xred | d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4c

General

Target

d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
Size

791KB
MD5

c5f1c27b7b103c4403fc0e454dbcb510
SHA1

c056768fb4cfe1c63821183276caba710e972fb7
SHA256

d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4c
SHA512

dc24e3df394e7242a7b54d9b54d15bb3da9327ce27a9b3975d48b1800442a75caa25c6db39a62624a5ed60663f62d23be591f6192fbd07fc36cc8a42e9c7164f
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9rHwxQj:WnsJ39LyjbJkQFMhmC+6GD9D

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 2 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x000600000001a4a5-85.dat
behavioral1/files/0x000800000001a4a5-107.dat

Executes dropped EXE 3 IoCs

pid	Process
1752	._cache_d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
1796	Synaptics.exe
948	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
1796	Synaptics.exe
1796	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2804	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 1752	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	31
PID 752 wrote to memory of 1752	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	31
PID 752 wrote to memory of 1752	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	31
PID 752 wrote to memory of 1752	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	31
PID 752 wrote to memory of 1796	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	32
PID 752 wrote to memory of 1796	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	32
PID 752 wrote to memory of 1796	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	32
PID 752 wrote to memory of 1796	752	d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe	32
PID 1796 wrote to memory of 948	1796	Synaptics.exe	33
PID 1796 wrote to memory of 948	1796	Synaptics.exe	33
PID 1796 wrote to memory of 948	1796	Synaptics.exe	33
PID 1796 wrote to memory of 948	1796	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
"C:\Users\Admin\AppData\Local\Temp\d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:752
- C:\Users\Admin\AppData\Local\Temp\._cache_d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe"
  2⤵
  - Executes dropped EXE
  PID:1752
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1796
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:948

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
791KB

MD5
c5f1c27b7b103c4403fc0e454dbcb510

SHA1
c056768fb4cfe1c63821183276caba710e972fb7

SHA256
d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4c

SHA512
dc24e3df394e7242a7b54d9b54d15bb3da9327ce27a9b3975d48b1800442a75caa25c6db39a62624a5ed60663f62d23be591f6192fbd07fc36cc8a42e9c7164f

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFTVIWBz.xlsm

Filesize
21KB

MD5
d345f8cc1a9aae22e5aa79522743036e

SHA1
ca29e5bd193efb8a986e946e893103763e766d7d

SHA256
8f28a18f4cd5e127cd4b76f0508dfd6620c233a0b686833c1693498886e6b2d4

SHA512
0fa7e5f3ca3105fadc55d2debc1e42e8ab26bfd633d906be9548e1e54c6b7b0a7803ce81358fb0a6eb36ce7d2f2b029663156242a4530f157cd5cd392532f6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFTVIWBz.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFTVIWBz.xlsm

Filesize
25KB

MD5
3b0ab10f0706898ad119291514531f35

SHA1
0bfbb5e76cb264bf2389308548ba89b43f37db34

SHA256
e6826764671703b6f376f89b8000f2942d5a808ea3f7c165ac3198a0b469c2ab

SHA512
f8a2d1d7bf5daf931dfba4b186a2a43bb6283ebfe1d0c946ed1510fbf86d14925c245e2b5eb360a95a81e1fce219c2baf6c2ca84e0dad928612e3ac8d18f43b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFTVIWBz.xlsm

Filesize
25KB

MD5
95adbe63e52984671dda8243750e412c

SHA1
c7b188fc3cc0a68abaf3690c84c89b5b35e67d54

SHA256
774d40c5a5ea95c4a6383e4b2b641a8ef60b51017d8e4f8a1df30c12b3b91a86

SHA512
3638f0968d20647ab61fb2cb6f5918bba326d008b95dd1c71d01a862ad7fa89ba0f02fea7e73a8d56591462aeffb4aedcc292b2b37e4a47f186ea3c399b68467

Download Submit
C:\Users\Admin\AppData\Local\Temp\WFTVIWBz.xlsm

Filesize
27KB

MD5
ec0d2fa0b9bd2b5a81d78a8867e3ad82

SHA1
c26f8837937d1a42c47621ca4988933b4f2481b9

SHA256
c21e3167fa25b1295e2ba52cc6251b6a42d9144a50a86944e8042a92952a7b67

SHA512
a900eafbed6b2087f3f9186dddf25aa03e199e2df0a16deceb9407cdb2c479754a8e8d0b8b154f04c5f34ac274d1b2f22c86d804fa8d257a84ac72aeb1e40490

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$WFTVIWBz.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_d5d35d86e76c300a23a9584d1c4a6f3d5ec08bc9b2ac842a264d450eb646ea4cN.exe

Filesize
38KB

MD5
10b1a298e7938276427bc270c496db77

SHA1
a21396d8bcabf6f9d0c7650114ddcd7703d91786

SHA256
e1c02df86676d04ed75ba6303b53b61c15adb6aec672ac349c2f06454a594e1e

SHA512
0593e2ecc997a1d41fea322567c80bc79380bc0421ff3d4be891d7a37c4922039fbf1d3e6e7ec13dd1487b0eb8951ad0c81a842ca0fc197926e67c686bb86a1d

Download Submit
memory/752-25-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/752-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/948-36-0x00000000002A0000-0x00000000002B0000-memory.dmp

Filesize
64KB

Download
memory/1752-28-0x0000000000A20000-0x0000000000A30000-memory.dmp

Filesize
64KB

Download
memory/1796-112-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1796-113-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1796-145-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/2804-37-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2804-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads