xred | f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750

General

Target

f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Size

1.3MB
MD5

2935d17373e419c7624ab17139690a8c
SHA1

792e8f46fa12ac247f3c4b4b0a00b37a57861a53
SHA256

f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750
SHA512

0c7a602e1c669f0641d4203202f0dc5cc190ddc0f83314fc99240cf765d7fbcf971348cd19c7e65e3d4075f9e450fa659fb499e8c7e6d5bb90db1a034c5c4ea3
SSDEEP

24576:xnsJ39LyjbJkQFMhmC+6GM9OVTdNHKMognTF0vGAAu2wH:xnsHyjtk2MYC5GMaTddn1nSvgvk

Score

10^/10

xred backdoor discovery persistence upx

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
2760	._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
1016	Synaptics.exe
3988	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x000c000000023b4f-5.dat	upx
behavioral2/memory/2760-43-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-137-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-142-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-139-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-143-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-145-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-146-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-148-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-149-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-151-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-152-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-154-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-156-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-164-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-177-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-179-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-180-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-182-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-183-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-185-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-186-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-188-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-189-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-191-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-192-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-194-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-195-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-197-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/2760-198-0x0000000000400000-0x0000000000632000-memory.dmp	upx
behavioral2/memory/3988-200-0x0000000000400000-0x0000000000632000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	5080	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	5080	AUDIODG.EXE

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2760	2196	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	83
PID 2196 wrote to memory of 2760	2196	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	83
PID 2196 wrote to memory of 2760	2196	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	83
PID 2196 wrote to memory of 1016	2196	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	84
PID 2196 wrote to memory of 1016	2196	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	84
PID 2196 wrote to memory of 1016	2196	f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe	84
PID 1016 wrote to memory of 3988	1016	Synaptics.exe	86
PID 1016 wrote to memory of 3988	1016	Synaptics.exe	86
PID 1016 wrote to memory of 3988	1016	Synaptics.exe	86

C:\Users\Admin\AppData\Local\Temp\f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
"C:\Users\Admin\AppData\Local\Temp\f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Users\Admin\AppData\Local\Temp\._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2760
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x374 0x3fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.3MB

MD5
2935d17373e419c7624ab17139690a8c

SHA1
792e8f46fa12ac247f3c4b4b0a00b37a57861a53

SHA256
f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750

SHA512
0c7a602e1c669f0641d4203202f0dc5cc190ddc0f83314fc99240cf765d7fbcf971348cd19c7e65e3d4075f9e450fa659fb499e8c7e6d5bb90db1a034c5c4ea3

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_f5a785284f3bf646d8ed6333d73958f7250995aff2b9976e547ada503d2b7750.exe

Filesize
585KB

MD5
706939c469346bef9b84c822abcf7b31

SHA1
bc87860064ecd909c9f9569b1fce0785db06ecc7

SHA256
e64fdd9dd992efceb24951c882b3dcce36d9ee22c09eea4e3af8ecedf4d65bf9

SHA512
c2b90981442467032a7b88844f5057b24d1d44def11b867e83939626f6b1093f5c6814af408f62b06ffdec91308798e1c597712e591103080c93fad32eedd084

Download Submit
memory/1016-140-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1016-178-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/1016-103-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/1016-138-0x0000000000610000-0x0000000000611000-memory.dmp

Filesize
4KB

Download
memory/2196-102-0x0000000000400000-0x0000000000555000-memory.dmp

Filesize
1.3MB

Download
memory/2196-0-0x00000000022F0000-0x00000000022F1000-memory.dmp

Filesize
4KB

Download
memory/2760-137-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-149-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-139-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-143-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-195-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-146-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-192-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-198-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-189-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-152-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-180-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-156-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-186-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-43-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-177-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/2760-183-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-154-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-182-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-179-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-185-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-164-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-188-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-151-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-191-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-148-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-194-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-145-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-197-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-142-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download
memory/3988-200-0x0000000000400000-0x0000000000632000-memory.dmp

Filesize
2.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads