xred | 638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd

General

Target

638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
Size

763KB
MD5

23219ff2313840466608bb1884d67eba
SHA1

dc48cb39642912d394cb1ef919f9a0bb6263bd34
SHA256

638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd
SHA512

54a84bfd61ac39d7896bedb4323ba2c2cc916c418fa276d25d764cff29fbc382ae6a509c36a545e2fdc0c8cd20b89e85ca470fee653203528740d2100444f2c7
SSDEEP

12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9OpJ:mnsJ39LyjbJkQFMhmC+6GD9w

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1736	._cache_638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
3008	Synaptics.exe
2780	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
3008	Synaptics.exe
3008	Synaptics.exe
3008	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2760	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2760	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 1736	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	29
PID 2340 wrote to memory of 1736	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	29
PID 2340 wrote to memory of 1736	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	29
PID 2340 wrote to memory of 1736	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	29
PID 2340 wrote to memory of 3008	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	31
PID 2340 wrote to memory of 3008	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	31
PID 2340 wrote to memory of 3008	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	31
PID 2340 wrote to memory of 3008	2340	638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe	31
PID 3008 wrote to memory of 2780	3008	Synaptics.exe	32
PID 3008 wrote to memory of 2780	3008	Synaptics.exe	32
PID 3008 wrote to memory of 2780	3008	Synaptics.exe	32
PID 3008 wrote to memory of 2780	3008	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
"C:\Users\Admin\AppData\Local\Temp\638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\._cache_638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe"
  2⤵
  - Executes dropped EXE
  PID:1736
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:2780

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
763KB

MD5
23219ff2313840466608bb1884d67eba

SHA1
dc48cb39642912d394cb1ef919f9a0bb6263bd34

SHA256
638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd

SHA512
54a84bfd61ac39d7896bedb4323ba2c2cc916c418fa276d25d764cff29fbc382ae6a509c36a545e2fdc0c8cd20b89e85ca470fee653203528740d2100444f2c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihrrtPDI.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihrrtPDI.xlsm

Filesize
24KB

MD5
306a5357967af8dcb15293c9843d44d7

SHA1
be0e7f416abb916ddedc13299d51e354f14fc914

SHA256
23190116676b614c347ca2c55ea84c535255e8aea901fd7821b2d455223ec474

SHA512
ef9b013999b4c6ee47ce4ff0e21915276807adf267a7dd5131f0e80b7413b1f41f89ef6f85547afee26909d086118cb7c8a98068b68dc3a8e869c17491988165

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihrrtPDI.xlsm

Filesize
27KB

MD5
b598bc020e1ab76ff520b5f15beb178c

SHA1
678190b96a1d5e4bbf984392bd6bba52ee53645c

SHA256
cbd86c6790a5da3b6bc494e045da0d02d03f38074e7e6cdbe8a974c8c8446e48

SHA512
d8cac719b07cc35ba0d761b9283b2220f88fe3fa0561fb91db9b919d30f8e91963302220440a4508c0bd60f1c6b99e74b1740765c0a9087a161cbd4ca36abdf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ihrrtPDI.xlsm

Filesize
21KB

MD5
33456bcb6e3a0fb4eb5ef48ddf00b3da

SHA1
54433eda9bdf1a11891db8c1cab358be9d0124da

SHA256
492d956d0360695f901c75658dee32138960a6f1bd7780159ee90aa896ade76d

SHA512
711f7baac3b70d0a2b051f94caf45c967454cf8e52b229c6f3732abe2e5b14dcdb83abb255ba295ad3e79d65744b00c7ef53024a85eadb4e775cdf4e1fd1252b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_638989a9ef21412dc2100178428699122e4fdf7c55e62d57ce2b8ca536bbfbcd.exe

Filesize
10KB

MD5
03f7dfea9010460e2c654c05048621b0

SHA1
9db23949e7bd1e8e529ac06b5e688f6e7aa7f05d

SHA256
6b587c03adcb2b7d0e4091f2add33ffba29df5314e0d60e5ad2fafadbcc0ddcf

SHA512
9ab5afa8c0e68a3222220e7ff1f0fb37958619473975762b42d1f993aacdc64a9efa1a488bd3d5279930fba1274d909e63e8fa6b5750d39c270b88ba2f0938ef

Download Submit
memory/2340-28-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/2340-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2760-41-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2760-106-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/3008-107-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3008-108-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download
memory/3008-140-0x0000000000400000-0x00000000004C5000-memory.dmp

Filesize
788KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads