xred | 6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74

General

Target

6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
Size

791KB
MD5

dab1a32878623619a3dd6c4d6fffac60
SHA1

a8cc9664fdd54d21bbb743f751688d411ce48c86
SHA256

6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74
SHA512

02f4409f461b3a621bf94ba4421c3d44fac6116f4768dacc3686827ab6c76281b7b6b62fd79c317a24e7ea05dca2236c11234718696bfc40c912f02e2d936649
SSDEEP

12288:WMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9rhwxQj:WnsJ39LyjbJkQFMhmC+6GD9x

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1480	._cache_6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
844	Synaptics.exe
3024	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
844	Synaptics.exe
844	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2684	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2684	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2708 wrote to memory of 1480	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	30
PID 2708 wrote to memory of 1480	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	30
PID 2708 wrote to memory of 1480	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	30
PID 2708 wrote to memory of 1480	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	30
PID 2708 wrote to memory of 844	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	31
PID 2708 wrote to memory of 844	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	31
PID 2708 wrote to memory of 844	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	31
PID 2708 wrote to memory of 844	2708	6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe	31
PID 844 wrote to memory of 3024	844	Synaptics.exe	32
PID 844 wrote to memory of 3024	844	Synaptics.exe	32
PID 844 wrote to memory of 3024	844	Synaptics.exe	32
PID 844 wrote to memory of 3024	844	Synaptics.exe	32

C:\Users\Admin\AppData\Local\Temp\6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
"C:\Users\Admin\AppData\Local\Temp\6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2708
- C:\Users\Admin\AppData\Local\Temp\._cache_6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe"
  2⤵
  - Executes dropped EXE
  PID:1480
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:844
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    PID:3024

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
791KB

MD5
dab1a32878623619a3dd6c4d6fffac60

SHA1
a8cc9664fdd54d21bbb743f751688d411ce48c86

SHA256
6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74

SHA512
02f4409f461b3a621bf94ba4421c3d44fac6116f4768dacc3686827ab6c76281b7b6b62fd79c317a24e7ea05dca2236c11234718696bfc40c912f02e2d936649

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqgV87XB.xlsm

Filesize
23KB

MD5
233bacefe93e3c6a0fc7865f38754617

SHA1
f04e5251b5c5447c433d2891730281ad52b32093

SHA256
7be724467444e315a9e36475dc4651e5544b10fa9db752b6371c95f69d491aa2

SHA512
8ab8a008f07b9b709f372008ec2382e6bd2e752dd45606d78b9306f6471ca5773ab4123c4d1d3466453e1c1694c29a4ea7bdb4d7a2546ae5e8512e07b9c7a240

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqgV87XB.xlsm

Filesize
27KB

MD5
4823e5ff56ee2d1ab8554db48032353f

SHA1
85b9740ed522819f7127c1ceeaa486432566f848

SHA256
db9527577da3f0733bed4a1533741ddbb09182fe3502eb574e3eb5e89bb6bfcc

SHA512
f9393616ec7791c80683133ea5066886ba3a93ce7ade2d2eafed5df1b8e9601057f4fbf6d385ce47e612ed2efbf8cb1bac6354c1c4f6e8c3bc5703c9158fe3bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqgV87XB.xlsm

Filesize
28KB

MD5
e0abcc295faf9f85b45c4983f568f931

SHA1
2ad45b3c35941bc1d7163a0a30dc0c8504ebea5b

SHA256
13356c9e7f7626279ff7cf7c3031946bb4bc97aa0542d1a6f7f65643e97aacd8

SHA512
a2fe56d52d3e24a798054af554b5fe781e95511d6cd82aa2d87f1926cd8e180001f898e112db62fc4f04bf01feedd4ea67f4cf79dbb0d406627505f87f9d7935

Download Submit
C:\Users\Admin\AppData\Local\Temp\PqgV87XB.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_6becf1febf4e3a857d271297adfab9af608fcf2974cbedb3bd64a84a4c191d74.exe

Filesize
38KB

MD5
10b1a298e7938276427bc270c496db77

SHA1
a21396d8bcabf6f9d0c7650114ddcd7703d91786

SHA256
e1c02df86676d04ed75ba6303b53b61c15adb6aec672ac349c2f06454a594e1e

SHA512
0593e2ecc997a1d41fea322567c80bc79380bc0421ff3d4be891d7a37c4922039fbf1d3e6e7ec13dd1487b0eb8951ad0c81a842ca0fc197926e67c686bb86a1d

Download Submit
memory/844-137-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/844-105-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/844-104-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/844-37-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/1480-28-0x0000000001010000-0x0000000001020000-memory.dmp

Filesize
64KB

Download
memory/2684-38-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2684-103-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2708-0-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2708-25-0x0000000000400000-0x00000000004CC000-memory.dmp

Filesize
816KB

Download
memory/3024-36-0x0000000001050000-0x0000000001060000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads