xred | 9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4

General

Target

9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Size

1.1MB
MD5

df3901a8f7f3c0dacaccc1d3a6436f40
SHA1

88d2f84d1a472efd09f7b9c7cf8619bd679442df
SHA256

9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4
SHA512

12b1c6ee60007321a1333532411ae7a8717a8f2ae27b14ae390f7e63efbd47a219c5e353b00cfc2ed21537e9b78d3457f67c3d4038e62eed9503723a5fb9a075
SSDEEP

24576:1nsJ39LyjbJkQFMhmC+6GD95PjO7KX53RTh0tFda3K:1nsHyjtk2MYC5GDTrOO53RTqtiK

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1092	._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
2724	Synaptics.exe
1452	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
2724	Synaptics.exe
2724	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2636	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2636	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1092	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	30
PID 2652 wrote to memory of 1092	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	30
PID 2652 wrote to memory of 1092	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	30
PID 2652 wrote to memory of 1092	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	30
PID 2652 wrote to memory of 2724	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	32
PID 2652 wrote to memory of 2724	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	32
PID 2652 wrote to memory of 2724	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	32
PID 2652 wrote to memory of 2724	2652	9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe	32
PID 2724 wrote to memory of 1452	2724	Synaptics.exe	33
PID 2724 wrote to memory of 1452	2724	Synaptics.exe	33
PID 2724 wrote to memory of 1452	2724	Synaptics.exe	33
PID 2724 wrote to memory of 1452	2724	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
"C:\Users\Admin\AppData\Local\Temp\9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1092
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1452

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2636

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
df3901a8f7f3c0dacaccc1d3a6436f40

SHA1
88d2f84d1a472efd09f7b9c7cf8619bd679442df

SHA256
9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4

SHA512
12b1c6ee60007321a1333532411ae7a8717a8f2ae27b14ae390f7e63efbd47a219c5e353b00cfc2ed21537e9b78d3457f67c3d4038e62eed9503723a5fb9a075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7077e982c2cb7718caf2d5afa440ad49

SHA1
fe37d7a8c4e0605b7d57bf2f40675e9b363b1b85

SHA256
9aee296cd2e0871ab8f4af1f5e422d87fdf6a766f6e2d5896c0eaeea2791d9d6

SHA512
61cd8af28f133873c1919e68b3f99ef9fa4551277ecaba8da824d67a0727c1f809240d4c7e912c6430de8425ee47b90560c0e559cfe787766494b25ba3a07578

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAD80.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\St4liopH.xlsm

Filesize
22KB

MD5
31bc2a4b1d240d86830c94c4b9dd17db

SHA1
5e7b04fa5a91bed4f32b4938219f5e739f0b7e72

SHA256
346b405ece88737a5c96d3ab133f011b46d667102e864c55f33ad5e8a0682235

SHA512
24adb5ebac456bc000920f1f15353e4ba2138d3cfec217a31a55adaf73075968687decc08a9f2eae7cd79401d805f731bd746de6ee33c1969c46c5ff1fbd723e

Download Submit
C:\Users\Admin\AppData\Local\Temp\St4liopH.xlsm

Filesize
28KB

MD5
713d9cc572916dac3ed2077a2964fc53

SHA1
d3c79eb0fddcc73aeeb0e31479b2e1b5bad60379

SHA256
2f530c82f2eaaf42e2e2217b3b338caff25f9011017ee3406ff878d38cabe9fe

SHA512
479017c638877e970805d01736bc11a751855a838ba3595637ca8fafd10d77705d1d77196b88ec0618dab60906d7c4021212f47344751248089105c1bf5ecb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\St4liopH.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarADB2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_9a163c810d790d05b4a59c75a7ddd876a8994c4156bee79b55bb4282910d9ea4N.exe

Filesize
324KB

MD5
401d2bb1174f24689d0279ee0d4c4c85

SHA1
6182304eb212b5458f0c6b18c5d8bcd8da18c96a

SHA256
6fc6a0156e6f38b1d61ee39df837fa3f49e9f87807599dc9694582d7d646c23e

SHA512
ee0bedd2029b9aa724af8c2991303402359193132d92e1bea755c12b4c6828fe320a12d05642cf0bb69257fc873ffe12e7a6db53b14d532e18c32374179d229f

Download Submit
memory/2636-145-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2652-28-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2652-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2724-144-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2724-199-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2724-200-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/2724-235-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads