xred | 45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82

General

Target

45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
Size

1.3MB
MD5

1c57588fc91149d23692c22215fc880b
SHA1

4d0d0bddebce16a9f210d29ed3b77c7c80e8adb8
SHA256

45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82
SHA512

04bae18355138db465cca6910aaa662a539a11e08ef3b81c3cbdfcd07864d874336aa7e055de2569290705deb614b1e9a2784e71c5da57ae618fb8080e42bfff
SSDEEP

24576:insJ39LyjbJkQFMhmC+6GD9pNcwgM0LTJ821LEsNYSCZXnAIpQ2:insHyjtk2MYC5GDTNcwGTJ821MnlpQ2

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1548	._cache_45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
2852	Synaptics.exe
2572	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
2852	Synaptics.exe
2852	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
572	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
572	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1596 wrote to memory of 1548	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	28
PID 1596 wrote to memory of 1548	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	28
PID 1596 wrote to memory of 1548	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	28
PID 1596 wrote to memory of 1548	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	28
PID 1596 wrote to memory of 2852	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	30
PID 1596 wrote to memory of 2852	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	30
PID 1596 wrote to memory of 2852	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	30
PID 1596 wrote to memory of 2852	1596	45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe	30
PID 2852 wrote to memory of 2572	2852	Synaptics.exe	31
PID 2852 wrote to memory of 2572	2852	Synaptics.exe	31
PID 2852 wrote to memory of 2572	2852	Synaptics.exe	31
PID 2852 wrote to memory of 2572	2852	Synaptics.exe	31

C:\Users\Admin\AppData\Local\Temp\45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
"C:\Users\Admin\AppData\Local\Temp\45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1596
- C:\Users\Admin\AppData\Local\Temp\._cache_45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe"
  2⤵
  - Executes dropped EXE
  PID:1548
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2572

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
1c57588fc91149d23692c22215fc880b

SHA1
4d0d0bddebce16a9f210d29ed3b77c7c80e8adb8

SHA256
45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82

SHA512
04bae18355138db465cca6910aaa662a539a11e08ef3b81c3cbdfcd07864d874336aa7e055de2569290705deb614b1e9a2784e71c5da57ae618fb8080e42bfff

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN48dyIK.xlsm

Filesize
20KB

MD5
878c290e739f19951dafc8c57b419196

SHA1
cf2e0ed6bd21708246cf75e50838791823033bdb

SHA256
ae0f59096eefb926552b20375a495e70673b8b22d0ae43a396f63a0129f416dc

SHA512
70b2779ec0b94fdc4f36e2053698467827f879892bc62f80fe91352321addd7aad49f654c622a260ae55f5628d82317e2f9a723afb0c14e838bb0ef9c5d75b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN48dyIK.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN48dyIK.xlsm

Filesize
23KB

MD5
72dd08310b060e608af81e2c93581fc7

SHA1
c9dd087aa0c3de8b85962609d383fb7c7cc0bb18

SHA256
0524df3664469e8792152877f77d66a5f5fb37af3189f8a560ca2e5cbcd5d64d

SHA512
1ddee650dc8bc1da0cefbeb08c7cc5cafeb22cabffb9bb5ad85ffb9acb0de078dfff8a9b6eec82fc72bbb08a16011d18e33ea453aa5b4b85bbec933fedf0fc70

Download Submit
C:\Users\Admin\AppData\Local\Temp\qN48dyIK.xlsm

Filesize
24KB

MD5
06cca62fdfea3e3ee1878b423978cd55

SHA1
a7896a1a4ece4a8f1fd4ece73c2bfe9926a87417

SHA256
7beaa4f538139f16452f3ddca7fbe1a7350fadf28caa50bdbe95a5588d9e95b7

SHA512
53426ce2bbd8de8e5597ff09992d567d87315e01ac4ca78ce4a4e4b9dac12046407dc617127fdc0233a0b1a5f1108a83638bbee91acd2f2284e7995cd5f5173b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_45dc416be5e520da0ba38a91149ed8202bbfd734ea3e441b28d396e386cecc82.exe

Filesize
555KB

MD5
654324db428290b8ed5c1847446f7168

SHA1
12aa78662b4e7a61d5a69f4844a1b93afef352cb

SHA256
7980a2d30cfa536e89ef3f96d32a6cb1896b59e304b55a3480cf7d0d68e40e11

SHA512
3d2d9defdd692ebb2bac303473ba0192c257d40c662057489c8baa825090398a7deb0c1fd446f0e631db4d683f096fe99309f110f75dc14a678ed5b0aba49c8c

Download Submit
memory/572-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/572-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1596-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1596-25-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2852-36-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2852-35-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2852-104-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2852-105-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download
memory/2852-139-0x0000000000400000-0x000000000054D000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads