xred | 3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897beb

General

Target

3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
Size

900KB
MD5

da622141c7c1c20462583cac67ca7d50
SHA1

dd33f1a243f401360e9d3b43b2fc1643f76828be
SHA256

3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897beb
SHA512

a10f65b6617a3bb984132f481603bd85a36dcd870f38284b2a7450570d5dc82f05ddd530384eba428a2bc8b2a648d5d9eeb3dfe0d82e7de6762ac10aa0fccc47
SSDEEP

12288:sMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9mU6bi9I6VVa:snsJ39LyjbJkQFMhmC+6GD9hIyM

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x0007000000016cd1-83.dat

Executes dropped EXE 3 IoCs

pid	Process
2764	._cache_3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
2264	Synaptics.exe
2004	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
2264	Synaptics.exe
2264	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2588	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2588	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 2764	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	28
PID 2896 wrote to memory of 2764	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	28
PID 2896 wrote to memory of 2764	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	28
PID 2896 wrote to memory of 2764	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	28
PID 2896 wrote to memory of 2264	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	29
PID 2896 wrote to memory of 2264	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	29
PID 2896 wrote to memory of 2264	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	29
PID 2896 wrote to memory of 2264	2896	3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe	29
PID 2264 wrote to memory of 2004	2264	Synaptics.exe	30
PID 2264 wrote to memory of 2004	2264	Synaptics.exe	30
PID 2264 wrote to memory of 2004	2264	Synaptics.exe	30
PID 2264 wrote to memory of 2004	2264	Synaptics.exe	30

C:\Users\Admin\AppData\Local\Temp\3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
"C:\Users\Admin\AppData\Local\Temp\3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Local\Temp\._cache_3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe"
  2⤵
  - Executes dropped EXE
  PID:2764
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2264
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2004

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
900KB

MD5
da622141c7c1c20462583cac67ca7d50

SHA1
dd33f1a243f401360e9d3b43b2fc1643f76828be

SHA256
3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897beb

SHA512
a10f65b6617a3bb984132f481603bd85a36dcd870f38284b2a7450570d5dc82f05ddd530384eba428a2bc8b2a648d5d9eeb3dfe0d82e7de6762ac10aa0fccc47

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_3618cad26e24295609aeee9277174339b47e0b89b6d30f8e3614a019d4897bebN.exe

Filesize
147KB

MD5
2b8e4c792bed0e5882702720bc528ae5

SHA1
e7638b294a4f1409f87e449643a02bbd49a481c8

SHA256
6d7cb027bc6014cb268c49b46049cdff3ba94d07102a65bd053335a28e83d125

SHA512
6cc9457024385c2687b32c5cd49aa45aa21c93c66c78efaa3e9d96e4fd26054fb9a4ef9c4974ca633e5ba63a31f625632aae7097aa6d05b54201c3f383d5a82d

Download Submit
C:\Users\Admin\AppData\Local\Temp\n32ttOo1.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\n32ttOo1.xlsm

Filesize
29KB

MD5
88478fde58fe9afd42555d040f28c7e1

SHA1
7716dff7fc85b17ab0ba709c4bbe3507c3301c39

SHA256
44a7389af06ed7e7343d368a3925dc28e380ccb1470c6812dd802e0e15522bc7

SHA512
a76cf85c8db53d03bf2649fa3dbc4f39315274ee5d81972205e002057eb08d42f015f0b5b8abbce9eb841059e86fa8a2fbf25400092ac885777380835eacf27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\n32ttOo1.xlsm

Filesize
28KB

MD5
e295b083caaa441a6e37910f5b636fd0

SHA1
f68362582a2b17d9d9733cccfa045feaa4a3613e

SHA256
847386de8721a46d99e3b2ac6afddd9b8d557bec150d883cd199a5b656525ee6

SHA512
1c1395f4d03ea7724d1a181ec0e71ae7ae9bd6288cb2cbf5f13baa1b104369eaef75dd08f9fc6c01fdec86159e4a98107b0c16fc903f73603bd276b5c21d10a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\n32ttOo1.xlsm

Filesize
24KB

MD5
2e3c16e6c873dd99764b5ba544836e50

SHA1
69b24861b8463740a006cddfef380c4b31d2ef4a

SHA256
f9ee05d7c1d998fb5e6a1715cc8bbe85091c5a7e5cb751c85269f30c0c8c645c

SHA512
4df6f0a69ca9f35d87a25d3c956577107158939b0011ec43bd1d85cf3485d155cf3f61a622a3752cd2205f5f2bf5025e29b717020986e2fc229674d8420a4a57

Download Submit
memory/2264-101-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2264-134-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2264-102-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download
memory/2588-100-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2588-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2896-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2896-25-0x0000000000400000-0x00000000004E7000-memory.dmp

Filesize
924KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads