xred | 031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25

General

Target

031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
Size

758KB
MD5

0f26f5fd169878b2bffa2e359db64ca7
SHA1

91005b2391739d0355bfc4aa9b48378313ad80e3
SHA256

031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25
SHA512

5526b5fc7f4f02d63ad7acf02f914355d4bb476344d9b2866e08d709ee25babdadae21fc314e68b0e07b476b211eac5efdf701d2e495795952cced34f4096935
SSDEEP

12288:mMSApJVYG5lDLyjsb0eOzkv4R7QnvUUilQ35+6G75V9ifj:mnsJ39LyjbJkQFMhmC+6GD9q

Score

10^/10

xred backdoor discovery macro persistence

Malware Config

Extracted

Family

xred

C2

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral1/files/0x00060000000196a1-94.dat

Executes dropped EXE 3 IoCs

pid	Process
2804	._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
2740	Synaptics.exe
2780	._cache_Synaptics.exe

Loads dropped DLL 11 IoCs

pid	Process
2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
2568	dw20.exe
2568	dw20.exe
2568	dw20.exe
2740	Synaptics.exe
2740	Synaptics.exe
2920	dw20.exe
2920	dw20.exe
2920	dw20.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dw20.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2336	EXCEL.EXE

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2336	EXCEL.EXE

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2804	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	30
PID 2236 wrote to memory of 2804	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	30
PID 2236 wrote to memory of 2804	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	30
PID 2236 wrote to memory of 2804	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	30
PID 2236 wrote to memory of 2740	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	32
PID 2236 wrote to memory of 2740	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	32
PID 2236 wrote to memory of 2740	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	32
PID 2236 wrote to memory of 2740	2236	031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	32
PID 2804 wrote to memory of 2568	2804	._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	33
PID 2804 wrote to memory of 2568	2804	._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	33
PID 2804 wrote to memory of 2568	2804	._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	33
PID 2804 wrote to memory of 2568	2804	._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe	33
PID 2740 wrote to memory of 2780	2740	Synaptics.exe	34
PID 2740 wrote to memory of 2780	2740	Synaptics.exe	34
PID 2740 wrote to memory of 2780	2740	Synaptics.exe	34
PID 2740 wrote to memory of 2780	2740	Synaptics.exe	34
PID 2780 wrote to memory of 2920	2780	._cache_Synaptics.exe	36
PID 2780 wrote to memory of 2920	2780	._cache_Synaptics.exe	36
PID 2780 wrote to memory of 2920	2780	._cache_Synaptics.exe	36
PID 2780 wrote to memory of 2920	2780	._cache_Synaptics.exe	36

C:\Users\Admin\AppData\Local\Temp\031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
"C:\Users\Admin\AppData\Local\Temp\031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Users\Admin\AppData\Local\Temp\._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
    dw20.exe -x -s 400
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2568
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2740
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
      dw20.exe -x -s 400
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2920

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
758KB

MD5
0f26f5fd169878b2bffa2e359db64ca7

SHA1
91005b2391739d0355bfc4aa9b48378313ad80e3

SHA256
031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25

SHA512
5526b5fc7f4f02d63ad7acf02f914355d4bb476344d9b2866e08d709ee25babdadae21fc314e68b0e07b476b211eac5efdf701d2e495795952cced34f4096935

Download Submit
C:\Users\Admin\AppData\Local\Temp\._cache_031fc43e40930165bceec81343f423e652adefc1e91e4a525c2348859c22ea25.exe

Filesize
5KB

MD5
d1c2a3b371b2a3079c0626847473133a

SHA1
148a8f4f9d164839106e6d8c975abefa9edd0930

SHA256
179df48d01bce468c701a193a520918344bbe3d4415da237b19b43eef9ae1250

SHA512
de11323a6c8d209ced36c28e1a4e7f62d248df031843107ad4c3365432c61d106a2c1f745a4388e65e5eed28aadfb7908eb97f1ac9d14e1bc15853e4f280bf4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDGRyoGK.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDGRyoGK.xlsm

Filesize
31KB

MD5
acd856c34d7b9f3d18f204006f845000

SHA1
b930ccc0a0f288cb1e2fc22e5f0bdaccd1be91dc

SHA256
7782f1016445db937f62916296bbad498afedf4bf5e3fe95c6510e8893ed4509

SHA512
687cab4e4abdd63f36f6bf1c4d47a73538c4a313a00d092f1a33f3cf485f44ece08b60b83c7f07c7d91b6e7b9e3dc3123fdf3ec1a592b2ed92ee5ff7b140ebae

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDGRyoGK.xlsm

Filesize
24KB

MD5
9e6fedfe2be2fdac167aa812121f69de

SHA1
7c6155a4d39126a3eaf34150577a39a181b28822

SHA256
9192d85811f465babd402ce04a8555bfb170df76dcd7b37664548117bc1b89d8

SHA512
22899af6c0ea5d0b8f3f4991cc0d2170a18495ce84779c6874476428f4f1051d65f9e18f5ddf299fa6ba80521d5d742a41eb6073f180a6dd0e4511fc3d57e45c

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDGRyoGK.xlsm

Filesize
28KB

MD5
829962a8046dc6b79e2003ea9e9a6c8c

SHA1
17297fe760876aaf381cf9c403c656ce306a4c11

SHA256
d31da3c32b65c8421ff4e2f98a4b95232f2ef305581928538fddafbda97ada9c

SHA512
212047ceb7590911e7922054d482104b0d37551f5eb8d68a7cd9998fd18a99e5109f7ecc07111a8a95f2f58d8b0a82ab1be0164c1329e0de2a1e856c02f75dae

Download Submit
memory/2236-27-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2236-0-0x00000000003A0000-0x00000000003A1000-memory.dmp

Filesize
4KB

Download
memory/2336-46-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2336-109-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/2740-44-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2740-110-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2740-111-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2740-145-0x0000000000400000-0x00000000004C4000-memory.dmp

Filesize
784KB

Download
memory/2804-45-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download
memory/2804-19-0x0000000000A00000-0x0000000000A40000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads