xred | c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3

General

Target

c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
Size

2.6MB
MD5

7458a184805e2e995d577d41ece13f53
SHA1

b0115ea082e2bc9828dfd584476641e10f836e87
SHA256

c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3
SHA512

2dc6be3c6a57046e4dbe6524365fbe091b6dfb8b2018dc764354926fd96211dcd46aa6006a0416ea4db9498134aa29550526aba88cdc0014f956de1a0415fffb
SSDEEP

49152:wnsHyjtk2MYC5GD++xIXVqMlQ9BxMRW/R49SPpB7vxhotliTQo4yfGw5A2t:wnsmtk2aLLlQzuW/R49SPpDQo4yfGc

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2748	._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2920	Synaptics.exe
2316	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
2920	Synaptics.exe
2920	Synaptics.exe
2920	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1948	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 2748	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 2648 wrote to memory of 2748	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 2648 wrote to memory of 2748	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 2648 wrote to memory of 2748	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	30
PID 2648 wrote to memory of 2920	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 2648 wrote to memory of 2920	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 2648 wrote to memory of 2920	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 2648 wrote to memory of 2920	2648	c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe	32
PID 2920 wrote to memory of 2316	2920	Synaptics.exe	33
PID 2920 wrote to memory of 2316	2920	Synaptics.exe	33
PID 2920 wrote to memory of 2316	2920	Synaptics.exe	33
PID 2920 wrote to memory of 2316	2920	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
"C:\Users\Admin\AppData\Local\Temp\c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe"
  2⤵
  - Executes dropped EXE
  PID:2748
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2316

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.6MB

MD5
7458a184805e2e995d577d41ece13f53

SHA1
b0115ea082e2bc9828dfd584476641e10f836e87

SHA256
c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3

SHA512
2dc6be3c6a57046e4dbe6524365fbe091b6dfb8b2018dc764354926fd96211dcd46aa6006a0416ea4db9498134aa29550526aba88cdc0014f956de1a0415fffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbRpoj6X.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbRpoj6X.xlsm

Filesize
24KB

MD5
97100159161626328a31ccf7a2c80612

SHA1
b4a47a3d66f0fba542c2e1c18e63ba719f39ad86

SHA256
663a36a53f0d6f25d1fa2fdf5d368aac5839b4fdef99d92207b13fd070744c9e

SHA512
a0e51d20314efde498383f747560d04e58871e093ce15223eecb41c131cdda3fa080762e522a08906d7addde7410817dc9c5e01c29957895f22f91e169401bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbRpoj6X.xlsm

Filesize
26KB

MD5
39bf995a99b70be10065158d6b0a41e0

SHA1
21337b94728aa23bbf039228c6a1a8f29165145b

SHA256
123665c6a1604cf1333f16d9366c641aa8b3f070fd8851e66e61b6b1810c1425

SHA512
4f6ced5d083ca06ba6fecbb90af5ba7fb8ff61ade7b2cfaacf27fcea9785bcaf39ae4ef6f4d2e9e6ed582e14915bc3730967ddbc8cf69ab84d0db8c7111a93ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbRpoj6X.xlsm

Filesize
27KB

MD5
73cec6f65a2f2cfb2ed83840ebf37523

SHA1
6e4f43847dcd47d3fec1ac8693cb041785168732

SHA256
828171c0134bf4f0de3880eb6a000a8cb67c8de8f4b4cbe89165f5391f1a5a54

SHA512
e56a0bb72d41f81431042e52a46c15d369d08ed5f7ea45c1839188230190995241052564fa714129c7658f87a3f7d84d9bd5c3fa6385103210bc05107f4f1c88

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbRpoj6X.xlsm

Filesize
26KB

MD5
22b48a16afcdfb40097c360db2a364e8

SHA1
2ac03e1a8fbf987568778183d5284be4947cedfa

SHA256
75fc123ab065dfb7338c6063759d771c06f441000f832e9a4743cf708a914aa3

SHA512
e73ba1c46dc8795b3c1f461286f279759fb0c9725ed61bdf1f987f418b6d74fec04c14f80fd7c5a70209e60b291cea7051a9822da9049d1a5a6b9a6325a60926

Download Submit
C:\Users\Admin\Desktop\~$RepairMount.xlsx

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_c423541994bded6860c3e90f00202cf498c3d433575493d49c9f9f8ce44dedd3.exe

Filesize
1.9MB

MD5
7064bc533038322c72261ae1aa27a220

SHA1
9e7e750d68786b918c7e89b715bf28d289ef4852

SHA256
2d79edec941579e025c94d1cac84615dc4f8de5beb41987d7f5e8aa811425f48

SHA512
5a4c0722b5fb7ff98beeb32db547c1fca65482eb78420335cf451b8a2ea0c8b415786a8ec3c92bc690bd4f26a067675edebac0d27bccaac1015cfa693e6b77e3

Download Submit
memory/1948-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2648-28-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2648-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2920-119-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2920-120-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/2920-154-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads