xred | 1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc

General

Target

1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
Size

829KB
MD5

e60d708e062dfc68d4110ad676a056d0
SHA1

e7116b561ebe31a1acecaddb49825b5385168aa3
SHA256

1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc
SHA512

2bbefe5455815ac3b6776182437694e981d627d2addd46b3ac4b10ecbb37fcf2aa2261c5d7cb3be6756c7b17f134651ca9ee27595fd05ecbb1e5d00cf3cab167
SSDEEP

12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9px4DyNL:pnsJ39LyjbJkQFMhmC+6GD91x

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1048	._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
300	Synaptics.exe
2816	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
300	Synaptics.exe
300	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
3012	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3012	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1048	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	30
PID 2132 wrote to memory of 1048	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	30
PID 2132 wrote to memory of 1048	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	30
PID 2132 wrote to memory of 1048	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	30
PID 2132 wrote to memory of 300	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	32
PID 2132 wrote to memory of 300	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	32
PID 2132 wrote to memory of 300	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	32
PID 2132 wrote to memory of 300	2132	1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe	32
PID 300 wrote to memory of 2816	300	Synaptics.exe	33
PID 300 wrote to memory of 2816	300	Synaptics.exe	33
PID 300 wrote to memory of 2816	300	Synaptics.exe	33
PID 300 wrote to memory of 2816	300	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
"C:\Users\Admin\AppData\Local\Temp\1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe"
  2⤵
  - Executes dropped EXE
  PID:1048
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:300
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2816

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
829KB

MD5
e60d708e062dfc68d4110ad676a056d0

SHA1
e7116b561ebe31a1acecaddb49825b5385168aa3

SHA256
1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654cc

SHA512
2bbefe5455815ac3b6776182437694e981d627d2addd46b3ac4b10ecbb37fcf2aa2261c5d7cb3be6756c7b17f134651ca9ee27595fd05ecbb1e5d00cf3cab167

Download Submit
C:\Users\Admin\AppData\Local\Temp\iyMxQyKi.xlsm

Filesize
17KB

MD5
8f3c7fbc1e051b36696dbd67e8ed4249

SHA1
b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

SHA256
8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

SHA512
4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_1780b674a95a4e57c241ea10150c7117db2bd6366c0515db354bcd52859654ccN.exe

Filesize
75KB

MD5
2f9366f62dcd6e73dc3520c65bbf95da

SHA1
792d846d45dee9d2f732b242c6f5c843fb27cb17

SHA256
bd848b8d9ab1a6dafea89c0fb7647dd68a8356634e378fc2bdf46f44e05f699f

SHA512
ee0ac811acbc031bd05442cf21eec537788e46763d6e8380f4a6b56abc6e6cd22868755d2b8bda3a1ed55545de1ecfa83e1ad2e66a13a30e314e5144ae8a257e

Download Submit
memory/300-39-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/300-40-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/300-65-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/300-73-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2132-0-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/2132-24-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/3012-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads