xred | a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9

General

Target

a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
Size

1.2MB
MD5

b8827e4fa6149576aa16cbcf9ff30819
SHA1

fc43eee5eff356d8b66cd0e493d990262d1dcc61
SHA256

a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9
SHA512

975a3e56df9fd37b2fb82211caa7d7271ff067a35f1fab271a26bf34c9c864bac775fa09815c37e591d38db914731cf6fb4309700daa1ae19a43aeb24ae3e65f
SSDEEP

24576:TnsJ39LyjbJkQFMhmC+6GD9ANDbqUo5uCMiJ0vH:TnsHyjtk2MYC5GD+Nto5uCAv

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
2840	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
1044	Synaptics.exe
1108	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
1044	Synaptics.exe
1044	Synaptics.exe
1044	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe

UPX packed file 26 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x00080000000120ff-4.dat	upx
behavioral1/memory/2840-21-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-236-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-274-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-275-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-278-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-283-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-285-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-286-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-288-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-293-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-295-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-296-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-298-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-301-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-304-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-305-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-307-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-334-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-336-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-337-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-339-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-340-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-342-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/2840-343-0x0000000000400000-0x0000000000557000-memory.dmp	upx
behavioral1/memory/1108-345-0x0000000000400000-0x0000000000557000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs	._cache_Synaptics.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Save Directory = "\\"	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	._cache_Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TypedURLs	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Save Directory = "\\"	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2860	EXCEL.EXE

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2840	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
2840	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
2840	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
2840	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
2840	._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
1108	._cache_Synaptics.exe
1108	._cache_Synaptics.exe
1108	._cache_Synaptics.exe
1108	._cache_Synaptics.exe
1108	._cache_Synaptics.exe
2860	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 2840	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	28
PID 1820 wrote to memory of 2840	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	28
PID 1820 wrote to memory of 2840	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	28
PID 1820 wrote to memory of 2840	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	28
PID 1820 wrote to memory of 1044	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	29
PID 1820 wrote to memory of 1044	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	29
PID 1820 wrote to memory of 1044	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	29
PID 1820 wrote to memory of 1044	1820	a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe	29
PID 1044 wrote to memory of 1108	1044	Synaptics.exe	30
PID 1044 wrote to memory of 1108	1044	Synaptics.exe	30
PID 1044 wrote to memory of 1108	1044	Synaptics.exe	30
PID 1044 wrote to memory of 1108	1044	Synaptics.exe	30

C:\Users\Admin\AppData\Local\Temp\a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
"C:\Users\Admin\AppData\Local\Temp\a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1044
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1108

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.2MB

MD5
b8827e4fa6149576aa16cbcf9ff30819

SHA1
fc43eee5eff356d8b66cd0e493d990262d1dcc61

SHA256
a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9

SHA512
975a3e56df9fd37b2fb82211caa7d7271ff067a35f1fab271a26bf34c9c864bac775fa09815c37e591d38db914731cf6fb4309700daa1ae19a43aeb24ae3e65f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Browser.ini

Filesize
23B

MD5
5671ad767fc7e1af34132342e9ad06c1

SHA1
575fdcb80b55a91e62e6687937038d0ca909bc2d

SHA256
80e49c644396b856544a0ea6e0962c8d9fb4f8c499a249880d2ac8c30579accd

SHA512
5b7f7bcf14eaa9a2f500711bac3a8d9c3f7adc0c2c2cafbfe6e4d1e406c1b3b7f00df3e0dd85a0e531f4d4d1d58298e77c4d9c0bb976e86e5a191e80ca010974

Download Submit
C:\Users\Admin\AppData\Local\Temp\Browser.ini

Filesize
61B

MD5
94771a318b9920c00c1cd5bdd89bfc14

SHA1
e5042d31ebb328008fc9d9b1312f97068a372534

SHA256
753337fbe05fa5374b6cf05b24de90ab179bf00e00432da7a78ac8fd5a9cd0e2

SHA512
23af3006e5f5e20e78d9ab30a92a0131ac32c6c19290f8365efd7e53a911ded34d3e84d5881093ab7b9c30d1ff3c854b87f67d6413ff6d0796a33f42475a5d92

Download Submit
C:\Users\Admin\AppData\Local\Temp\Browser.ini

Filesize
73B

MD5
ce40fde7e86c626a1d1511fe13924328

SHA1
339b4326770fe23fe841150d9a4b6dbcf44cb691

SHA256
45bb8dc8db3083bd93c21d1a5607e8432133181a211a79ebce92a7ad18cd1b71

SHA512
e03dcdbec0bcb2f94262a5017b4768d94b21567f44b5f4cc58eb1d8f52fef68be2f130bb5286cbb5992a1835332ad6c6c4d525f1011a6e7b6a21be42a57fa6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ne6TjFY7.xlsm

Filesize
17KB

MD5
8f3c7fbc1e051b36696dbd67e8ed4249

SHA1
b6b3e8ff0aecce4e85ca9819cce2c9cce7a14c67

SHA256
8a53a911752049160273f080c9631f519692de0aecd081b7b7c0239c5656f387

SHA512
4ecb5f18cee44ef986845c49b2aa84c115180e277b866c4ebf9ccda94c0992cb2d2f8c0123ad0fb5558f63e0b37d6547f5e5971832ee44c55edd44521dd950a5

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_a07db5ee88458ada018809f1b8cc5b2fc605fc0502d0af51172dcfe870b55be9.exe

Filesize
485KB

MD5
9894a7298ad832b8ef73e749a9acf4ab

SHA1
039aa843dbe090f0ea785ae04cf125abbcf4f28f

SHA256
128fc38fe26637a05405cbe3031b017a2ab12956877fc575efc709a2f920c86a

SHA512
3394e82423c1d5392154295cd1627fef99a6a8cf73a88799170bc845767edb06e6d87c45f1a0bd5635c96666d75a23140e5e04b5a2a6675eb86654dd9cf9e615

Download Submit
memory/1044-276-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1044-335-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1044-232-0x00000000054D0000-0x0000000005627000-memory.dmp

Filesize
1.3MB

Download
memory/1044-233-0x00000000054D0000-0x0000000005627000-memory.dmp

Filesize
1.3MB

Download
memory/1044-287-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1044-284-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/1108-298-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-342-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-336-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-304-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-236-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-339-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-285-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-278-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-295-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-288-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-345-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1108-307-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/1820-19-0x00000000055B0000-0x0000000005707000-memory.dmp

Filesize
1.3MB

Download
memory/1820-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1820-174-0x0000000000400000-0x000000000053C000-memory.dmp

Filesize
1.2MB

Download
memory/2840-286-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-340-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-296-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-305-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-293-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-283-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-334-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-21-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-337-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-275-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-301-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-274-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2840-343-0x0000000000400000-0x0000000000557000-memory.dmp

Filesize
1.3MB

Download
memory/2860-279-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads