xred | 43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780

General

Target

file.exe
Size

1.0MB
MD5

eaba5b2c3b6607177112ec5f26438ba3
SHA1

d0572bad54faca6af612763c6835feb160a3dcd2
SHA256

43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780
SHA512

b767a6f167a0153628ae0bdb468eef4d4311e48a58ff4774843ee36321c48823a24be5c9d0d399800a19733a46ead5109cd54e728e6a260107212647a5f60d9c
SSDEEP

24576:6nsJ39LyjbJkQFMhmC+6GD9DukDF4zARUwSp:6nsHyjtk2MYC5GDFuRzmUd

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 4 IoCs

pid	Process
2740	._cache_file.exe
2672	Synaptics.exe
2908	dxwsetup.exe
1996	._cache_Synaptics.exe

Loads dropped DLL 16 IoCs

pid	Process
2312	file.exe
2740	._cache_file.exe
2740	._cache_file.exe
2740	._cache_file.exe
2312	file.exe
2312	file.exe
2740	._cache_file.exe
2908	dxwsetup.exe
2908	dxwsetup.exe
2908	dxwsetup.exe
2908	dxwsetup.exe
2672	Synaptics.exe
2672	Synaptics.exe
1996	._cache_Synaptics.exe
1996	._cache_Synaptics.exe
1996	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	._cache_file.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET74A3.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET74A3.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\SET74A4.tmp	dxwsetup.exe
File created	C:\Windows\SysWOW64\directx\websetup\SET74A4.tmp	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\directx\websetup\dsetup32.dll	dxwsetup.exe
File opened for modification	C:\Windows\SysWOW64\DirectX\WebSetup	dxwsetup.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\DirectX.log	dxwsetup.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	dxwsetup.exe
File opened for modification	C:\Windows\security\logs\scecomp.log	dxwsetup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dxwsetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_file.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2288	EXCEL.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2908	dxwsetup.exe
Token: SeRestorePrivilege	2908	dxwsetup.exe
Token: SeRestorePrivilege	2908	dxwsetup.exe
Token: SeRestorePrivilege	2908	dxwsetup.exe
Token: SeRestorePrivilege	2908	dxwsetup.exe
Token: SeRestorePrivilege	2908	dxwsetup.exe
Token: SeRestorePrivilege	2908	dxwsetup.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2288	EXCEL.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2740	2312	file.exe	30
PID 2312 wrote to memory of 2672	2312	file.exe	31
PID 2312 wrote to memory of 2672	2312	file.exe	31
PID 2312 wrote to memory of 2672	2312	file.exe	31
PID 2312 wrote to memory of 2672	2312	file.exe	31
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2740 wrote to memory of 2908	2740	._cache_file.exe	32
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33
PID 2672 wrote to memory of 1996	2672	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Users\Admin\AppData\Local\Temp\._cache_file.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_file.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:1996

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.0MB

MD5
eaba5b2c3b6607177112ec5f26438ba3

SHA1
d0572bad54faca6af612763c6835feb160a3dcd2

SHA256
43555b4a8bd82abd7e7b1f279b4f31afb5a230ce4246be6fda4fdd5e7263c780

SHA512
b767a6f167a0153628ae0bdb468eef4d4311e48a58ff4774843ee36321c48823a24be5c9d0d399800a19733a46ead5109cd54e728e6a260107212647a5f60d9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.inf

Filesize
477B

MD5
ad8982eaa02c7ad4d7cdcbc248caa941

SHA1
4ccd8e038d73a5361d754c7598ed238fc040d16b

SHA256
d63c35e9b43eb0f28ffc28f61c9c9a306da9c9de3386770a7eb19faa44dbfc00

SHA512
5c805d78bafff06c36b5df6286709ddf2d36808280f92e62dc4c285edd9176195a764d5cf0bb000da53ca8bbf66ddd61d852e4259e3113f6529e2d7bdbdd6e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\luiblpfG.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_file.exe

Filesize
281KB

MD5
fd6057b33e15a553ddc5d9873723ce8f

SHA1
f90efb623b5abea70af63c470daa8674444fb1df

SHA256
111aeddc6a6dbf64b28cb565aa12af9ee3cc0a56ce31e4da0068cf6b474c3288

SHA512
d894630c9a4bdb767e9f16d1b701acbdf011e721768ba0dc7a24e6d82a4d062a7ca253b1b334edba38c06187104351203a92c017838bdd9f13905cde30f7d94d

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dxwsetup.exe

Filesize
487KB

MD5
eaa6b5ee297982a6a396354814006761

SHA1
780bf9a61c080a335e8712c5544fcbf9c7bdcd72

SHA256
d298fd82a39b2385a742ba1992466e081bea0f49e19ece6b2c87c7c262e1fcee

SHA512
ebdc887b6b334b7560f85ab2ebd29dc1f3a2dedac7f70042594f2a9bc128b6fca0a0e7704318ed69b7acf097e962533b3ce07713ef80e8acfe09374c13302999

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup.dll

Filesize
87KB

MD5
0a23038ea472ffc938366ef4099d6635

SHA1
6499d741776dc4a446c22ea11085842155b34176

SHA256
8f2c455c9271290dcde2f68589cf825f9134beecb7e8b7e2ecbcabeab792280a

SHA512
dcc1c2ea86fd3a7870cd0369fa42f63d493895c546dcdd492ee19079a0d0696d689bbfe7b686d4fa549841896a54e673fc4581b80783d7aa255dfad765b9dc88

Download Submit
\Windows\SysWOW64\directx\websetup\dsetup32.dll

Filesize
1.7MB

MD5
7672509436485121135c2a0e30b9e9ff

SHA1
f557022a9f42fe1303078093e389f21fb693c959

SHA256
d7ea3cf1b9b639010005e503877026597a743d1068ae6a453ce77cc202796fea

SHA512
e46ff68c4a532017f8ab15b1e46565508f6285b72c7a1cbe964ed5e75320c8e14587d01fee61b3966f43636bfe74cebd21f7665b4a726281e771cf9230e69863

Download Submit
memory/2288-85-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2312-0-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/2312-39-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2672-130-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download
memory/2672-165-0x0000000000400000-0x0000000000509000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads