xred | f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf

General

Target

f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
Size

829KB
MD5

72e95291904617709bd084ddc40514cc
SHA1

8235fdde80b1adc76e98e29d796675d6747c1b29
SHA256

f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf
SHA512

55615ac6ca7abe09f66266fbbd9681cf0f60994f6ca996fcfde7f9b93ce87ce631c1e7ec943f46e5079cf8a493f0cbecf64952122d2f0943082ecd9678538779
SSDEEP

12288:pMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9px4DyNT:pnsJ39LyjbJkQFMhmC+6GD91p

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1716	._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
2712	Synaptics.exe
2852	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
2712	Synaptics.exe
2712	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2728	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2728	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2960 wrote to memory of 1716	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	30
PID 2960 wrote to memory of 1716	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	30
PID 2960 wrote to memory of 1716	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	30
PID 2960 wrote to memory of 1716	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	30
PID 2960 wrote to memory of 2712	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	32
PID 2960 wrote to memory of 2712	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	32
PID 2960 wrote to memory of 2712	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	32
PID 2960 wrote to memory of 2712	2960	f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe	32
PID 2712 wrote to memory of 2852	2712	Synaptics.exe	33
PID 2712 wrote to memory of 2852	2712	Synaptics.exe	33
PID 2712 wrote to memory of 2852	2712	Synaptics.exe	33
PID 2712 wrote to memory of 2852	2712	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
"C:\Users\Admin\AppData\Local\Temp\f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2960
- C:\Users\Admin\AppData\Local\Temp\._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe"
  2⤵
  - Executes dropped EXE
  PID:1716
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2852

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
829KB

MD5
72e95291904617709bd084ddc40514cc

SHA1
8235fdde80b1adc76e98e29d796675d6747c1b29

SHA256
f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf

SHA512
55615ac6ca7abe09f66266fbbd9681cf0f60994f6ca996fcfde7f9b93ce87ce631c1e7ec943f46e5079cf8a493f0cbecf64952122d2f0943082ecd9678538779

Download Submit
C:\Users\Admin\AppData\Local\Temp\J31DFyqG.xlsm

Filesize
17KB

MD5
8f3c7fbc1e051b36696dbd67e8ed4249

SHA1
b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

SHA256
8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

SHA512
4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_f4b7463799d57bfabb9c0e0cf8a4e1a3a7dad4daba97c552af1728a4f5bf9ebf.exe

Filesize
75KB

MD5
2f9366f62dcd6e73dc3520c65bbf95da

SHA1
792d846d45dee9d2f732b242c6f5c843fb27cb17

SHA256
bd848b8d9ab1a6dafea89c0fb7647dd68a8356634e378fc2bdf46f44e05f699f

SHA512
ee0ac811acbc031bd05442cf21eec537788e46763d6e8380f4a6b56abc6e6cd22868755d2b8bda3a1ed55545de1ecfa83e1ad2e66a13a30e314e5144ae8a257e

Download Submit
memory/2712-39-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2712-40-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2712-45-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2712-72-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2728-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2960-0-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2960-25-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads