xred | c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3

General

Target

c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
Size

2.6MB
MD5

7458a184805e2e995d577d41ece13f53
SHA1

b0115ea082e2bc9828dfd584476641e10f836e87
SHA256

c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3
SHA512

2dc6be3c6a57046e4dbe6524365fbe091b6dfb8b2018dc764354926fd96211dcd46aa6006a0416ea4db9498134aa29550526aba88cdc0014f956de1a0415fffb
SSDEEP

49152:wnsHyjtk2MYC5GD++xIXVqMlQ9BxMRW/R49SPpB7vxhotliTQo4yfGw5A2t:wnsmtk2aLLlQzuW/R49SPpDQo4yfGc

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2428	._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2752	Synaptics.exe
2956	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2752	Synaptics.exe
2752	Synaptics.exe
2752	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2892	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2892	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 2428	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 1076 wrote to memory of 2428	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 1076 wrote to memory of 2428	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 1076 wrote to memory of 2428	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 1076 wrote to memory of 2752	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 1076 wrote to memory of 2752	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 1076 wrote to memory of 2752	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 1076 wrote to memory of 2752	1076	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 2752 wrote to memory of 2956	2752	Synaptics.exe	33
PID 2752 wrote to memory of 2956	2752	Synaptics.exe	33
PID 2752 wrote to memory of 2956	2752	Synaptics.exe	33
PID 2752 wrote to memory of 2956	2752	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
"C:\Users\Admin\AppData\Local\Temp\c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Users\Admin\AppData\Local\Temp\._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe"
  2⤵
  - Executes dropped EXE
  PID:2428
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2956

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.6MB

MD5
7458a184805e2e995d577d41ece13f53

SHA1
b0115ea082e2bc9828dfd584476641e10f836e87

SHA256
c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3

SHA512
2dc6be3c6a57046e4dbe6524365fbe091b6dfb8b2018dc764354926fd96211dcd46aa6006a0416ea4db9498134aa29550526aba88cdc0014f956de1a0415fffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlZq64VQ.xlsm

Filesize
26KB

MD5
a57fbdcfb256743c7451c44330752c04

SHA1
d802e578efe18add731dd8205522b5c516c539ea

SHA256
84ebf9eccc6f1db0c73361f0ed96da795e2138b1d66219e6ef0175306ac35257

SHA512
e2b89350fbae25cc631b28d1f84211c4169934f839f49de48c6ac61f2fbc1c949ed67208c1bf2b2dba3fcffc05b49583635a25c059c55da7688277ded955d399

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlZq64VQ.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\dlZq64VQ.xlsm

Filesize
23KB

MD5
6be185c2d5e612531da534cef64e87f1

SHA1
f279be2f2171ac3937734ae0825465d81447897a

SHA256
c893a395e6b16807f346b8b9684163d0f8f78a0d59116afd8b30582e121f9478

SHA512
a675d19e54118a18fe5b249d82435ac32e1dbd771e33fcc95fe222929dc8c25d2c28ecb46ba85f316fb963d19c89af869acfd755d6853f873c98118bfada43a1

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe

Filesize
1.9MB

MD5
7064bc533038322c72261ae1aa27a220

SHA1
9e7e750d68786b918c7e89b715bf28d289ef4852

SHA256
2d79edec941579e025c94d1cac84615dc4f8de5beb41987d7f5e8aa811425f48

SHA512
5a4c0722b5fb7ff98beeb32db547c1fca65482eb78420335cf451b8a2ea0c8b415786a8ec3c92bc690bd4f26a067675edebac0d27bccaac1015cfa693e6b77e3

Download Submit
memory/1076-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1076-28-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2752-96-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2752-97-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2752-129-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2892-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2892-95-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads