xred | 845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

General

Target

845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Size

4.6MB
MD5

823444545911fd17e953437b7c712f2f
SHA1

6d1c0b1c3caade86c13196a0763538d0ee29322e
SHA256

845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d
SHA512

51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b
SSDEEP

49152:gnsHyjtk2MYC5GDfmrE906DDnrvpjFGO+LFPPYK6Ii1+0UfWUWveO1b9Uqi1dP8B:gnsmtk2aWmrE906DDnjpREFgBIi9/

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 4 IoCs

pid	Process
2008	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
1324	Synaptics.exe
4868	._cache_Synaptics.exe
2152	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ccmsetup\._cache_Synaptics.exe	._cache_Synaptics.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
File opened for modification	C:\Windows\ccmsetup\Logs\ccmsetup.log	._cache_Synaptics.exe
File opened for modification	C:\Windows\ccmsetup\._cache_Synaptics.exe.download	._cache_Synaptics.exe
File created	C:\Windows\ccmsetup\._cache_Synaptics.exe.download	._cache_Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 2008	816	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	83
PID 816 wrote to memory of 2008	816	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	83
PID 816 wrote to memory of 2008	816	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	83
PID 816 wrote to memory of 1324	816	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	84
PID 816 wrote to memory of 1324	816	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	84
PID 816 wrote to memory of 1324	816	845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe	84
PID 1324 wrote to memory of 4868	1324	Synaptics.exe	87
PID 1324 wrote to memory of 4868	1324	Synaptics.exe	87
PID 1324 wrote to memory of 4868	1324	Synaptics.exe	87

C:\Users\Admin\AppData\Local\Temp\845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
"C:\Users\Admin\AppData\Local\Temp\845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Local\Temp\._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  PID:2008
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4868

C:\Windows\ccmsetup\._cache_Synaptics.exe
"C:\Windows\ccmsetup\._cache_Synaptics.exe" /runservice INJUPDATE="InjUpdate"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
4.6MB

MD5
823444545911fd17e953437b7c712f2f

SHA1
6d1c0b1c3caade86c13196a0763538d0ee29322e

SHA256
845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d

SHA512
51692b5d995081627364345ff73d2f16c573a1cdbccf6130e0ee76417decdf2b57bf09d8c242c709642e9c40d2482e6ccd6ecda99c932b10fac1d8ac44d3367b

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_845b6f57d33b26dd409ae897707e4a5141991df780983593965983d95c06c67d.exe

Filesize
3.9MB

MD5
169e238a8e29445c319f934362361d28

SHA1
824e61de77da1e91b4bbb09c92e6908e80d4143d

SHA256
63fb838c9604c2af8d8bc17a48d2d745f389ad984cc2ab5e0765d5b27c91a710

SHA512
a7fcaa91c5de184956605d403e1881b0f62076b01c0c6d03b5dbd42e9b8ca704ae59362b3d46f966c213e7b1e915da95d681db9cb6063923a50b76a55427f2ba

Download Submit
C:\Windows\ccmsetup\Logs\ccmsetup.log

Filesize
11KB

MD5
4716a0253286fcd2892d45c420ed7419

SHA1
68ac33261b80de9230d5b1cb1fee054c99fa8084

SHA256
c9e6c617674ea7730ec76d90bea89d9a8a2c6010c371c76e0334eae18f13c7ea

SHA512
5f8d7b3a2d9fcb654736b4ecef7d203be03d6a56a92d19b9ff0902538c1db239393a467cfb391ffda7e96f18099d33f5b52b094b44467611c203e7c35970f5b4

Download Submit
C:\Windows\ccmsetup\Logs\ccmsetup.log

Filesize
15KB

MD5
e7908932984af8655b65fc86d2651487

SHA1
fc13ae2ad4a952ec6385f6d8d9b22ce0551ed2db

SHA256
ff451098d9685b540d750d025eb36ec490cce3a1f7809882969cc597bad5895b

SHA512
5cca15300ef805891df9668ab4e8fca4fb101c64e6cc2f601665b0b415b72b588c8ef02fa3dffcd7f973de923d512baa4152f7c22379e3fe0589d39fdaf9a1a6

Download Submit
memory/816-0-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/816-127-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/1324-202-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download
memory/1324-227-0x0000000000400000-0x00000000008AC000-memory.dmp

Filesize
4.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads