xred | d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146beb

General

Target

d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
Size

1.1MB
MD5

332f4cb497d383a19d37744cc7e22e00
SHA1

00925011527b79967c2b8487d4de46d6033512e9
SHA256

d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146beb
SHA512

4bc07352cfa3829f6f2b9810149a16b12b8353aeb3b21f5809a1aa5d0ce53d04ed11b738fef02ae2b64a6ca1576e15edd7639049219a6373ea8ea36f3fc92025
SSDEEP

12288:tMSApJVYG5lDLyjsb0eOzkv4R7Qnvt35+6G75V9FxKewO79X+27RAlJx8Eport9:tnsJ39LyjbJkQFMn+6GD93AlJx8Eporr

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 3 IoCs

pid	Process
1676	._cache_d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
2096	Synaptics.exe
2844	._cache_Synaptics.exe

Loads dropped DLL 5 IoCs

pid	Process
1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
2096	Synaptics.exe
2096	Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2808	EXCEL.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1676	._cache_d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2808	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1404 wrote to memory of 1676	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	31
PID 1404 wrote to memory of 1676	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	31
PID 1404 wrote to memory of 1676	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	31
PID 1404 wrote to memory of 1676	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	31
PID 1404 wrote to memory of 2096	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	32
PID 1404 wrote to memory of 2096	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	32
PID 1404 wrote to memory of 2096	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	32
PID 1404 wrote to memory of 2096	1404	d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe	32
PID 2096 wrote to memory of 2844	2096	Synaptics.exe	33
PID 2096 wrote to memory of 2844	2096	Synaptics.exe	33
PID 2096 wrote to memory of 2844	2096	Synaptics.exe	33
PID 2096 wrote to memory of 2844	2096	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
"C:\Users\Admin\AppData\Local\Temp\d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1404
- C:\Users\Admin\AppData\Local\Temp\._cache_d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1676
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:2844

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
1.1MB

MD5
332f4cb497d383a19d37744cc7e22e00

SHA1
00925011527b79967c2b8487d4de46d6033512e9

SHA256
d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146beb

SHA512
4bc07352cfa3829f6f2b9810149a16b12b8353aeb3b21f5809a1aa5d0ce53d04ed11b738fef02ae2b64a6ca1576e15edd7639049219a6373ea8ea36f3fc92025

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvaZMieO.xlsm

Filesize
23KB

MD5
105ad7cb75b97e7f3298ff88eec5e6ca

SHA1
0cc8c9abefaf43fed0ab2af364907580de04c27c

SHA256
a2983324510e91e4f931529a1f12b20f2cd1ae0383cbc6a7238d7999b996c023

SHA512
613ef084e3e42b364a6cc9e8c7f46bc392a298bbb381194ff873ed85ef7d8692006f353b409ca76bf3083d54351a56e3f093240fc82bb6187c96bae315093623

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvaZMieO.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvaZMieO.xlsm

Filesize
26KB

MD5
b4a81f46353b6858c9847b5b06fea670

SHA1
0dce4537e1e56352fe8512dd8a8c9ffd403d8164

SHA256
b37190059b3742bf4818ecc59c1a0637c2aa14b57d53ac9772c69df77d35a854

SHA512
4e49ac8e9715c121a9ecf51899021a35df75047446090a3569a0d6a5a178ff9252926520b86c61806bddc1489977f296ae3a38621660de8f038e5c93bf2167d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvaZMieO.xlsm

Filesize
28KB

MD5
f3bd1a6f304c60d9a5ff05926659bcbe

SHA1
fa323b13829c19acefae13042df1628b07834d77

SHA256
9bbde630cd0a08d34884c50f79c676a631b2bcccf16de206c7d6007737ca65b4

SHA512
66753940690d71af5d5171a74e21e78adb58eaf5eacfde9f1ab2a95455f7c6aa7a122199594ae96d63cccc0d28bd935df426b3b325c21db1a854cc056191db95

Download Submit
C:\Users\Admin\AppData\Local\Temp\IvaZMieO.xlsm

Filesize
26KB

MD5
3aebb777a254cbc32db84f3874f17497

SHA1
8332eb3f4e66cfbc84e1350c463344321862783a

SHA256
efc222e935a27d1998a618d2bea68e5c297777c8c470d763d1ffda855913cbfd

SHA512
0ef65d9d74907e754e0533d247350f580fe159891e9b2e837341361701717b9d0d7d2fa9b0129925e265d48ffa5f08e8a441e2a7aab62c9331beb1e282900fa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\~$IvaZMieO.xlsm

Filesize
165B

MD5
ff09371174f7c701e75f357a187c06e8

SHA1
57f9a638fd652922d7eb23236c80055a91724503

SHA256
e4ba04959837c27019a2349015543802439e152ddc4baf4e8c7b9d2b483362a8

SHA512
e4d01e5908e9f80b7732473ec6807bb7faa5425e3154d5642350f44d7220af3cffd277e0b67bcf03f1433ac26a26edb3ddd3707715b61d054b979fbb4b453882

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_d4dd7f9d6e297e1e2bc8d1a6a22d42b96713c368eac0a23ae430f0f33b146bebN.exe

Filesize
333KB

MD5
c6377c648ac8775fcc8302c1db14a8aa

SHA1
2b5faa68d1c9ff2572210a6420b39e9b2d4394c9

SHA256
df6589654abfacb1490a9f19e9c0e32623e73f2a1b852e8a8379b7873d03a33a

SHA512
dfb7ea7eb049847f0ebebbd74b4fe39b464b61ca0cb161186f5a40cb8e96978f73df200ce43b0e69a8707150f2026d6171109dbd60cb498aa74465e9d96e909f

Download Submit
memory/1404-25-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/1404-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2096-112-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2096-113-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2096-145-0x0000000000400000-0x0000000000516000-memory.dmp

Filesize
1.1MB

Download
memory/2808-35-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2808-111-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads