xred | 90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f

General

Target

90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
Size

3.5MB
MD5

ebc8627852b666e23093d0e2866a3541
SHA1

c566deae49e311cab73f4c46c52cc007773a2677
SHA256

90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f
SHA512

4c7c3a94e107ebb7d25e677b5e81f90a81bdd1316d8aedf38a09b709ed7890653732d5e32b356a0367f7d800f736f891692aa3185e30ffe492a50db0320717a1
SSDEEP

98304:vnsmtk2aw++l1Nph+3DnftLxTS4YNukVD/z:/LFvh+3rFLxTiYc

Score

10^/10

xred backdoor bootkit discovery evasion persistence trojan

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1336	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
2660	Synaptics.exe
2692	._cache_Synaptics.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
Key opened	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Wine	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
2660	Synaptics.exe
2660	Synaptics.exe
2660	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	._cache_Synaptics.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
File opened for modification	\??\PhysicalDrive0	._cache_Synaptics.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2692	._cache_Synaptics.exe
1336	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2624	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	._cache_Synaptics.exe
1336	._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2624	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 1336	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	31
PID 2308 wrote to memory of 1336	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	31
PID 2308 wrote to memory of 1336	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	31
PID 2308 wrote to memory of 1336	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	31
PID 2308 wrote to memory of 2660	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	32
PID 2308 wrote to memory of 2660	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	32
PID 2308 wrote to memory of 2660	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	32
PID 2308 wrote to memory of 2660	2308	90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe	32
PID 2660 wrote to memory of 2692	2660	Synaptics.exe	33
PID 2660 wrote to memory of 2692	2660	Synaptics.exe	33
PID 2660 wrote to memory of 2692	2660	Synaptics.exe	33
PID 2660 wrote to memory of 2692	2660	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
"C:\Users\Admin\AppData\Local\Temp\90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe"
  2⤵
  - Executes dropped EXE
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1336
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Checks whether UAC is enabled
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2692

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Pre-OS Boot

1

T1542

Bootkit

1

T1542.003

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
3.5MB

MD5
ebc8627852b666e23093d0e2866a3541

SHA1
c566deae49e311cab73f4c46c52cc007773a2677

SHA256
90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f

SHA512
4c7c3a94e107ebb7d25e677b5e81f90a81bdd1316d8aedf38a09b709ed7890653732d5e32b356a0367f7d800f736f891692aa3185e30ffe492a50db0320717a1

Download Submit
C:\ProgramData\hulbxxgy.kfg

Filesize
4KB

MD5
c3d39266a9df0e8d161cba655a22e029

SHA1
5032b7cf0172cbf75994db23d318226b8618406c

SHA256
a5148b746ff3125073624d7c25f1111534f21dd1c186ddb0f68d9aab303869fc

SHA512
fdaeb3014e9c2ce57fea3fa04d5dae101bfc85f93f0bbf40f04326cb9def99f00d98dd5124ee924f499b595e8941ad3115f5245be2673137ac2fe153b9b5bb9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dGWRfqKn.xlsm

Filesize
17KB

MD5
af4d37aad8b34471da588360a43e768a

SHA1
83ed64667d4e68ea531b8bcf58aab3ed4a5ca998

SHA256
e7550c3453156531308fda255a198c3710aa4bc7412819c180b103c11e85cef1

SHA512
74f5000038c47b7c909c4ee5740e0e87cac12c9c96fff8b1c7ec749541ee3d4b7efd80f9ac02cd39809dca3f2707d0063fa852a3a541342d93a9d03de08823da

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_90d7154ab0eb04f847f661b17d421142930528bc8e1484e2bd7b7fe51d11254f.exe

Filesize
2.7MB

MD5
16df9ef6f2ce18aac990122ec8de2cc7

SHA1
fcc146696ddc9eead3817aaf2363b78d7fb8394d

SHA256
491f20e8ad54ac6fc9beeabf1c2ce30a9fa1bd630b580fffee26c56589113de5

SHA512
b835542aec29fbd70a8d212da3fec5ead4dea4936dd05a0218b8a6a8f7566326f7bf4245a81dabf5133e6b13cae40a6f69768462dbcc52854c371879da9b5987

Download Submit
memory/1336-22-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download
memory/1336-52-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download
memory/2308-21-0x0000000005860000-0x0000000005D55000-memory.dmp

Filesize
5.0MB

Download
memory/2308-31-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2308-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2308-19-0x0000000005860000-0x0000000005D55000-memory.dmp

Filesize
5.0MB

Download
memory/2624-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2660-43-0x0000000005850000-0x0000000005D45000-memory.dmp

Filesize
5.0MB

Download
memory/2660-44-0x0000000005850000-0x0000000005D45000-memory.dmp

Filesize
5.0MB

Download
memory/2660-53-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2660-56-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2660-62-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2660-65-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2660-88-0x0000000000400000-0x000000000077A000-memory.dmp

Filesize
3.5MB

Download
memory/2692-54-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download
memory/2692-55-0x0000000000400000-0x00000000008F5000-memory.dmp

Filesize
5.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads