704ae59362b3d46f966c213e7b1e915da95d681db9cb6063923a50b76a55427f2ba

Download Submit
memory/1408-45-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2248-29-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2248-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2576-112-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2576-113-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/2576-147-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads